85 lines
2.7 KiB
YAML
85 lines
2.7 KiB
YAML
---
|
|
# Comprehensive CloudNativePG network policy for single-operator deployment
|
|
# This allows the Helm-deployed operator in postgresql-system to manage the cluster
|
|
apiVersion: cilium.io/v2
|
|
kind: CiliumNetworkPolicy
|
|
metadata:
|
|
name: cnpg-comprehensive-access
|
|
namespace: postgresql-system
|
|
spec:
|
|
description: "Allow CloudNativePG operator and cluster communication"
|
|
endpointSelector:
|
|
matchLabels:
|
|
cnpg.io/cluster: postgres-shared # Apply to postgres-shared cluster pods
|
|
ingress:
|
|
# Allow operator in same namespace to manage cluster
|
|
- fromEndpoints:
|
|
- matchLabels:
|
|
app.kubernetes.io/name: cloudnative-pg # Helm-deployed operator
|
|
toPorts:
|
|
- ports:
|
|
- port: "5432"
|
|
protocol: TCP # PostgreSQL database
|
|
- port: "8000"
|
|
protocol: TCP # CloudNativePG health endpoint
|
|
- port: "9187"
|
|
protocol: TCP # PostgreSQL metrics
|
|
# Allow cluster-wide access for applications and monitoring
|
|
- fromEntities:
|
|
- cluster
|
|
- host
|
|
- remote-node
|
|
- kube-apiserver # Explicitly allow API server (used for service port-forward)
|
|
toPorts:
|
|
- ports:
|
|
- port: "5432"
|
|
protocol: TCP # PostgreSQL database access
|
|
- port: "9187"
|
|
protocol: TCP # Metrics collection
|
|
# Allow pod-to-pod communication within cluster (replication)
|
|
- fromEndpoints:
|
|
- matchLabels:
|
|
cnpg.io/cluster: postgres-shared
|
|
toPorts:
|
|
- ports:
|
|
- port: "5432"
|
|
protocol: TCP # PostgreSQL replication
|
|
- port: "8000"
|
|
protocol: TCP # Health checks between replicas
|
|
---
|
|
# Allow CloudNativePG operator to reach webhook endpoints
|
|
apiVersion: cilium.io/v2
|
|
kind: CiliumNetworkPolicy
|
|
metadata:
|
|
name: cnpg-operator-webhook-access
|
|
namespace: postgresql-system
|
|
spec:
|
|
description: "Allow CloudNativePG operator webhook communication"
|
|
endpointSelector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: cloudnative-pg # Helm-deployed operator
|
|
ingress:
|
|
# Allow Kubernetes API server to reach webhook
|
|
- fromEntities:
|
|
- host
|
|
- cluster
|
|
toPorts:
|
|
- ports:
|
|
- port: "9443"
|
|
protocol: TCP # CloudNativePG webhook port
|
|
egress:
|
|
# Allow operator to reach PostgreSQL pods for management
|
|
- toEndpoints:
|
|
- matchLabels:
|
|
cnpg.io/cluster: postgres-shared
|
|
toPorts:
|
|
- ports:
|
|
- port: "5432"
|
|
protocol: TCP
|
|
- port: "8000"
|
|
protocol: TCP
|
|
# Allow operator to reach Kubernetes API
|
|
- toEntities:
|
|
- cluster
|
|
- host
|
|
- remote-node |