EscapeFromTeacher/k8s/cilium-netpol.yaml
add namespace and refine ingress rules in CiliumNetworkPolicy for improved traffic segmentation
2026-01-25 14:47:57 +01:00

# Default deny for the escapefromteacher namespace.
# CiliumNetworkPolicy is a namespaced resource, so the empty endpointSelector
# selects every pod in this namespace only, not the whole cluster.
# In Cilium an empty rule (`- {}`) puts the selected endpoints into policy
# enforcement without allowing any peer, i.e. it is a "deny all". This is the
# opposite of the Kubernetes NetworkPolicy API, where an empty rule allows all
# traffic — do not port this stanza to a plain NetworkPolicy unchanged, and
# verify the semantics against the Cilium docs for the installed version.
# Every other policy in this file must therefore allow-list what it needs,
# including DNS egress to kube-dns.
# NOTE(review): kubelet probes and cilium-agent health checks come from the
# host, which Cilium permits by default — confirm on this cluster if probes
# start failing once this is applied.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: default-deny-all
  namespace: escapefromteacher
spec:
  endpointSelector: {}
  ingress:
    - {}
  egress:
    - {}
---
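# Escape Game application policy.
# Ingress: only Traefik (traefik namespace) may reach the app on TCP/8080.
# Egress: DNS to kube-dns, Redis (TCP/6379) and the NATS client port
# (TCP/4222); everything else is dropped by default-deny-all.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: escape-game-netpol
  # Pin the namespace so this policy lands next to default-deny-all
  # regardless of the -n used at apply time. Without it the selectors
  # below match pods in whatever namespace the apply targets, and the
  # app in escapefromteacher stays fully denied.
  namespace: escapefromteacher
spec:
  endpointSelector:
    matchLabels:
      app: escape-game
  ingress:
    # Only the ingress controller may reach the application port.
    # NOTE(review): this rule selects the namespace with
    # io.cilium.k8s.policy.namespace while the kube-dns rules below use
    # k8s:io.kubernetes.pod.namespace; reconcile to one form and confirm
    # with `cilium policy get` / hubble that Traefik actually matches.
    # It also assumes the Traefik pods carry the label name=traefik.
    - fromEndpoints:
        - matchLabels:
            io.cilium.k8s.policy.namespace: traefik
            name: traefik
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
  egress:
    # DNS to kube-dns only. TCP/53 is allowed as well as UDP/53 because a
    # resolver retries over TCP when the answer does not fit in one UDP
    # datagram; with UDP only those lookups would time out under default
    # deny and look like an application fault.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP
    # Redis in this namespace (Cilium scopes toEndpoints selectors without
    # a namespace label to the policy's own namespace).
    - toEndpoints:
        - matchLabels:
            app: redis
      toPorts:
        - ports:
            - port: "6379"
              protocol: TCP
    # NATS client port in this namespace.
    - toEndpoints:
        - matchLabels:
            app: nats
      toPorts:
        - ports:
            - port: "4222"
              protocol: TCP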
---
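# Redis policy.
# Ingress: only the escape-game pods, on TCP/6379.
# Egress: DNS to kube-dns only; Redis initiates no other connections and
# anything else is dropped by default-deny-all.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: redis-netpol
  # Pin the namespace so the policy is applied alongside default-deny-all
  # and its selectors match the escape-game and redis pods there.
  namespace: escapefromteacher
spec:
  endpointSelector:
    matchLabels:
      app: redis
  ingress:
    # Only the application may reach Redis; no other client (including
    # other pods in this namespace) gets through.
    - fromEndpoints:
        - matchLabels:
            app: escape-game
      toPorts:
        - ports:
            - port: "6379"
              protocol: TCP
  egress:
    # DNS to kube-dns. TCP/53 is allowed alongside UDP/53 so that answers
    # too large for a UDP datagram can be retried over TCP.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP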
---
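# NATS policy.
# Ingress: escape-game pods on the client port TCP/4222, and other NATS
# pods on TCP/6222 (cluster routes between replicas).
# Egress: DNS to kube-dns and the same TCP/6222 route port towards other
# NATS pods; everything else is dropped by default-deny-all.
# NOTE(review): no rule covers the NATS monitoring port (8222). If the
# liveness/readiness probes or a metrics scraper hit it and do not come
# from the host, add an explicit ingress rule rather than widening these.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: nats-netpol
  # Pin the namespace so the policy is applied alongside default-deny-all
  # and its selectors match the escape-game and nats pods there.
  namespace: escapefromteacher
spec:
  endpointSelector:
    matchLabels:
      app: nats
  ingress:
    # Client connections from the application only.
    - fromEndpoints:
        - matchLabels:
            app: escape-game
      toPorts:
        - ports:
            - port: "4222"
              protocol: TCP
    # Cluster traffic between NATS replicas; the egress rule below is the
    # matching half, both are required for routes to form.
    - fromEndpoints:
        - matchLabels:
            app: nats
      toPorts:
        - ports:
            - port: "6222"
              protocol: TCP
  egress:
    # DNS to kube-dns. TCP/53 is allowed alongside UDP/53 so that answers
    # too large for a UDP datagram can be retried over TCP.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP
    # Outbound cluster routes to the other NATS pods.
    - toEndpoints:
        - matchLabels:
            app: nats
      toPorts:
        - ports:
            - port: "6222"
              protocol: TCP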