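# policies/host-fw-worker-nodes.yaml
#
# Host firewall for worker nodes (every node WITHOUT the control-plane role).
# Both the ingress and the egress section carry rules, so Cilium's host
# firewall applies default-deny in both directions on the selected nodes:
# anything not listed below is dropped at the node itself.
#
# Rules within a direction form an allow-list and are OR'd together. A rule
# with no toPorts allows EVERY port for its peers, which is why the first rule
# of each section (all cluster/remote-node/host traffic) already subsumes the
# later, port-scoped cluster rules; those are kept to document which services
# are actually expected on a worker node.
#
# The HTTP/HTTPS and Talos API rules keep their toPorts in the same rule as the
# fromCIDR selector on purpose: a fromCIDR rule that has no toPorts would open
# every host port to the whole Tailscale CGNAT range and the VLAN.
---
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "host-fw-worker-nodes"
spec:
  description: "Worker node firewall rules - more permissive for database workloads"
  nodeSelector:
    matchExpressions:
      - key: node-role.kubernetes.io/control-plane
        operator: DoesNotExist

  ingress:
    # All in-cluster peers (pods, other nodes, the node itself) on every port.
    # This is the broad allow needed for database operations.
    - fromEntities:
        - cluster
        - remote-node
        - host

    # PostgreSQL and Redis from anywhere in the cluster.
    - fromEntities:
        - cluster
      toPorts:
        - ports:
            - port: "5432"
              protocol: "TCP" # PostgreSQL
            - port: "6379"
              protocol: "TCP" # Redis

    # Health-check and monitoring endpoints from anywhere in the cluster.
    - fromEntities:
        - cluster
      toPorts:
        - ports:
            - port: "8000"
              protocol: "TCP" # CloudNativePG health endpoint
            - port: "8080"
              protocol: "TCP" # NOTE(review): purpose not documented here - confirm what listens on 8080
            - port: "9187"
              protocol: "TCP" # PostgreSQL metrics
            - port: "9443"
              protocol: "TCP" # CloudNativePG operator webhook server
            - port: "10250"
              protocol: "TCP" # kubelet

    # kubelet API from the VLAN, for cluster operations.
    - fromCIDR:
        - 10.132.0.0/24 # VLAN subnet
      toPorts:
        - ports:
            - port: "10250"
              protocol: "TCP" # kubelet API

    # HTTP and HTTPS from the cluster. (Covered by the first rule already;
    # kept so the intended exposure stays explicit.)
    - fromEntities:
        - cluster
      toPorts:
        - ports:
            - port: "80"
              protocol: "TCP"
            - port: "443"
              protocol: "TCP"

    # HTTP and HTTPS from the Tailscale network - needed for Tailscale operator
    # proxy pods (e.g., Kibana via MagicDNS). Limited to 80/443 only.
    - fromCIDR:
        - 100.64.0.0/10 # Tailscale CGNAT range - allow Tailscale services
      toPorts:
        - ports:
            - port: "80"
              protocol: "TCP"
            - port: "443"
              protocol: "TCP"

    # Talos API from the Tailscale network, the VLAN, and the nodes' external
    # IPs. Restricted access (not world) for security - authentication is still
    # required by the Talos API itself.
    - fromCIDR:
        - 100.64.0.0/10 # Tailscale CGNAT range
        - 10.132.0.0/24 # VLAN subnet for node bootstrapping
        - /32 # n1 external IP - host address missing; must read <n1-external-ip>/32 before apply
        - /32 # n2 external IP - host address missing; must read <n2-external-ip>/32 before apply
        - /32 # n3 external IP - host address missing; must read <n3-external-ip>/32 before apply
      toPorts:
        - ports:
            - port: "50000"
              protocol: "TCP" # Talos API
            - port: "50001"
              protocol: "TCP" # Talos API trustd

    # Talos API from inside the cluster.
    - fromEntities:
        - cluster # Allow cluster-internal access
      toPorts:
        - ports:
            - port: "50000"
              protocol: "TCP" # Talos API
            - port: "50001"
              protocol: "TCP" # Talos API trustd

    # ICMP echo request (ping) for IPv4 and IPv6. This rule has no from*
    # selector, so echo requests are accepted from any source, world included.
    - icmps:
        - fields:
            - type: 8
              family: IPv4
            - type: 128
              family: IPv6

    # Cilium tunnel and health checks between nodes.
    - fromEntities:
        - remote-node
      toPorts:
        - ports:
            - port: "8472"
              protocol: "UDP" # Cilium VXLAN tunnel
            - port: "4240"
              protocol: "TCP" # cilium-health

    # Hubble relay to the per-node Hubble server.
    - fromEndpoints:
        - matchLabels:
            k8s-app: hubble-relay
      toPorts:
        - ports:
            - port: "4244"
              protocol: "TCP"

    # NGINX Ingress Controller metrics.
    - fromEntities:
        - cluster
      toPorts:
        - ports:
            - port: "10254"
              protocol: "TCP" # NGINX Ingress metrics

    # OpenObserve metrics ingestion. OpenObserve is used instead of the
    # Prometheus/Grafana stack, whose unused ports were removed.
    - fromEntities:
        - cluster
      toPorts:
        - ports:
            - port: "5080"
              protocol: "TCP" # OpenObserve HTTP API

  egress:
    # All in-cluster destinations (pods, services, nodes) on every port -
    # essential for CloudNativePG. As on ingress, this subsumes the port-scoped
    # cluster rules that follow.
    - toEntities:
        - cluster
        - remote-node
        - host

    # Control-plane services reached by worker nodes.
    - toEntities:
        - cluster
        - remote-node
      toPorts:
        - ports:
            - port: "6443"
              protocol: "TCP" # Kubernetes API server
            - port: "8000"
              protocol: "TCP" # CloudNativePG health endpoints
            - port: "9443"
              protocol: "TCP" # CloudNativePG operator webhook
            - port: "5432"
              protocol: "TCP" # PostgreSQL replication
            - port: "9187"
              protocol: "TCP" # PostgreSQL metrics

    # Control plane over the VLAN for node bootstrapping. The explicit VIP
    # entry ensures new nodes can reach kube-apiserver without network changes.
    - toCIDR:
        - 10.132.0.0/24 # VLAN subnet for cluster bootstrapping (includes VIP)
        - /32 # control-plane kube-apiserver VIP - host address missing; must read <control-plane-vip>/32 before apply
        - /32 # n1 VLAN IP (fallback) - host address missing; must read <n1-vlan-ip>/32 before apply
      toPorts:
        - ports:
            - port: "6443"
              protocol: "TCP" # Kubernetes API server
            - port: "50000"
              protocol: "TCP" # Talos API
            - port: "50001"
              protocol: "TCP" # Talos API trustd

    # DNS resolution via the cluster DNS pods.
    - toEndpoints:
        - matchLabels:
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: "UDP"
            - port: "53"
              protocol: "TCP"

    # Monitoring (OpenObserve) inside the cluster.
    - toEntities:
        - cluster
      toPorts:
        - ports:
            - port: "5080"
              protocol: "TCP" # OpenObserve

    # Outbound internet for NTP, image pulls, upstream DNS, etc. Egress to
    # world is limited to these four ports; anything else leaving the node is
    # dropped by the default-deny.
    - toEntities:
        - world
      toPorts:
        - ports:
            - port: "443"
              protocol: "TCP" # HTTPS
            - port: "80"
              protocol: "TCP" # HTTP
            - port: "53"
              protocol: "UDP" # DNS
            - port: "123"
              protocol: "UDP" # NTP time synchronization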