Keybard-Vagabond-Demo/manifests/infrastructure/postgresql/cilium-cnpg-policies.yaml
Michael DiLeo 7327d77dcd redaction (#1)
Add the redacted source file for demo purposes

Reviewed-on: https://source.michaeldileo.org/michael_dileo/Keybard-Vagabond-Demo/pulls/1
Co-authored-by: Michael DiLeo <michael_dileo@proton.me>
Co-committed-by: Michael DiLeo <michael_dileo@proton.me>
2025-12-24 13:40:47 +00:00


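---
# CloudNativePG network policy for a single-operator deployment.
# Selects the pods of the `postgres-shared` cluster in postgresql-system.
# Only `ingress` is declared, so Cilium enforces ingress for these pods and
# leaves their egress at default-allow (unless another policy selects them).
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: cnpg-comprehensive-access
  namespace: postgresql-system
spec:
  description: "Allow CloudNativePG operator and cluster communication"
  endpointSelector:
    matchLabels:
      cnpg.io/cluster: postgres-shared  # postgres-shared cluster pods
  ingress:
    # Rule 1: the Helm-deployed operator. `fromEndpoints` in a namespaced
    # CiliumNetworkPolicy only matches endpoints in this namespace, so this is
    # "operator in postgresql-system".
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/name: cloudnative-pg
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP  # PostgreSQL
            - port: "8000"
              protocol: TCP  # CloudNativePG health endpoint
            - port: "9187"
              protocol: TCP  # PostgreSQL metrics
    # Rule 2: cluster-wide access for applications and monitoring.
    # NOTE(review): the `cluster` entity matches every pod in every namespace
    # (and already contains `host` and `remote-node`), so 5432 and 9187 are
    # reachable from any workload in the cluster; rules 1 and 3 only add port
    # 8000 on top of this. For a shared database this is the rule to tighten:
    # replace `fromEntities` with `fromEndpoints` selectors carrying
    # `k8s:io.kubernetes.pod.namespace: <app-namespace>` for 5432 and the
    # monitoring namespace for 9187.
    # `kubectl port-forward` is proxied by the kubelet and reaches the pod from
    # the node (`host`), not from the API server, so `kube-apiserver` is not
    # what makes port-forward work; it is kept for compatibility but is not
    # known to be needed for PostgreSQL traffic (entity exists in Cilium 1.11+).
    - fromEntities:
        - cluster
        - host
        - remote-node
        - kube-apiserver
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP  # PostgreSQL database access
            - port: "9187"
              protocol: TCP  # Metrics collection
    # Rule 3: instance-to-instance traffic inside the postgres-shared cluster
    # (streaming replication on 5432, health checks between instances on 8000).
    - fromEndpoints:
        - matchLabels:
            cnpg.io/cluster: postgres-shared
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP  # PostgreSQL replication
            - port: "8000"
              protocol: TCP  # Health checks between replicas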
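---
# Network policy for the Helm-deployed CloudNativePG operator pod.
# Declares both `ingress` and `egress`, so the operator's egress becomes
# default-deny for anything not listed below.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: cnpg-operator-webhook-access
  namespace: postgresql-system
spec:
  description: "Allow CloudNativePG operator webhook communication"
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: cloudnative-pg  # Helm-deployed operator
  ingress:
    # Admission webhook calls come from the Kubernetes API server. `host` and
    # `cluster` cover a control plane that runs on cluster nodes; on a managed
    # or otherwise external control plane the caller carries Cilium's reserved
    # `kube-apiserver` identity instead (entity exists in Cilium 1.11+), and
    # without it CNPG CRD writes would fail admission. It is listed here for
    # consistency with cnpg-comprehensive-access, which already uses it.
    # NOTE(review): `cluster` also admits any pod in the cluster to 9443;
    # narrow to `kube-apiserver` (+ `host` if needed) once the control-plane
    # identity has been confirmed on this cluster.
    - fromEntities:
        - kube-apiserver
        - host
        - cluster
      toPorts:
        - ports:
            - port: "9443"
              protocol: TCP  # CloudNativePG webhook port
  egress:
    # Management traffic to the postgres-shared instances.
    # NOTE(review): the `toEntities: cluster` rule below has no port
    # restriction and already allows all ports to every in-cluster endpoint,
    # so this rule documents intent rather than restricting anything.
    - toEndpoints:
        - matchLabels:
            cnpg.io/cluster: postgres-shared
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP  # PostgreSQL
            - port: "8000"
              protocol: TCP  # CloudNativePG health endpoint
    # Kubernetes API and in-cluster DNS. `cluster` already includes `host` and
    # `remote-node`; `kube-apiserver` is added so an external control plane
    # (which is not part of `cluster`) stays reachable once egress is enforced.
    - toEntities:
        - cluster
        - host
        - remote-node
        - kube-apiserver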