diff --git a/diffs/helm__envoy-gateway__templates__certgen-cnp.yaml.patch b/diffs/helm__envoy-gateway__templates__certgen-cnp.yaml.patch
index b8af07c..9700fad 100644
--- a/diffs/helm__envoy-gateway__templates__certgen-cnp.yaml.patch
+++ b/diffs/helm__envoy-gateway__templates__certgen-cnp.yaml.patch
@@ -1,9 +1,9 @@
diff --git a/helm/envoy-gateway/templates/certgen-cnp.yaml b/helm/envoy-gateway/templates/certgen-cnp.yaml
new file mode 100644
-index 0000000..d3ce4f6
+index 0000000..2af4f5c
--- /dev/null
+++ b/helm/envoy-gateway/templates/certgen-cnp.yaml
-@@ -0,0 +1,32 @@
+@@ -0,0 +1,43 @@
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
@@ -25,15 +25,25 @@ index 0000000..d3ce4f6
+ egress:
+ - toEntities:
+ - kube-apiserver
-+ - cluster
++ - toEndpoints:
++ - matchLabels:
++ k8s:io.kubernetes.pod.namespace: default
++ k8s:k8s-app: kubernetes
++ toPorts:
++ - ports:
++ - port: "443"
++ protocol: TCP
++ - toEndpoints:
++ - matchLabels:
++ k8s:component: kube-apiserver
++ k8s:tier: control-plane
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
-+ k8s-app: kube-dns
++ k8s:k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ - port: "53"
+ protocol: TCP
-\ No newline at end of file
diff --git a/diffs/helm__envoy-gateway__templates__certgen-netpol.yaml.patch b/diffs/helm__envoy-gateway__templates__certgen-netpol.yaml.patch
index d5162a6..e0b911f 100644
--- a/diffs/helm__envoy-gateway__templates__certgen-netpol.yaml.patch
+++ b/diffs/helm__envoy-gateway__templates__certgen-netpol.yaml.patch
@@ -1,9 +1,9 @@
diff --git a/helm/envoy-gateway/templates/certgen-netpol.yaml b/helm/envoy-gateway/templates/certgen-netpol.yaml
new file mode 100644
-index 0000000..54ec43e
+index 0000000..0e9f09a
--- /dev/null
+++ b/helm/envoy-gateway/templates/certgen-netpol.yaml
-@@ -0,0 +1,37 @@
+@@ -0,0 +1,44 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
@@ -30,7 +30,14 @@ index 0000000..54ec43e
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
-+ k8s-app: kube-apiserver
++ component: kube-apiserver
++ tier: control-plane
++ - to:
++ - ipBlock:
++ cidr: 172.31.0.1/32
++ ports:
++ - port: 443
++ protocol: TCP
+ - ports:
+ - port: 53
+ protocol: UDP
diff --git a/helm/envoy-gateway/templates/certgen-cnp.yaml b/helm/envoy-gateway/templates/certgen-cnp.yaml
index d3ce4f6..2af4f5c 100644
--- a/helm/envoy-gateway/templates/certgen-cnp.yaml
+++ b/helm/envoy-gateway/templates/certgen-cnp.yaml
@@ -19,14 +19,25 @@ spec:
egress:
- toEntities:
- kube-apiserver
- - cluster
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: default
+ k8s:k8s-app: kubernetes
+ toPorts:
+ - ports:
+ - port: "443"
+ protocol: TCP
+ - toEndpoints:
+ - matchLabels:
+ k8s:component: kube-apiserver
+ k8s:tier: control-plane
- toEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: kube-system
- k8s-app: kube-dns
+ k8s:k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: UDP
- port: "53"
- protocol: TCP
\ No newline at end of file
+ protocol: TCP
diff --git a/helm/envoy-gateway/templates/certgen-netpol.yaml b/helm/envoy-gateway/templates/certgen-netpol.yaml
index 54ec43e..0e9f09a 100644
--- a/helm/envoy-gateway/templates/certgen-netpol.yaml
+++ b/helm/envoy-gateway/templates/certgen-netpol.yaml
@@ -24,7 +24,14 @@ spec:
- namespaceSelector: {}
podSelector:
matchLabels:
- k8s-app: kube-apiserver
+ component: kube-apiserver
+ tier: control-plane
+ - to:
+ - ipBlock:
+ cidr: 172.31.0.1/32
+ ports:
+ - port: 443
+ protocol: TCP
- ports:
- port: 53
protocol: UDP
diff --git a/sync/patches/network-policies/000-network-policies.patch b/sync/patches/network-policies/000-network-policies.patch
index d82abf0..f809604 100644
--- a/sync/patches/network-policies/000-network-policies.patch
+++ b/sync/patches/network-policies/000-network-policies.patch
@@ -1,9 +1,9 @@
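Review bot: The new `toEndpoints` rule selecting `k8s:component: kube-apiserver` / `k8s:tier: control-plane` carries no namespace label, unlike the two sibling rules in this hunk; in a namespaced CiliumNetworkPolicy a `toEndpoints` selector without `k8s:io.kubernetes.pod.namespace` is scoped to the policy's own namespace, so this rule most likely matches nothing where control-plane pods actually run. Add `k8s:io.kubernetes.pod.namespace: kube-system` next to the two labels. It is also the only new rule without a `toPorts` block, so whatever it does match is reachable on every port; restrict it to the API server's secure port the way the `kubernetes` rule above it restricts to `"443"`. Since `toEntities: kube-apiserver` already names the API server as a Cilium entity, it is worth confirming the two label-based rules are needed at all rather than being dead selectors (control-plane static pods typically use host networking and are not Cilium-managed endpoints).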
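Review bot: The new `ipBlock` rule hard-codes `cidr: 172.31.0.1/32` in a Helm template, which ties the chart to one cluster's addressing; the value looks like a specific environment's `kubernetes` service ClusterIP or API server address and will silently allow nothing elsewhere. Make it a chart value, e.g. `cidr: {{ .Values.certgen.apiServerCIDR | quote }}` inside an `{{- if .Values.certgen.apiServerCIDR }}` guard so the rule is omitted when unset, with a values.yaml comment stating which address it must carry. Also note that many CNIs evaluate egress NetworkPolicy against the post-DNAT destination, so a `/32` on a service ClusterIP may not match traffic that actually lands on the API server's node address; confirm against the CNI in use rather than relying on the `podSelector` rule above it, whose enclosing `- to:` item starts outside this hunk.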
diff --git a/helm/envoy-gateway/templates/certgen-cnp.yaml b/helm/envoy-gateway/templates/certgen-cnp.yaml
new file mode 100644
-index 0000000..d3ce4f6
+index 0000000..2af4f5c
--- /dev/null
+++ b/helm/envoy-gateway/templates/certgen-cnp.yaml
-@@ -0,0 +1,32 @@
+@@ -0,0 +1,43 @@
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
@@ -25,24 +25,34 @@ index 0000000..d3ce4f6
+ egress:
+ - toEntities:
+ - kube-apiserver
-+ - cluster
++ - toEndpoints:
++ - matchLabels:
++ k8s:io.kubernetes.pod.namespace: default
++ k8s:k8s-app: kubernetes
++ toPorts:
++ - ports:
++ - port: "443"
++ protocol: TCP
++ - toEndpoints:
++ - matchLabels:
++ k8s:component: kube-apiserver
++ k8s:tier: control-plane
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
-+ k8s-app: kube-dns
++ k8s:k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ - port: "53"
+ protocol: TCP
-\ No newline at end of file
diff --git a/helm/envoy-gateway/templates/certgen-netpol.yaml b/helm/envoy-gateway/templates/certgen-netpol.yaml
new file mode 100644
-index 0000000..54ec43e
+index 0000000..0e9f09a
--- /dev/null
+++ b/helm/envoy-gateway/templates/certgen-netpol.yaml
-@@ -0,0 +1,37 @@
+@@ -0,0 +1,44 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
@@ -69,7 +79,14 @@ index 0000000..54ec43e
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
-+ k8s-app: kube-apiserver
++ component: kube-apiserver
++ tier: control-plane
++ - to:
++ - ipBlock:
++ cidr: 172.31.0.1/32
++ ports:
++ - port: 443
++ protocol: TCP
+ - ports:
+ - port: 53
+ protocol: UDP