Michael DiLeo
7327d77dcd
Add the redacted source file for demo purposes Reviewed-on: https://source.michaeldileo.org/michael_dileo/Keybard-Vagabond-Demo/pulls/1 Co-authored-by: Michael DiLeo <michael_dileo@proton.me> Co-committed-by: Michael DiLeo <michael_dileo@proton.me>
199 lines
5.1 KiB
YAML
199 lines
5.1 KiB
YAML
# policies/host-fw-worker-nodes.yaml
|
|
apiVersion: "cilium.io/v2"
|
|
kind: CiliumClusterwideNetworkPolicy
|
|
metadata:
|
|
name: "host-fw-worker-nodes"
|
|
spec:
|
|
description: "Worker node firewall rules - more permissive for database workloads"
|
|
nodeSelector:
|
|
matchExpressions:
|
|
- key: node-role.kubernetes.io/control-plane
|
|
operator: DoesNotExist
|
|
ingress:
|
|
# Allow all cluster communication for database operations
|
|
- fromEntities:
|
|
- cluster
|
|
- remote-node
|
|
- host
|
|
|
|
# Allow PostgreSQL and Redis connections from anywhere in cluster
|
|
- fromEntities:
|
|
- cluster
|
|
toPorts:
|
|
- ports:
|
|
- port: "5432"
|
|
protocol: "TCP" # PostgreSQL
|
|
- port: "6379"
|
|
protocol: "TCP" # Redis
|
|
|
|
# Allow health check and monitoring ports
|
|
- fromEntities:
|
|
- cluster
|
|
toPorts:
|
|
- ports:
|
|
- port: "8000"
|
|
protocol: "TCP" # CloudNativePG health endpoint
|
|
- port: "8080"
|
|
protocol: "TCP"
|
|
- port: "9187"
|
|
protocol: "TCP" # PostgreSQL metrics
|
|
- port: "9443"
|
|
protocol: "TCP" # CloudNativePG operator webhook server
|
|
- port: "10250"
|
|
protocol: "TCP" # kubelet
|
|
|
|
# Allow kubelet access from VLAN for cluster operations
|
|
- fromCIDR:
|
|
- 10.132.0.0/24 # VLAN subnet
|
|
toPorts:
|
|
- ports:
|
|
- port: "10250"
|
|
protocol: "TCP" # kubelet API
|
|
|
|
# HTTP and HTTPS access - allow from cluster and Tailscale network
|
|
# Tailscale network needed for Tailscale operator proxy pods (e.g., Kibana via MagicDNS)
|
|
- fromEntities:
|
|
- cluster
|
|
- fromCIDR:
|
|
- 100.64.0.0/10 # Tailscale CGNAT range - allow Tailscale services
|
|
toPorts:
|
|
- ports:
|
|
- port: "80"
|
|
protocol: "TCP"
|
|
- port: "443"
|
|
protocol: "TCP"
|
|
|
|
# Allow access to Talos API from Tailscale network, VLAN, and external IPs
|
|
# Restricted access (not world) for security - authentication still required
|
|
- fromCIDR:
|
|
- 100.64.0.0/10 # Tailscale CGNAT range
|
|
- 10.132.0.0/24 # VLAN subnet for node bootstrapping
|
|
- <NODE_1_EXTERNAL_IP>/32 # n1 external IP
|
|
- <NODE_2_EXTERNAL_IP>/32 # n2 external IP
|
|
- <NODE_3_EXTERNAL_IP>/32 # n3 external IP
|
|
- fromEntities:
|
|
- cluster # Allow cluster-internal access
|
|
toPorts:
|
|
- ports:
|
|
- port: "50000"
|
|
protocol: "TCP"
|
|
- port: "50001"
|
|
protocol: "TCP"
|
|
|
|
# Allow ICMP Ping
|
|
- icmps:
|
|
- fields:
|
|
- type: 8
|
|
family: IPv4
|
|
- type: 128
|
