
     1  apiVersion: "cilium.io/v2"
     2  kind: CiliumClusterwideNetworkPolicy
     3  metadata:
     4    name: "host-policy"
     5  specs:
     6    - description: "Allow only test client <-> server communications on node <-> pod paths (local and remote pods)"
     7      nodeSelector:
     8        matchLabels:
     9          status: lockdown
    10      ingress:
    11      - fromEndpoints:
    12        - matchLabels:
    13            zgroup: testClient
    14        toPorts:
    15        - ports:
    16          - port: "80"
    17            protocol: TCP
    18      - fromEndpoints:
    19        - matchExpressions:
    20          - key: test
    21            operator: NotIn
    22            values: [hostfw]
    23      egress:
    24      - toEndpoints:
    25        - matchLabels:
    26            zgroup: testServer
    27        toPorts:
    28        - ports:
    29          - port: "80"
    30            protocol: TCP
    31      - toEndpoints:
    32        - matchExpressions:
    33          - key: test
    34            operator: NotIn
    35            values: [hostfw]
    36    - description: "Open required ports + test application's port between nodes"
    37      nodeSelector: {}
    38      ingress:
    39      - fromEntities:
    40        - remote-node
    41        toPorts:
    42        - ports:
    43          - port: "80"
    44            protocol: TCP
    45          # VXLAN tunnels between nodes
    46          - port: "8472"
    47            protocol: UDP
    48          # etcd connections
    49          - port: "2379"
    50            protocol: TCP
    51          - port: "2380"
    52            protocol: TCP
    53          # kube-api server
    54          - port: "6443"
    55            protocol: TCP
    56          # kubelet
    57          - port: "10250"
    58            protocol: TCP
    59          # Health checks
    60          - port: "4240"
    61            protocol: TCP
    62      egress:
    63      - toEntities:
    64        - remote-node
    65        toPorts:
    66        - ports:
    67          - port: "80"
    68            protocol: TCP
    69          # VXLAN tunnels between nodes
    70          - port: "8472"
    71            protocol: UDP
    72          # etcd connections
    73          - port: "2379"
    74            protocol: TCP
    75          - port: "2380"
    76            protocol: TCP
    77          # kube-api server
    78          - port: "6443"
    79            protocol: TCP
    80          # kubelet
    81          - port: "10250"
    82            protocol: TCP
    83          # Health checks
    84          - port: "4240"
    85            protocol: TCP
    86    - description: "Allow all to/from health and world"
    87      nodeSelector: {}
    88      ingress:
    89      - fromEntities:
    90        - health
    91        - world
    92      egress:
    93      - toEntities:
    94        - health
    95        - world
    96    - description: "Allow ICMP/ICMPv6 traffic on all nodes"
    97      nodeSelector: {}
    98      ingress:
    99      - icmps:
   100        - fields:
   101          - type: 8
   102            family: IPv4
   103          - type: 128
   104            family: IPv6
   105      egress:
   106      - icmps:
   107        - fields:
   108          - type: 8
   109            family: IPv4
   110          - type: 128
   111            family: IPv6