# Cilium network policies for the mastodon namespace: federation egress, core-infrastructure egress, and ingress from the Cloudflare Tunnel.
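apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: mastodon-egress-federation
  namespace: mastodon
spec:
  description: >-
    Allow Mastodon pods to reach the public internet (ActivityPub federation,
    remote media and link-preview fetches) while denying private, carrier-grade
    NAT, link-local and cluster-internal ranges that a user-supplied URL could
    otherwise be pointed at.
  # Selects every pod labelled app.kubernetes.io/name=mastodon. Cilium rules
  # are additive, so the other policies using this selector still apply.
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: mastodon
  egress:
    - toCIDRSet:
        - cidr: 0.0.0.0/0
          # The exceptions apply to this CIDR rule only; a destination excluded
          # here can still be reached if another rule (toEndpoints/toFQDNs)
          # allows it explicitly.
          except:
            - 10.244.0.0/16   # presumably the pod CIDR — confirm
            - 10.96.0.0/12    # presumably the service CIDR — confirm
            - 100.64.0.0/10   # carrier-grade NAT (RFC 6598)
            - 169.254.0.0/16  # link-local, incl. cloud metadata 169.254.169.254
            - 172.16.0.0/12   # RFC 1918 — was missing from the original list
            - 192.168.0.0/16  # RFC 1918
          # NOTE(review): 10.0.0.0/8 is only partially excluded; if nodes or
          # other infrastructure sit elsewhere in 10/8, add that range too.
          # NOTE(review): no toPorts restriction — every port on every public
          # IP is reachable. Federation needs 443 (and 80 for redirects);
          # anything else (e.g. an external SMTP relay) should be listed
          # explicitly rather than left wide open.
          # NOTE(review): no IPv6 entry; if the cluster has IPv6 egress, a
          # ::/0 rule with fc00::/7 and fe80::/10 exceptions is needed.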
---
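apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: mastodon-infra-core
  namespace: mastodon
spec:
  description: >-
    Egress from Mastodon pods to their core dependencies: cluster DNS,
    PostgreSQL, the MinIO "production" tenant and Redis.
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: mastodon
  egress:
    # Cluster DNS. The L7 dns rule enables the Cilium DNS proxy, which the
    # toFQDNs rule below depends on to learn the Redis IPs. matchPattern '*'
    # permits any name, which federation needs (arbitrary remote instances).
    # TCP/53 is allowed alongside UDP so that truncated responses (large
    # answers, DNSSEC) can fall back to TCP instead of failing.
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP
          rules:
            dns:
              - matchPattern: '*'
    # PostgreSQL. This matches every pod in the pg-vchord-cluster namespace.
    # NOTE(review): narrow to the database pods' own labels if they carry any.
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: pg-vchord-cluster
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP
    # MinIO S3 API of the "production" tenant. The namespace label key is
    # written without the explicit k8s: source prefix to match the other
    # toEndpoints selectors in this file; an unprefixed key is matched against
    # any label source, so the selection is unchanged.
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: minio
            v1.min.io/tenant: production
      toPorts:
        - ports:
            - port: "9000"
              protocol: TCP
    # Redis, addressed by FQDN and resolved through the DNS proxy enabled above.
    # NOTE(review): whether 6379 carries TLS cannot be seen from this policy —
    # confirm the endpoint is not plaintext if it lives outside the cluster.
    - toFQDNs:
        - matchName: mastodon.redis.prod.nasreddine.com
      toPorts:
        - ports:
            - port: "6379"
              protocol: TCP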
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: mastodon-ingress-cloudflare
  namespace: mastodon
spec:
  # Applies to every pod carrying app.kubernetes.io/name=mastodon.
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: mastodon
  ingress:
    # Only the cloudflared pods in the cloudflare-tunnel namespace may open
    # connections to the selected pods, and only on the three TCP ports below.
    # Under Cilium semantics any other ingress (e.g. a metrics scraper) is
    # denied once an ingress rule selects these pods, so it would need its own
    # rule.
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/name: cloudflare-tunnel
            io.kubernetes.pod.namespace: cloudflare-tunnel
      toPorts:
        - ports:
            # 3000 and 4000 are the conventional Mastodon web and streaming
            # ports; what listens on 8080 is not visible here — TODO confirm.
            - port: "3000"
              protocol: TCP
            - port: "4000"
              protocol: TCP
            - port: "8080"
              protocol: TCP