EscapeFromTeacher/k8s/cilium-netpol.yaml
# Default deny: every pod in ${TARGET_NS} drops all ingress and all egress
# that is not explicitly allowed by another CiliumNetworkPolicy.
#
# NOTE(review): in Cilium an empty rule (`- {}`) allows nothing -- it only
# switches the selected endpoints into default-deny mode for that direction.
# This is the opposite of core Kubernetes NetworkPolicy, where `ingress: [{}]`
# allows everything; do not copy this stanza into a `kind: NetworkPolicy`
# unchanged. Confirm against the Cilium docs for the deployed version.
#
# `endpointSelector: {}` matches every pod in the namespace, including pods
# created later (e.g. cert-manager solver pods), so any new workload is fully
# isolated until it receives its own allow policy.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: default-deny-all
  namespace: ${TARGET_NS}
spec:
  endpointSelector: {}
  ingress:
    - {}
  egress:
    - {}
---
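# Escape Game application: accepts client traffic on TCP/8080 and may only
# talk to kube-dns, Redis and NATS. Everything else is dropped by
# default-deny-all.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: escape-game-netpol
  # Pinned to the same namespace as default-deny-all. The unqualified
  # `app: ...` selectors below only match pods in the policy's own namespace,
  # so the policy must be applied where the pods run, whatever `kubectl -n`
  # is (or is not) passed at apply time.
  namespace: ${TARGET_NS}
spec:
  endpointSelector:
    matchLabels:
      app: escape-game
  ingress:
    # L4-only rule: there is no fromEndpoints/fromEntities, so TCP/8080 is
    # reachable from ANY source that can route to this pod -- other
    # namespaces, and cluster-external clients if the Service is exposed.
    # NOTE(review): if Traefik is the only legitimate client, restrict the
    # source the same way acme-solver-netpol does:
    #   fromEndpoints:
    #     - matchLabels:
    #         k8s:io.kubernetes.pod.namespace: traefik
    - toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
  egress:
    # DNS to CoreDNS only (cross-namespace, hence the explicit namespace
    # label). NOTE(review): UDP only -- resolvers fall back to TCP/53 on
    # truncated answers; add a TCP/53 entry (or `protocol: ANY`) if lookups
    # of large records start failing.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
    # Redis client port only.
    - toEndpoints:
        - matchLabels:
            app: redis
      toPorts:
        - ports:
            - port: "6379"
              protocol: TCP
    # NATS client port only; the NATS cluster port (6222) stays closed to
    # the app.
    - toEndpoints:
        - matchLabels:
            app: nats
      toPorts:
        - ports:
            - port: "4222"
              protocol: TCP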
---
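# Redis: reachable on TCP/6379 from the escape-game pods only. Egress is
# limited to kube-dns, so a compromised Redis cannot reach the app, NATS or
# the internet.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: redis-netpol
  # Pinned to the same namespace as default-deny-all. The unqualified
  # `app: ...` selectors below only match pods in the policy's own namespace,
  # so the policy must be applied where the pods run, whatever `kubectl -n`
  # is (or is not) passed at apply time.
  namespace: ${TARGET_NS}
spec:
  endpointSelector:
    matchLabels:
      app: redis
  ingress:
    # Only the application may open the Redis client port.
    - fromEndpoints:
        - matchLabels:
            app: escape-game
      toPorts:
        - ports:
            - port: "6379"
              protocol: TCP
  egress:
    # DNS to CoreDNS only. NOTE(review): a standalone Redis does not need to
    # resolve names; if nothing here relies on it, drop this rule so Redis
    # egress is fully denied.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP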
---
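# NATS: client port TCP/4222 from the escape-game pods only; cluster port
# TCP/6222 only between NATS pods themselves. Egress is limited to kube-dns
# and peer NATS pods, so a compromised broker cannot reach the app, Redis or
# the internet.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: nats-netpol
  # Pinned to the same namespace as default-deny-all. The unqualified
  # `app: ...` selectors below only match pods in the policy's own namespace,
  # so the policy must be applied where the pods run, whatever `kubectl -n`
  # is (or is not) passed at apply time.
  namespace: ${TARGET_NS}
spec:
  endpointSelector:
    matchLabels:
      app: nats
  ingress:
    # Client connections from the application only.
    - fromEndpoints:
        - matchLabels:
            app: escape-game
      toPorts:
        - ports:
            - port: "4222"
              protocol: TCP
    # Cluster routing between NATS pods. Note that this is self-selecting:
    # a pod carrying `app: nats` may reach any other NATS pod on 6222.
    - fromEndpoints:
        - matchLabels:
            app: nats
      toPorts:
        - ports:
            - port: "6222"
              protocol: TCP
  egress:
    # DNS to CoreDNS only (UDP only; TCP/53 fallback is not allowed).
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
    # Outbound cluster routing to peer NATS pods; mirrors the ingress rule
    # above so that both sides of the 6222 connection are allowed.
    - toEndpoints:
        - matchLabels:
            app: nats
      toPorts:
        - ports:
            - port: "6222"
              protocol: TCP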
---
# cert-manager HTTP-01 solver pods. cert-manager creates these pods on the
# fly in ${TARGET_NS}, so default-deny-all selects them too; without this
# policy Traefik could not reach the challenge server and issuance would
# stall.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: acme-solver-netpol
  namespace: ${TARGET_NS}
spec:
  endpointSelector:
    matchLabels:
      # Label carried by cert-manager's HTTP-01 solver pods; the value must
      # stay a quoted string, not a YAML boolean.
      acme.cert-manager.io/http01-solver: 'true'
  ingress:
    # Challenge server on TCP/8089. The selector is namespace-wide: every
    # pod in the `traefik` namespace may connect, not only the proxy itself.
    - fromEndpoints:
        - matchLabels:
            'k8s:io.kubernetes.pod.namespace': traefik
      toPorts:
        - ports:
            - port: '8089'
              protocol: TCP
  egress:
    # Unrestricted egress to cluster-external destinations on ANY port (no
    # toPorts stanza). NOTE(review): the solver pod only serves the challenge
    # token; the pre-issuance self-check is normally made by the cert-manager
    # controller, not by this pod, so this rule is likely unneeded. Confirm
    # with a test issuance and drop it, or at least add a toPorts stanza for
    # TCP/80 if it turns out to be required.
    - toEntities:
        - world
    # DNS to CoreDNS only (UDP only; TCP/53 fallback is not allowed).
    - toEndpoints:
        - matchLabels:
            'k8s:io.kubernetes.pod.namespace': kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: '53'
              protocol: UDP