github.com/cilium/cilium@v1.16.2/test/k8s/manifests/kafka-sw-security-policy.yaml

github.com/cilium/cilium@v1.16.2/test/k8s/manifests/kafka-sw-security-policy.yaml (about)

     1  apiVersion: "cilium.io/v2"
     2  kind: CiliumNetworkPolicy
     3  metadata:
     4    name: "kafka-sw-security-policy"
     5  specs:
     6    - description: Allow only permitted Kafka requests to empire Kafka broker
     7      endpointSelector:
     8        matchLabels:
     9          app: kafka
    10      ingress:
    11      - fromEndpoints:
    12        - matchLabels:
    13            "reserved:host": ""
    14        toPorts:
    15        - ports:
    16          - port: "9092"
    17            protocol: TCP
    18    - endpointSelector:
    19        matchLabels:
    20          app: kafka
    21      egress:
    22      - toEndpoints:
    23        - matchLabels:
    24            k8s-app: kube-dns
    25            "k8s:io.kubernetes.pod.namespace": kube-system
    26    - endpointSelector:
    27        matchLabels:
    28          app: kafka
    29      ingress:
    30      - fromEndpoints:
    31        - matchLabels:
    32            app: empire-hq
    33        toPorts:
    34        - ports:
    35          - port: "9092"
    36            protocol: TCP
    37          rules:
    38            kafka:
    39            - apiKey: "apiversions"
    40            - apiKey: "metadata"
    41            - apiKey: "produce"
    42              topic: "deathstar-plans"
    43            - apiKey: "produce"
    44              topic: "empire-announce"
    45      - fromEndpoints:
    46        - matchLabels:
    47            app: kafka
    48    - endpointSelector:
    49        matchLabels:
    50          app: kafka
    51      ingress:
    52      - fromEndpoints:
    53        - matchLabels:
    54            app: empire-outpost
    55        toPorts:
    56        - ports:
    57          - port: "9092"
    58            protocol: TCP
    59          rules:
    60            kafka:
    61            - apiKey: "fetch"
    62              topic: "empire-announce"
    63            - apiKey: "apiversions"
    64            - apiKey: "metadata"
    65            - apiKey: "findcoordinator"
    66            - apiKey: "joingroup"
    67            - apiKey: "leavegroup"
    68            - apiKey: "syncgroup"
    69            - apiKey: "offsets"
    70            - apiKey: "offsetcommit"
    71            - apiKey: "offsetfetch"
    72            - apiKey: "heartbeat"
    73    - endpointSelector:
    74        matchLabels:
    75          app: kafka
    76      ingress:
    77      - fromEndpoints:
    78        - matchLabels:
    79            app: empire-backup
    80        toPorts:
    81        - ports:
    82          - port: "9092"
    83            protocol: TCP
    84          rules:
    85            kafka: []
    86    - endpointSelector:
    87        matchLabels:
    88          app: empire-backup
    89      egress:
    90      - toPorts:
    91        - ports:
    92          - port: "9092"
    93            protocol: TCP
    94          rules:
    95            kafka:
    96            - apiKey: "fetch"
    97              topic: "deathstar-plans"
    98            - apiKey: "apiversions"
    99            - apiKey: "metadata"
   100            - apiKey: "findcoordinator"
   101            - apiKey: "joingroup"
   102            - apiKey: "leavegroup"
   103            - apiKey: "syncgroup"
   104            - apiKey: "offsets"
   105            - apiKey: "offsetcommit"
   106            - apiKey: "offsetfetch"
   107            - apiKey: "heartbeat"