do not mix ingress and egress network policiies

angelnu · angelnu · commit cedbdb8da648 · 2024-02-29T18:05:13.000Z
diff --git a/base/namespaces/authentik.yaml b/base/namespaces/authentik.yaml
@@ -9,7 +9,7 @@ metadata:
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  name: default
+  name: default-ingress
   namespace: authentik
 spec:
   podSelector: {}
@@ -56,11 +56,22 @@ spec:
     - protocol: TCP
       port: 6636
       endPort: 6636
+  policyTypes:
+  - Ingress
+
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: default-egress
+  namespace: authentik
+spec:
+  podSelector: {}
   egress:
   - to:
     # Allow all egress
     - ipBlock:
         cidr: "0.0.0.0/0"
+
   policyTypes:
-    - Ingress
-    - Egress
+  - Egress
diff --git a/base/namespaces/ceph-rbd.yaml b/base/namespaces/ceph-rbd.yaml
@@ -7,7 +7,7 @@ metadata:
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  name: default
+  name: default-ingress
   namespace: ceph-rbd
 spec:
   podSelector: {}
@@ -16,6 +16,17 @@ spec:
     # Only allow ingress from K8S (admission controller)
     - ipBlock:
         cidr: "10.0.0.0/8"
+  policyTypes:
+  - Ingress
+
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: default-egress
+  namespace: ceph-rbd
+spec:
+  podSelector: {}
   egress:
   - to:
     # Only allow egress to K8S and local lan
@@ -24,5 +35,4 @@ spec:
     - ipBlock:
         cidr: "192.168.0.0/16"
   policyTypes:
-    - Ingress
-    - Egress
+  - Egress
diff --git a/base/namespaces/ceph.yaml b/base/namespaces/ceph.yaml
@@ -7,7 +7,7 @@ metadata:
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  name: default
+  name: default-ingress
   namespace: ceph
 spec:
   podSelector: {}
@@ -16,6 +16,17 @@ spec:
     # Only allow ingress from K8S (admission controller)
     - ipBlock:
         cidr: "10.0.0.0/8"
+  policyTypes:
+  - Ingress
+
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: default-egress
+  namespace: ceph
+spec:
+  podSelector: {}
   egress:
   - to:
     # Only allow egress to K8S and local lan
@@ -24,6 +35,5 @@ spec:
     - ipBlock:
         cidr: "192.168.0.0/16"
   policyTypes:
-    - Ingress
-    - Egress
+  - Egress
 
diff --git a/base/namespaces/cert-manager.yaml b/base/namespaces/cert-manager.yaml
@@ -7,7 +7,7 @@ metadata:
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  name: default
+  name: default-ingress
   namespace: cert-manager
 spec:
   podSelector: {}
@@ -16,11 +16,21 @@ spec:
     # Only allow ingress from K8S (admission controller)
     - ipBlock:
         cidr: "10.0.0.0/8"
+  policyTypes:
+  - Ingress
+
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: default-egress
+  namespace: cert-manager
+spec:
+  podSelector: {}
   egress:
   - to:
     # Allow all egress (lets encrypt)
     - ipBlock:
         cidr: "0.0.0.0/0"
   policyTypes:
-    - Ingress
-    - Egress
+  - Egress
diff --git a/base/namespaces/default.yaml b/base/namespaces/default.yaml
@@ -7,7 +7,7 @@
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  name: default
+  name: default-ingress
   namespace: default
 spec:
   podSelector: {}
@@ -47,12 +47,22 @@ spec:
     - protocol: UDP
       port: 1700 
       endPort: 1700
+  policyTypes:
+  - Ingress
+
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: default-egress
+  namespace: default
+spec:
+  podSelector: {}
   egress:
   - to:
     # Allow all egress
     - ipBlock:
         cidr: "0.0.0.0/0"
-  policyTypes:
-    - Ingress
-    - Egress
 
