EscapeFromTeacher/k8s/cilium-netpol.yaml
Sebastian Unterschütz d6b3afbf70
remove unnecessary fromEndpoints rule from CiliumNetworkPolicy configuration
2026-01-25 14:59:42 +01:00


# Default deny for the whole namespace.
# Selects every endpoint and installs one empty rule per direction; an empty
# rule allows nothing, so all ingress and egress is dropped unless a more
# specific policy (below) allows it.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: default-deny-all
  namespace: escapefromteacher
spec:
  endpointSelector: {}
  ingress:
    - {}
  egress:
    - {}
---
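# Escape Game application policy
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: escape-game-netpol
  # Pinned to the same namespace as default-deny-all so this allow policy
  # cannot be applied to a different namespace than the deny it relaxes.
  namespace: escapefromteacher
spec:
  endpointSelector:
    matchLabels:
      app: escape-game
  ingress:
    # `ingress` is a list of rules; `toPorts` has to be a list item, a bare
    # `toPorts:` mapping directly under `ingress` is not a valid rule list.
    # No fromEndpoints selector is set, so TCP/8080 is accepted from any
    # source that can route to the pod. Add a fromEndpoints selector if only
    # the ingress controller is meant to reach the app.
    - toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
  egress:
    # DNS to kube-dns
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
    # Redis
    - toEndpoints:
        - matchLabels:
            app: redis
      toPorts:
        - ports:
            - port: "6379"
              protocol: TCP
    # NATS client port
    - toEndpoints:
        - matchLabels:
            app: nats
      toPorts:
        - ports:
            - port: "4222"
              protocol: TCP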
---
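# Redis policy
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: redis-netpol
  # Pinned to the same namespace as default-deny-all so this allow policy
  # cannot be applied to a different namespace than the deny it relaxes.
  namespace: escapefromteacher
spec:
  endpointSelector:
    matchLabels:
      app: redis
  ingress:
    # Only the escape-game pods may open TCP/6379; everything else stays
    # denied by default-deny-all.
    - fromEndpoints:
        - matchLabels:
            app: escape-game
      toPorts:
        - ports:
            - port: "6379"
              protocol: TCP
  egress:
    # DNS to kube-dns
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP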
---
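# NATS policy
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: nats-netpol
  # Pinned to the same namespace as default-deny-all so this allow policy
  # cannot be applied to a different namespace than the deny it relaxes.
  namespace: escapefromteacher
spec:
  endpointSelector:
    matchLabels:
      app: nats
  ingress:
    # Client connections: only escape-game pods, TCP/4222
    - fromEndpoints:
        - matchLabels:
            app: escape-game
      toPorts:
        - ports:
            - port: "4222"
              protocol: TCP
    # Cluster routes between NATS pods, TCP/6222
    - fromEndpoints:
        - matchLabels:
            app: nats
      toPorts:
        - ports:
            - port: "6222"
              protocol: TCP
  egress:
    # DNS to kube-dns
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
    # Cluster routes to the other NATS pods, TCP/6222 (mirrors the ingress
    # rule above so both directions of the route are allowed)
    - toEndpoints:
        - matchLabels:
            app: nats
      toPorts:
        - ports:
            - port: "6222"
              protocol: TCP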