CiliumClusterwideNetworkPolicy for RKE2
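# Check https://docs.rke2.io/install/requirements#inbound-network-rules
# Enable the Host Firewall feature: https://docs.cilium.io/en/latest/security/host-firewall/
# HelmChartConfig Example:
# apiVersion: helm.cattle.io/v1
# kind: HelmChartConfig
# metadata:
#   name: rke2-cilium
#   namespace: kube-system
# spec:
#   valuesContent: |-
#     # "strict" is the older spelling; recent Cilium charts take true/false
#     # for kubeProxyReplacement — check the chart version in use.
#     kubeProxyReplacement: strict
#     k8sServiceHost: 127.0.0.1
#     k8sServicePort: 6443
#     hostFirewall:
#       enabled: true
---
# Host policy for the control-plane (master) nodes.
#
# Cilium host-firewall semantics: as soon as a host policy with ingress rules
# selects a node, ingress to that node is default-deny and only the rules of
# every policy whose nodeSelector matches it are allowed in. Ports that RKE2
# servers need besides 9345/6443 (kubelet 10250, Cilium health 4240, VXLAN
# 8472/UDP — see the RKE2 link above) are only covered if the master also
# carries the worker label and is therefore selected by worker-node-lock-down.
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "master-node-lock-down"
spec:
  description: "Allow a minimum set of required ports on ingress of master nodes"
  nodeSelector:
    matchLabels:
      # NOTE(review): node-role.kubernetes.io/master is the legacy role label;
      # confirm the installed RKE2 release still sets it (newer Kubernetes
      # uses node-role.kubernetes.io/control-plane), otherwise nothing is
      # selected and the policy is silently a no-op.
      node-role.kubernetes.io/master: "true"
  ingress:
    # Cilium agent health probes between nodes.
    - fromEntities:
        - health
    # Worker nodes: supervisor join/registration and the Kubernetes API.
    # NOTE(review): fromNodes matches node labels and, as far as I recall,
    # requires Cilium's node-selector-labels option — confirm for the
    # installed Cilium version.
    - fromNodes:
        - matchLabels:
            node-role.kubernetes.io/worker: "true"
      toPorts:
        - ports:
            # RKE2 supervisor API
            - port: "9345"
              protocol: TCP
            # Kubernetes API
            - port: "6443"
              protocol: TCP
    # Cattle Cluster Agent exception: the Rancher agent pod reaches the API
    # server on the node. The rule is pinned to the API port. An ingress rule
    # has no toEntities field (that is an egress selector); the previous
    # "toEntities: kube-apiserver" would be pruned or rejected by the API
    # server, leaving a from-only rule that admits EVERY port from these pods.
    - fromEndpoints:
        - matchLabels:
            app: cattle-cluster-agent
            io.kubernetes.pod.namespace: cattle-system
      toPorts:
        - ports:
            # Kubernetes API
            - port: "6443"
              protocol: TCP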
---
# Host policy for the etcd nodes: only the etcd ports, and only from other
# etcd members and from the control plane (the API server is etcd's client).
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "etcd-node-lock-down"
spec:
  description: "Allow a minimum set of required ports on ingress of etcd nodes"
  nodeSelector:
    matchLabels:
      node-role.kubernetes.io/etcd: "true"
  ingress:
    # Cilium agent health probes between nodes.
    - fromEntities:
        - health
    # NOTE(review): all three ports are granted to both node sets. If the etcd
    # and master roles live on separate machines, the peer port 2380 could be
    # limited to fromNodes etcd only; a combined server node needs both anyway.
    - fromNodes:
        - matchLabels:
            node-role.kubernetes.io/etcd: "true"
        - matchLabels:
            node-role.kubernetes.io/master: "true"
      toPorts:
        - ports:
            # etcd client port (used by the kube-apiserver)
            - port: "2379"
              protocol: TCP
            # etcd peer port (member-to-member replication)
            - port: "2380"
              protocol: TCP
            # etcd metrics port
            - port: "2381"
              protocol: TCP
---
# Host policy for the worker nodes: kubelet plus the Cilium datapath ports,
# reachable from every node role (control plane, etcd and other workers).
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "worker-node-lock-down"
spec:
  description: "Allow a minimum set of required ports on ingress of worker nodes"
  nodeSelector:
    matchLabels:
      node-role.kubernetes.io/worker: "true"
  ingress:
    # Cilium agent health probes between nodes.
    - fromEntities:
        - health
    - fromNodes:
        - matchLabels:
            node-role.kubernetes.io/etcd: "true"
        - matchLabels:
            node-role.kubernetes.io/master: "true"
        - matchLabels:
            node-role.kubernetes.io/worker: "true"
      toPorts:
        - ports:
            # Kubelet API / metrics (logs, exec, port-forward come in here)
            - port: "10250"
              protocol: TCP
            # Cilium health checks
            - port: "4240"
              protocol: TCP
            # Cilium VXLAN overlay
            - port: "8472"
              protocol: UDP
    # NodePort range, left disabled: port ranges (endPort) need Cilium 1.16+.
    # NOTE(review): endPort is an integer in the Cilium API (unlike port),
    # toPorts entries need a "ports" list, and a rule without any from*
    # selector admits the range from ANY source — add fromCIDR/fromEntities
    # before enabling this.
    # - toPorts:
    #     - ports:
    #         - port: "30000"
    #           endPort: 32767
    #           protocol: TCP
---
# Break-glass access: SSH and IPv4 ping from private address space.
#
# nodeSelector {} matches EVERY node, so this policy alone puts every node —
# including ones that carry none of the role labels above — into default-deny
# ingress with only these two rules. Apply this one first (or together with
# the others) so that nodes stay reachable while the role policies roll out.
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "allow-local-ssh"
spec:
  nodeSelector: {}
  ingress:
    # NOTE(review): this is the whole RFC 1918 space; narrow it to the actual
    # management network if one exists. As far as I recall, fromCIDR matches
    # only traffic Cilium does not already identify (outside the cluster), so
    # node-to-node SSH would need fromEntities/fromNodes instead — confirm.
    - fromCIDR:
        - "10.0.0.0/8"
        - "192.168.0.0/16"
        - "172.16.0.0/12"
      toPorts:
        - ports:
            # SSH
            - port: "22"
              protocol: TCP
    # ICMP echo request (IPv4 only; IPv6 ping is not admitted by this rule).
    - icmps:
        - fields:
            - type: 8
              family: IPv4