From 2644d2b50c7e015ffd873b283c68257df60f4b58 Mon Sep 17 00:00:00 2001
From: Sebastian Eriksson
Date: Sun, 19 Jan 2025 19:16:06 +0100
Subject: [PATCH] network policies

---
 config/nginx.conf | 9 ---------
 .../external-controller.yaml | 0
 .../internal-controller.yaml | 0
 controllers/kustomization.yaml | 6 ++++++
 kustomization.yaml | 4 ++--
 policies/external-policy.yaml | 13 ++++++++++++
 policies/internal-policy.yaml | 20 +++++++++++++++++++
 policies/kustomization.yaml | 6 ++++++
 8 files changed, 47 insertions(+), 11 deletions(-)
 rename external-controller.yaml => controllers/external-controller.yaml (100%)
 rename internal-controller.yaml => controllers/internal-controller.yaml (100%)
 create mode 100644 controllers/kustomization.yaml
 create mode 100644 policies/external-policy.yaml
 create mode 100644 policies/internal-policy.yaml
 create mode 100644 policies/kustomization.yaml

diff --git a/config/nginx.conf b/config/nginx.conf
index 518ef3d..b1b46f4 100644
--- a/config/nginx.conf
+++ b/config/nginx.conf
@@ -36,15 +36,6 @@ http {
         listen 80;
         server_name ~^(?.+)\.dev\.mrcynic\.site$;
-        # Inform NGINX how to read the client IP from X-Forwarded-For
-        real_ip_header X-Forwarded-For;
-        set_real_ip_from 192.168.0.1;
-        real_ip_recursive on;
-
-        # Block if not LAN (192.168.0.0/24). You can expand or tighten this as needed.
-        allow 192.168.0.0/24;
-        deny all;
-
         location / {
             proxy_pass http://internal_ingress;
             proxy_set_header Host $host;
diff --git a/external-controller.yaml b/controllers/external-controller.yaml
similarity index 100%
rename from external-controller.yaml
rename to controllers/external-controller.yaml
diff --git a/internal-controller.yaml b/controllers/internal-controller.yaml
similarity index 100%
rename from internal-controller.yaml
rename to controllers/internal-controller.yaml
diff --git a/controllers/kustomization.yaml b/controllers/kustomization.yaml
new file mode 100644
index 0000000..ec227bb
--- /dev/null
+++ b/controllers/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - external-controller.yaml
+  - internal-controller.yaml
diff --git a/kustomization.yaml b/kustomization.yaml
index 71b7118..9886d5d 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -4,11 +4,11 @@ kind: Kustomization
 namespace: ingress-nginx
 resources:
-  - external-controller.yaml
-  - internal-controller.yaml
   - namespace.yaml
   - services.yaml
   - proxy.yaml
+  - policies
+  - controllers
 configMapGenerator:
   - name: proxy-config
diff --git a/policies/external-policy.yaml b/policies/external-policy.yaml
new file mode 100644
index 0000000..b98856e
--- /dev/null
+++ b/policies/external-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-ingress-nginx-external
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: nginx-external
+  policyTypes:
+    - Ingress
+  ingress:
+    - {}
diff --git a/policies/internal-policy.yaml b/policies/internal-policy.yaml
new file mode 100644
index 0000000..c1cc333
--- /dev/null
+++ b/policies/internal-policy.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: restrict-ingress-nginx-internal
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: nginx-internal
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - ipBlock:
+            cidr: 192.168.0.0/16
+      ports:
+        - protocol: TCP
+          port: 80
+        - protocol: TCP
+          port: 443
diff --git a/policies/kustomization.yaml b/policies/kustomization.yaml
new file mode 100644
index 0000000..4f51d2d
--- /dev/null
+++ b/policies/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - external-policy.yaml
+  - internal-policy.yaml
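Review bot: The `- {}` rule under `ingress:` in external-policy.yaml admits every source on every port of the nginx-external pods, not only the HTTP listeners; if this policy exists to carve the external controller out of a namespace default-deny, it also exposes whatever other ports the controller pod serves (metrics, admission webhook, if enabled) to any peer the CNI can route. Replacing the empty rule with a port-scoped one keeps the "from anywhere" intent while closing the rest; the port numbers below assume the controller container listens on 80/443 and should be checked against the controller manifest, which this patch only renames. The podSelector likewise assumes the controller pods carry `app.kubernetes.io/name: nginx-external`; that label is not visible in the diff, and a selector that matches no pod silently applies no policy, so it is worth confirming with `kubectl get pods -n ingress-nginx --show-labels`.
```yaml
  ingress:
    - ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
```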
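Review bot: The `ipBlock` rule at `cidr: 192.168.0.0/16` in internal-policy.yaml is matched against the L3 source address the CNI sees, which is not the client address the removed nginx `allow 192.168.0.0/24` checked via X-Forwarded-For: a request entering through a Service with externalTrafficPolicy Cluster arrives SNATed to a node IP, and an in-cluster caller such as the proxy whose config `proxy_pass`es to `internal_ingress` arrives from a pod IP. Whether those addresses fall inside the /16 depends on node and pod CIDRs this patch does not show; Calico's default pod CIDR is 192.168.0.0/16, in which case the rule would admit every pod in the cluster, and if the pod CIDR lies elsewhere it would instead cut off the proxy. I would keep `ipBlock` for LAN clients, tightened to `cidr: 192.168.0.0/24` if that is still the intended LAN as the deleted nginx comment says, add a second `from:` entry with a `podSelector` (or `namespaceSelector`) matching the proxy pods, and put a comment above each entry naming the traffic path it is for. The `port: 80` and `port: 443` values also have to match the nginx-internal container ports, and none of this is enforced unless the cluster's CNI implements NetworkPolicy, so a quick connectivity check from a pod outside the allowed range is worth adding to the rollout.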