+  policyTypes:
+  - Egress
diff --git a/base/namespaces/kube-system.yaml b/base/namespaces/kube-system.yaml
@@ -7,7 +7,7 @@
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  name: default
+  name: default-ingress
   namespace: kube-system
 spec:
   podSelector: {}
@@ -16,12 +16,21 @@ spec:
     # Only allow ingress from K8S (DNS server)
     - ipBlock:
         cidr: "10.0.0.0/8"
+  policyTypes:
+  - Ingress
+
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: default-egress
+  namespace: kube-system
+spec:
+  podSelector: {}
   egress:
   - to:
     # Allow all egress (multus has to pull CNI plugins, DNS server)
     - ipBlock:
         cidr: "0.0.0.0/0"
   policyTypes:
-    - Ingress
-    - Egress
-
+  - Egress
diff --git a/base/namespaces/kubernetes-dashboard.yaml b/base/namespaces/kubernetes-dashboard.yaml
@@ -4,11 +4,10 @@ metadata:
   name: kubernetes-dashboard
 
 ---
-
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  name: default
+  name: default-ingress
   namespace: kubernetes-dashboard
 spec:
   podSelector: {}
@@ -18,6 +17,17 @@ spec:
     - namespaceSelector:
         matchLabels:
           kubernetes.io/metadata.name: nginx
+  policyTypes:
+  - Ingress
+
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: default-egress
+  namespace: kubernetes-dashboard
+spec:
+  podSelector: {}
   egress:
   - to:
     # Only allow egress to K8S and local network
@@ -26,5 +36,4 @@ spec:
     - ipBlock:
         cidr: "192.0.0.0/8"
   policyTypes:
-    - Ingress
-    - Egress
+  - Egress
diff --git a/base/namespaces/maddy.yaml b/base/namespaces/maddy.yaml
@@ -6,11 +6,10 @@ metadata:
     cert-manager: CLUSTER_DOMAIN_CERT
 
 ---
-
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  name: default
+  name: default-ingress
   namespace: maddy
 spec:
   podSelector: {}
@@ -58,11 +57,21 @@ spec:
     - protocol: TCP
       port: 465
       endPort: 465
+  policyTypes:
+  - Ingress
+
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: default-egress
+  namespace: maddy
+spec:
+  podSelector: {}
   egress:
   - to:
     # allow outbound email
     - ipBlock:
         cidr: "0.0.0.0/0"
   policyTypes:
-    - Ingress
-    - Egress
+  - Egress
diff --git a/base/namespaces/monitoring.yaml b/base/namespaces/monitoring.yaml
@@ -7,7 +7,19 @@ metadata:
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  name: default
+  name: default-ingress
+  namespace: monitoring
+spec:
+  podSelector: {}
+  ingress: []
+  policyTypes:
+  - Ingress
+
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: default-egress
   namespace: monitoring
 spec:
   podSelector: {}
@@ -17,6 +29,4 @@ spec:
     - ipBlock:
         cidr: "10.0.0.0/8"
   policyTypes:
-    - Ingress
-    - Egress
-
+  - Egress
diff --git a/base/namespaces/nginx.yaml b/base/namespaces/nginx.yaml
@@ -7,7 +7,7 @@ metadata:
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  name: default
+  name: default-ingress
   namespace: nginx
 spec:
   podSelector: {}
@@ -16,11 +16,21 @@ spec:
     # Allow all ingress (K8S ingress)
     - ipBlock:
         cidr: "0.0.0.0/0"
+  policyTypes:
+  - Ingress
+
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: default-egress
+  namespace: nginx
+spec:
+  podSelector: {}
   egress:
   - to:
     # Allow egress to Internet (oauth)
     - ipBlock:
         cidr: "0.0.0.0/0"
   policyTypes:
-    - Ingress
-    - Egress
+  - Egress
diff --git a/base/namespaces/postgres.yaml b/base/namespaces/postgres.yaml
@@ -7,7 +7,7 @@ metadata:
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  name: default
+  name: default-ingress
   namespace: postgres
 spec:
   podSelector: {}
@@ -20,11 +20,21 @@ spec:
     - namespaceSelector:
         matchLabels:
           kubernetes.io/metadata.name: postgres
+  policyTypes:
+  - Ingress
+
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: default-egress
+  namespace: postgres
+spec:
+  podSelector: {}
   egress:
   - to:
     # Only allow egress to K8S
     - ipBlock:
         cidr: "10.0.0.0/0"
   policyTypes:
-    - Ingress
-    - Egress
+  - Egress
diff --git a/base/namespaces/rook-ceph.yaml b/base/namespaces/rook-ceph.yaml
