Keybard-Vagabond-Demo/manifests/infrastructure/cluster-policies/host-fw-control-plane.yaml

# policies/host-fw-control-plane.yaml
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "host-fw-control-plane"
spec:
  description: "control-plane specific access rules. Restricted to Tailscale network for security."
  nodeSelector:
    matchLabels:
      node-role.kubernetes.io/control-plane: ""
  ingress:
  # Allow access to kube api from Tailscale network, VLAN, VIP, and external IPs
  # VIP (<VIP_IP>) allows new nodes to bootstrap via VLAN without network changes
  - fromCIDR:
    - 100.64.0.0/10  # Tailscale CGNAT range
    - 10.132.0.0/24  # VLAN subnet (includes VIP <VIP_IP> and node IPs)
    - <VIP_IP>/32  # Explicit VIP for control plane (new node bootstrapping)
    - <NODE_1_EXTERNAL_IP>/32  # n1 external IP
    - <NODE_2_EXTERNAL_IP>/32  # n2 external IP  
    - <NODE_3_EXTERNAL_IP>/32  # n3 external IP
  - fromEntities:
    - cluster  # Allow cluster-internal access
    toPorts:
    - ports:
      - port: "6443"
        protocol: "TCP"

  # Allow access to talos from Tailscale network, VLAN, VIP, external IPs, and cluster
  # Restricted access (not world) for security - authentication still required
  # https://www.talos.dev/v1.4/learn-more/talos-network-connectivity/
  - fromCIDR:
    - 100.64.0.0/10  # Tailscale CGNAT range
    - 10.132.0.0/24  # VLAN subnet for node bootstrapping
    - <VIP_IP>/32  # VIP for control plane access
    - <NODE_1_EXTERNAL_IP>/32  # n1 external IP
    - <NODE_2_EXTERNAL_IP>/32  # n2 external IP  
    - <NODE_3_EXTERNAL_IP>/32  # n3 external IP
  - fromEntities:
    - cluster  # Allow cluster-internal access
    toPorts:
    - ports:
      - port: "50000"
        protocol: "TCP"
      - port: "50001"
        protocol: "TCP"

  # Allow worker nodes to access control plane Talos API
  - fromEntities:
    - remote-node
    toPorts:
    - ports:
      - port: "50000"
        protocol: "TCP"
      - port: "50001"
        protocol: "TCP"

  # Allow kube-proxy-replacement from kube-apiserver
  - fromEntities:
    - kube-apiserver
    toPorts:
    - ports:
      - port: "10250"
        protocol: "TCP"
      - port: "4244"
        protocol: "TCP"

  # Allow access from hubble-relay to hubble-peer (running on the node)
  - fromEndpoints:
    - matchLabels:
        k8s-app: hubble-relay
    toPorts:
    - ports:
      - port: "4244"
        protocol: "TCP"

   # Allow metrics-server to scrape
  - fromEndpoints:
    - matchLabels:
        k8s-app: metrics-server
    toPorts:
    - ports:
      - port: "10250"
        protocol: "TCP"

  # Allow ICMP Ping from/to anywhere.
  - icmps:
    - fields:
      - type: 8
        family: IPv4
      - type: 128
        family: IPv6

  # Allow cilium tunnel/health checks from other nodes.
  - fromEntities:
    - remote-node
    toPorts:
    - ports:
      - port: "8472"
        protocol: "UDP"
      - port: "4240"
        protocol: "TCP"

  # Allow etcd communication between control plane nodes
  # Required for etcd cluster formation and peer communication
  # Ports: 2379 (client API), 2380 (peer communication), 51871 (Talos etcd peer discovery)
  - fromCIDR:
    - 100.64.0.0/10  # Tailscale CGNAT range
    - 10.132.0.0/24  # VLAN subnet (includes VIP <VIP_IP> and node IPs)
    - <VIP_IP>/32  # Explicit VIP for control plane (new node bootstrapping)
    - <NODE_1_EXTERNAL_IP>/32  # n1 external IP
    - <NODE_2_EXTERNAL_IP>/32  # n2 external IP  
    - <NODE_3_EXTERNAL_IP>/32  # n3 external IP
  - fromEntities:
    - remote-node  # Allow from other nodes (including bootstrapping control planes)
    - cluster  # Allow from cluster pods
    toPorts:
    - ports:
      - port: "2379"
        protocol: "TCP"  # etcd client API
      - port: "2380"
        protocol: "TCP"  # etcd peer communication
      - port: "51871"
        protocol: "UDP"  # Talos etcd peer discovery

