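# policies/host-fw-control-plane.yaml
#
# Cilium host-firewall policy for control-plane nodes (selected by nodeSelector,
# so the rules apply to the node's own network stack, not to pods).
#
# Structure note: every list item under `ingress:` / `egress:` is an independent
# rule, and a rule without `toPorts` allows ALL ports for the sources or
# destinations it selects. Each selector kind (fromCIDR / fromEntities /
# fromEndpoints) lives in its own rule here because Cilium rejects mixing them
# in one rule, so every selector rule that is meant to be port-limited repeats
# the same `toPorts` block. When editing, never leave one of the sibling rules
# without `toPorts`, or that selector silently becomes an any-port allow.
#
# Redacted addresses are written as <...> placeholders; replace them with the
# real /32 addresses before applying.
---
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "host-fw-control-plane"
spec:
  description: "control-plane specific access rules. Restricted to Tailscale network for security."
  nodeSelector:
    matchLabels:
      node-role.kubernetes.io/control-plane: ""
  ingress:
    # kube-apiserver (6443) from the Tailscale network, VLAN, VIP and the nodes'
    # external IPs. The VIP entry lets new nodes bootstrap via the VLAN without
    # network changes.
    - fromCIDR:
        - 100.64.0.0/10  # Tailscale CGNAT range
        - 10.132.0.0/24  # VLAN subnet (includes VIP and node IPs)
        - <CONTROL_PLANE_VIP>/32  # Explicit VIP for control plane (new node bootstrapping)
        - <N1_EXTERNAL_IP>/32  # n1 external IP
        - <N2_EXTERNAL_IP>/32  # n2 external IP
        - <N3_EXTERNAL_IP>/32  # n3 external IP
      toPorts:
        - ports:
            - port: "6443"
              protocol: "TCP"
    # kube-apiserver (6443) from inside the cluster.
    - fromEntities:
        - cluster
      toPorts:
        - ports:
            - port: "6443"
              protocol: "TCP"

    # Talos API (apid 50000, trustd 50001) from the Tailscale network, VLAN, VIP
    # and external IPs. Deliberately not `world`; Talos still authenticates
    # every client on these ports.
    # https://www.talos.dev/v1.4/learn-more/talos-network-connectivity/
    - fromCIDR:
        - 100.64.0.0/10  # Tailscale CGNAT range
        - 10.132.0.0/24  # VLAN subnet for node bootstrapping
        - <CONTROL_PLANE_VIP>/32  # VIP for control plane access
        - <N1_EXTERNAL_IP>/32  # n1 external IP
        - <N2_EXTERNAL_IP>/32  # n2 external IP
        - <N3_EXTERNAL_IP>/32  # n3 external IP
      toPorts:
        - ports:
            - port: "50000"
              protocol: "TCP"
            - port: "50001"
              protocol: "TCP"
    # Talos API from inside the cluster.
    - fromEntities:
        - cluster
      toPorts:
        - ports:
            - port: "50000"
              protocol: "TCP"
            - port: "50001"
              protocol: "TCP"
    # Talos API from worker nodes.
    - fromEntities:
        - remote-node
      toPorts:
        - ports:
            - port: "50000"
              protocol: "TCP"
            - port: "50001"
              protocol: "TCP"

    # kube-proxy-replacement traffic classified as kube-apiserver: kubelet API
    # (10250) and hubble-peer (4244).
    - fromEntities:
        - kube-apiserver
      toPorts:
        - ports:
            - port: "10250"
              protocol: "TCP"
            - port: "4244"
              protocol: "TCP"

    # hubble-relay -> hubble-peer (running on the node).
    - fromEndpoints:
        - matchLabels:
            k8s-app: hubble-relay
      toPorts:
        - ports:
            - port: "4244"
              protocol: "TCP"

    # metrics-server scraping the kubelet.
    - fromEndpoints:
        - matchLabels:
            k8s-app: metrics-server
      toPorts:
        - ports:
            - port: "10250"
              protocol: "TCP"

    # ICMP echo request from anywhere (no from* selector, so any source).
    - icmps:
        - fields:
            - type: 8
              family: IPv4
            - type: 128
              family: IPv6

    # Cilium tunnel (VXLAN 8472) and health checks (4240) from other nodes.
    - fromEntities:
        - remote-node
      toPorts:
        - ports:
            - port: "8472"
              protocol: "UDP"
            - port: "4240"
              protocol: "TCP"

    # etcd between control-plane nodes: 2379 (client API), 2380 (peer),
    # 51871 (Talos etcd peer discovery). Required for cluster formation.
    # NOTE(review): the client port 2379 is reachable from the whole Tailscale
    # range and the external IPs; peer traffic only needs 2380/51871, so
    # consider whether 2379 can be dropped from the CIDR rule.
    - fromCIDR:
        - 100.64.0.0/10  # Tailscale CGNAT range
        - 10.132.0.0/24  # VLAN subnet (includes VIP and node IPs)
        - <CONTROL_PLANE_VIP>/32  # Explicit VIP for control plane (new node bootstrapping)
        - <N1_EXTERNAL_IP>/32  # n1 external IP
        - <N2_EXTERNAL_IP>/32  # n2 external IP
        - <N3_EXTERNAL_IP>/32  # n3 external IP
      toPorts:
        - ports:
            - port: "2379"
              protocol: "TCP"  # etcd client API
            - port: "2380"
              protocol: "TCP"  # etcd peer communication
            - port: "51871"
              protocol: "UDP"  # Talos etcd peer discovery
    # etcd from other nodes (including bootstrapping control planes) and pods.
    - fromEntities:
        - remote-node
        - cluster
      toPorts:
        - ports:
            - port: "2379"
              protocol: "TCP"  # etcd client API
            - port: "2380"
              protocol: "TCP"  # etcd peer communication
            - port: "51871"
              protocol: "UDP"  # Talos etcd peer discovery

    # HTTP/HTTPS: external access is required for Harbor direct access and
    # Let's Encrypt challenges; everything else stays off `world`.
    - fromEntities:
        - cluster
        - world  # External access for Harbor and Let's Encrypt
      toPorts:
        - ports:
            - port: "80"
              protocol: "TCP"
            - port: "443"
              protocol: "TCP"
    # HTTP/HTTPS for Tailscale-hosted services (e.g. Kibana proxy).
    # NOTE(review): `world` above already covers any non-cluster source, so this
    # rule is probably redundant unless Tailscale addresses are classified as
    # node IPs — confirm before removing.
    - fromCIDR:
        - 100.64.0.0/10  # Tailscale CGNAT range
      toPorts:
        - ports:
            - port: "80"
              protocol: "TCP"
            - port: "443"
              protocol: "TCP"

    # Admission controller from inside the cluster.
    - fromEntities:
        - cluster
      toPorts:
        - ports:
            - port: "8443"
              protocol: "TCP"

    # PostgreSQL and Redis from inside the cluster.
    - fromEntities:
        - cluster
      toPorts:
        - ports:
            - port: "5432"
              protocol: "TCP"  # PostgreSQL
            - port: "6379"
              protocol: "TCP"  # Redis

    # PostgreSQL monitoring/health checks and CloudNativePG coordination.
    - fromEntities:
        - cluster
      toPorts:
        - ports:
            - port: "9187"
              protocol: "TCP"  # PostgreSQL metrics port
            - port: "8000"
              protocol: "TCP"  # CloudNativePG health endpoint
            - port: "9443"
              protocol: "TCP"  # CloudNativePG operator webhook server

    # Local kubelet probes against control-plane pods (the kubelet on the
    # control plane checks the health endpoints of its local pods).
    - fromEntities:
        - host
      toPorts:
        - ports:
            - port: "8000"
              protocol: "TCP"  # CloudNativePG health endpoint for kubelet probes

    # OpenObserve and metrics collection.
    - fromEntities:
        - cluster
      toPorts:
        - ports:
            - port: "5080"
              protocol: "TCP"  # OpenObserve
            - port: "10254"
              protocol: "TCP"  # NGINX Ingress metrics

  egress:
    # All cluster communication (pods, services, nodes). No toPorts, so this
    # already permits every port towards these three entities; the port-scoped
    # egress rules below that target the same entities are subsumed by it and
    # serve as documentation of what is actually needed.
    - toEntities:
        - cluster
        - remote-node
        - host

    # etcd to other control-plane nodes (cluster formation and peer traffic).
    # NOTE(review): this CIDR rule has no toPorts and therefore allows every
    # port towards the VLAN and the VIP. Tightening it to 2379/2380/51871 is the
    # intent of the comment, but confirm first that node traffic to the VIP
    # (e.g. kubelet -> VIP:6443) is not relying on this rule, since the VIP may
    # not be classified as a node IP.
    - toCIDR:
        - 10.132.0.0/24  # VLAN subnet (all control plane nodes)
        - <CONTROL_PLANE_VIP>/32  # VIP
    # etcd to other nodes.
    - toEntities:
        - remote-node
      toPorts:
        - ports:
            - port: "2379"
              protocol: "TCP"  # etcd client API
            - port: "2380"
              protocol: "TCP"  # etcd peer communication
            - port: "51871"
              protocol: "UDP"  # Talos etcd peer discovery

    # CloudNativePG health endpoints on all nodes.
    - toEntities:
        - cluster
        - remote-node
        - host
      toPorts:
        - ports:
            - port: "8000"
              protocol: "TCP"  # CloudNativePG health endpoint

    # PostgreSQL databases on worker nodes.
    - toEntities:
        - cluster
        - remote-node
      toPorts:
        - ports:
            - port: "5432"
              protocol: "TCP"  # PostgreSQL database
            - port: "9187"
              protocol: "TCP"  # PostgreSQL metrics
            - port: "8000"
              protocol: "TCP"  # CloudNativePG health endpoint
            - port: "8080"
              protocol: "TCP"  # Additional health/admin endpoints
            - port: "9443"
              protocol: "TCP"  # CloudNativePG operator webhook server

    # DNS resolution.
    - toEntities:
        - cluster
        - remote-node
      toPorts:
        - ports:
            - port: "53"
              protocol: "TCP"
            - port: "53"
              protocol: "UDP"

    # Outbound internet access for backup operations, image pulls, etc.
    - toEntities:
        - world
      toPorts:
        - ports:
            - port: "443"
              protocol: "TCP"  # HTTPS
            - port: "80"
              protocol: "TCP"  # HTTP
            - port: "53"
              protocol: "UDP"  # DNS
            - port: "123"
              protocol: "UDP"  # NTP time synchronization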