Michael DiLeo
7327d77dcd
Add the redacted source file for demo purposes Reviewed-on: https://source.michaeldileo.org/michael_dileo/Keybard-Vagabond-Demo/pulls/1 Co-authored-by: Michael DiLeo <michael_dileo@proton.me> Co-committed-by: Michael DiLeo <michael_dileo@proton.me>
47 lines
1.3 KiB
YAML
47 lines
1.3 KiB
YAML
---
|
|
# Celery Monitoring Network Policies
|
|
# Port-forward and health check access to Flower with proper DNS/Redis connectivity
|
|
apiVersion: cilium.io/v2
|
|
kind: CiliumNetworkPolicy
|
|
metadata:
|
|
name: celery-flower-ingress
|
|
namespace: celery-monitoring
|
|
spec:
|
|
description: "Allow ingress to Flower from kubectl port-forward and health checks"
|
|
endpointSelector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: celery-flower
|
|
app.kubernetes.io/component: monitoring
|
|
ingress:
|
|
# Allow kubectl port-forward access (from cluster nodes)
|
|
- fromEntities:
|
|
- cluster
|
|
- host
|
|
toPorts:
|
|
- ports:
|
|
- port: "5555"
|
|
protocol: TCP
|
|
|
|
---
|
|
apiVersion: cilium.io/v2
|
|
kind: CiliumNetworkPolicy
|
|
metadata:
|
|
name: celery-flower-egress
|
|
namespace: celery-monitoring
|
|
spec:
|
|
description: "Allow Flower to connect to Redis, DNS, and monitoring services"
|
|
endpointSelector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: celery-flower
|
|
app.kubernetes.io/component: monitoring
|
|
egress:
|
|
# Allow all cluster-internal communication (like PieFed approach)
|
|
# This is more permissive but still secure within the cluster
|
|
- toEntities:
|
|
- cluster
|
|
- host
|
|
|
|
|
|
|
|
# Service access policy removed - using kubectl port-forward for local access
|
|
# Port-forward provides secure access without exposing the service externally |