# HTTP and HTTPS access - allow external for Harbor direct access and Let's Encrypt challenges
# everything else is secured and I really hate this
  - fromEntities:
    - cluster
    - world  # Allow external access for Harbor and Let's Encrypt
  - fromCIDR:
    - 100.64.0.0/10  # Tailscale CGNAT range - allow Tailscale services (e.g., Kibana proxy)
    toPorts:
    - ports:
      - port: "80"
        protocol: "TCP"
      - port: "443"
        protocol: "TCP"

# Allow access from inside the cluster to the admission controller
  - fromEntities:
    - cluster
    toPorts:
    - ports:
      - port: "8443"
        protocol: "TCP"

  # Allow PostgreSQL and Redis database connections from cluster
  - fromEntities:
    - cluster
    toPorts:
    - ports:
      - port: "5432"
        protocol: "TCP"  # PostgreSQL
      - port: "6379"
        protocol: "TCP"  # Redis

  # Allow PostgreSQL monitoring/health checks and CloudNativePG coordination
  - fromEntities:
    - cluster
    toPorts:
    - ports:
      - port: "9187"
        protocol: "TCP"  # PostgreSQL metrics port
      - port: "8000"
        protocol: "TCP"  # CloudNativePG health endpoint
      - port: "9443"
        protocol: "TCP"  # CloudNativePG operator webhook server

  # Allow local kubelet health checks on control plane pods
  # (kubelet on control plane needs to check health endpoints of local pods)
  - fromEntities:
    - host
    toPorts:
    - ports:
      - port: "8000"
        protocol: "TCP"  # CloudNativePG health endpoint for kubelet probes

  # OpenObserve and metrics collection ports
  - fromEntities:
    - cluster
    toPorts:
    - ports:
      - port: "5080"
        protocol: "TCP"  # OpenObserve
      - port: "10254"
        protocol: "TCP"  # NGINX Ingress metrics

  egress:
  # Allow all cluster communication (pods, services, nodes)
  - toEntities:
    - cluster
    - remote-node
    - host
  
  # Allow etcd communication to other control plane nodes
  # Required for etcd cluster formation and peer communication
  - toCIDR:
    - 10.132.0.0/24  # VLAN subnet (all control plane nodes)
    - <VIP_IP>/32  # VIP
  - toEntities:
    - remote-node  # Allow to other nodes
    toPorts:
    - ports:
      - port: "2379"
        protocol: "TCP"  # etcd client API
      - port: "2380"
        protocol: "TCP"  # etcd peer communication
      - port: "51871"
        protocol: "UDP"  # Talos etcd peer discovery

  
  # Allow control plane to reach CloudNativePG health endpoints on all nodes
  - toEntities:
    - cluster
    - remote-node
    - host
    toPorts:
    - ports:
      - port: "8000"
        protocol: "TCP"  # CloudNativePG health endpoint
  
  # Allow control plane to reach PostgreSQL databases on worker nodes
  - toEntities:
    - cluster
    - remote-node
    toPorts:
    - ports:
      - port: "5432"
        protocol: "TCP"  # PostgreSQL database
      - port: "9187"
        protocol: "TCP"  # PostgreSQL metrics
      - port: "8000"
        protocol: "TCP"  # CloudNativePG health endpoint (correct port)
      - port: "8080"
        protocol: "TCP"  # Additional health/admin endpoints
      - port: "9443"
        protocol: "TCP"  # CloudNativePG operator webhook server
  
  # Allow DNS resolution
  - toEntities:
    - cluster
    - remote-node
    toPorts:
    - ports:
      - port: "53"
        protocol: "TCP"
      - port: "53"
        protocol: "UDP"
  
  # Allow outbound internet access for backup operations, image pulls, etc.
  - toEntities:
    - world
    toPorts:
    - ports:
      - port: "443"
        protocol: "TCP"  # HTTPS
      - port: "80"
        protocol: "TCP"   # HTTP
      - port: "53"
        protocol: "UDP"   # DNS
      - port: "123"
        protocol: "UDP"   # NTP time synchronization