more more access to api-server from certgen

giantswarm · Dec 18, 2024 · b25843a · b25843a
1 parent ae1a5de
commit b25843a
Show file tree

Hide file tree

Showing 5 changed files with 72 additions and 20 deletions.
diff --git a/diffs/helm__envoy-gateway__templates__certgen-cnp.yaml.patch b/diffs/helm__envoy-gateway__templates__certgen-cnp.yaml.patch
@@ -1,9 +1,9 @@
 diff --git a/helm/envoy-gateway/templates/certgen-cnp.yaml b/helm/envoy-gateway/templates/certgen-cnp.yaml
 new file mode 100644
-index 0000000..d3ce4f6
+index 0000000..2af4f5c
 --- /dev/null
 +++ b/helm/envoy-gateway/templates/certgen-cnp.yaml
-@@ -0,0 +1,32 @@
+@@ -0,0 +1,43 @@
 +---
 +apiVersion: "cilium.io/v2"
 +kind: CiliumNetworkPolicy
@@ -25,15 +25,25 @@ index 0000000..d3ce4f6
 +  egress:
 +    - toEntities:
 +        - kube-apiserver
-+        - cluster
++    - toEndpoints:
++        - matchLabels:
++            k8s:io.kubernetes.pod.namespace: default
++            k8s:k8s-app: kubernetes
++      toPorts:
++        - ports:
++            - port: "443"
++              protocol: TCP
++    - toEndpoints:
++        - matchLabels:
++            k8s:component: kube-apiserver
++            k8s:tier: control-plane
 +    - toEndpoints:
 +        - matchLabels:
 +            k8s:io.kubernetes.pod.namespace: kube-system
-+            k8s-app: kube-dns
++            k8s:k8s-app: kube-dns
 +      toPorts:
 +        - ports:
 +            - port: "53"
 +              protocol: UDP
 +            - port: "53"
 +              protocol: TCP
-\ No newline at end of file
diff --git a/diffs/helm__envoy-gateway__templates__certgen-netpol.yaml.patch b/diffs/helm__envoy-gateway__templates__certgen-netpol.yaml.patch
@@ -1,9 +1,9 @@
 diff --git a/helm/envoy-gateway/templates/certgen-netpol.yaml b/helm/envoy-gateway/templates/certgen-netpol.yaml
 new file mode 100644
-index 0000000..54ec43e
+index 0000000..0e9f09a
 --- /dev/null
 +++ b/helm/envoy-gateway/templates/certgen-netpol.yaml
-@@ -0,0 +1,37 @@
+@@ -0,0 +1,44 @@
 +---
 +apiVersion: networking.k8s.io/v1
 +kind: NetworkPolicy
@@ -30,7 +30,14 @@ index 0000000..54ec43e
 +        - namespaceSelector: {}
 +          podSelector:
 +            matchLabels:
-+              k8s-app: kube-apiserver
++              component: kube-apiserver
++              tier: control-plane
++    - to:
++        - ipBlock:
++            cidr: 172.31.0.1/32
++      ports:
++        - port: 443
++          protocol: TCP
 +    - ports:
 +        - port: 53
 +          protocol: UDP

diff --git a/helm/envoy-gateway/templates/certgen-cnp.yaml b/helm/envoy-gateway/templates/certgen-cnp.yaml
@@ -19,14 +19,25 @@ spec:
   egress:
     - toEntities:
         - kube-apiserver
-        - cluster
+    - toEndpoints:
+        - matchLabels:
+            k8s:io.kubernetes.pod.namespace: default
+            k8s:k8s-app: kubernetes
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: TCP
+    - toEndpoints:
+        - matchLabels:
+            k8s:component: kube-apiserver
+            k8s:tier: control-plane
     - toEndpoints:
         - matchLabels:
             k8s:io.kubernetes.pod.namespace: kube-system
-            k8s-app: kube-dns
+            k8s:k8s-app: kube-dns
       toPorts:
         - ports:
             - port: "53"
               protocol: UDP
             - port: "53"
-              protocol: TCP
+              protocol: TCP
diff --git a/helm/envoy-gateway/templates/certgen-netpol.yaml b/helm/envoy-gateway/templates/certgen-netpol.yaml
@@ -24,7 +24,14 @@ spec:
         - namespaceSelector: {}
           podSelector:
             matchLabels:
-              k8s-app: kube-apiserver
+              component: kube-apiserver
+              tier: control-plane
+    - to:
+        - ipBlock:
+            cidr: 172.31.0.1/32
+      ports:
+        - port: 443
+          protocol: TCP
     - ports:
         - port: 53
           protocol: UDP

diff --git a/sync/patches/network-policies/000-network-policies.patch b/sync/patches/network-policies/000-network-policies.patch
@@ -1,9 +1,9 @@
 diff --git a/helm/envoy-gateway/templates/certgen-cnp.yaml b/helm/envoy-gateway/templates/certgen-cnp.yaml
 new file mode 100644
-index 0000000..d3ce4f6
+index 0000000..2af4f5c
 --- /dev/null
 +++ b/helm/envoy-gateway/templates/certgen-cnp.yaml
-@@ -0,0 +1,32 @@
+@@ -0,0 +1,43 @@
 +---
 +apiVersion: "cilium.io/v2"
 +kind: CiliumNetworkPolicy
@@ -25,24 +25,34 @@ index 0000000..d3ce4f6
 +  egress:
 +    - toEntities:
 +        - kube-apiserver
-+        - cluster
++    - toEndpoints:
++        - matchLabels:
++            k8s:io.kubernetes.pod.namespace: default
++            k8s:k8s-app: kubernetes
++      toPorts:
++        - ports:
++            - port: "443"
++              protocol: TCP
++    - toEndpoints:
++        - matchLabels:
++            k8s:component: kube-apiserver
++            k8s:tier: control-plane
 +    - toEndpoints:
 +        - matchLabels:
 +            k8s:io.kubernetes.pod.namespace: kube-system
-+            k8s-app: kube-dns
++            k8s:k8s-app: kube-dns
 +      toPorts:
 +        - ports:
 +            - port: "53"
 +              protocol: UDP
 +            - port: "53"
 +              protocol: TCP
-\ No newline at end of file
 diff --git a/helm/envoy-gateway/templates/certgen-netpol.yaml b/helm/envoy-gateway/templates/certgen-netpol.yaml
 new file mode 100644
-index 0000000..54ec43e
+index 0000000..0e9f09a
 --- /dev/null
 +++ b/helm/envoy-gateway/templates/certgen-netpol.yaml
-@@ -0,0 +1,37 @@
+@@ -0,0 +1,44 @@
 +---
 +apiVersion: networking.k8s.io/v1
 +kind: NetworkPolicy
@@ -69,7 +79,14 @@ index 0000000..54ec43e
 +        - namespaceSelector: {}
 +          podSelector:
 +            matchLabels:
-+              k8s-app: kube-apiserver
++              component: kube-apiserver
++              tier: control-plane
++    - to:
++        - ipBlock:
++            cidr: 172.31.0.1/32
++      ports:
++        - port: 443
++          protocol: TCP
 +    - ports:
 +        - port: 53
 +          protocol: UDP