|
family: IPv6
|
|
|
|
# Allow cilium tunnel/health checks
|
|
- fromEntities:
|
|
- remote-node
|
|
toPorts:
|
|
- ports:
|
|
- port: "8472"
|
|
protocol: "UDP"
|
|
- port: "4240"
|
|
protocol: "TCP"
|
|
|
|
# Allow hubble communication
|
|
- fromEndpoints:
|
|
- matchLabels:
|
|
k8s-app: hubble-relay
|
|
toPorts:
|
|
- ports:
|
|
- port: "4244"
|
|
protocol: "TCP"
|
|
|
|
# NGINX Ingress Controller metrics port
|
|
- fromEntities:
|
|
- cluster
|
|
toPorts:
|
|
- ports:
|
|
- port: "10254"
|
|
protocol: "TCP" # NGINX Ingress metrics
|
|
|
|
# OpenObserve metrics ingestion port
|
|
- fromEntities:
|
|
- cluster
|
|
toPorts:
|
|
- ports:
|
|
- port: "5080"
|
|
protocol: "TCP" # OpenObserve HTTP API
|
|
|
|
# Additional monitoring ports (removed unused Prometheus/Grafana ports)
|
|
# Note: OpenObserve is used instead of Prometheus/Grafana stack
|
|
|
|
egress:
|
|
# Allow all cluster communication (pods, services, nodes) - essential for CloudNativePG
|
|
- toEntities:
|
|
- cluster
|
|
- remote-node
|
|
- host
|
|
|
|
# Allow worker nodes to reach control plane services
|
|
- toEntities:
|
|
- cluster
|
|
- remote-node
|
|
toPorts:
|
|
- ports:
|
|
- port: "6443"
|
|
protocol: "TCP" # Kubernetes API server
|
|
- port: "8000"
|
|
protocol: "TCP" # CloudNativePG health endpoints
|
|
- port: "9443"
|
|
protocol: "TCP" # CloudNativePG operator webhook
|
|
- port: "5432"
|
|
protocol: "TCP" # PostgreSQL replication
|
|
- port: "9187"
|
|
protocol: "TCP" # PostgreSQL metrics
|
|
|
|
# Allow access to control plane via VLAN for node bootstrapping
|
|
# Explicit VIP access ensures new nodes can reach kubeapi without network changes
|
|
- toCIDR:
|
|
- 10.132.0.0/24 # VLAN subnet for cluster bootstrapping (includes VIP)
|
|
- <VIP_IP>/32 # Explicit VIP for control plane kubeapi
|
|
- <NODE_1_IP>/32 # n1 VLAN IP (fallback)
|
|
toPorts:
|
|
- ports:
|
|
- port: "6443"
|
|
protocol: "TCP" # Kubernetes API server
|
|
- port: "50000"
|
|
protocol: "TCP" # Talos API
|
|
- port: "50001"
|
|
protocol: "TCP" # Talos API trustd
|
|
|
|
# Allow DNS resolution
|
|
- toEndpoints:
|
|
- matchLabels:
|
|
k8s-app: kube-dns
|
|
toPorts:
|
|
- ports:
|
|
- port: "53"
|
|
protocol: "UDP"
|
|
- port: "53"
|
|
protocol: "TCP"
|
|
|
|
# Allow worker nodes to reach external services (OpenObserve, monitoring)
|
|
- toEntities:
|
|
- cluster
|
|
toPorts:
|
|
- ports:
|
|
- port: "5080"
|
|
protocol: "TCP" # OpenObserve
|
|
|
|
# Allow outbound internet access for NTP, image pulls, etc.
|
|
- toEntities:
|
|
- world
|
|
toPorts:
|
|
- ports:
|
|
- port: "443"
|
|
protocol: "TCP" # HTTPS
|
|
- port: "80"
|
|
protocol: "TCP" # HTTP
|
|
- port: "53"
|
|
protocol: "UDP" # DNS
|
|
- port: "123"
|
|
protocol: "UDP" # NTP time synchronization |