diff --git a/manifests/policy/allow-common-egress.yaml b/manifests/policy/allow-common-egress.yaml
new file mode 100644
index 0000000..6f27bd2
--- /dev/null
+++ b/manifests/policy/allow-common-egress.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-common-egress
+ namespace: ai
+spec:
+ podSelector: {}
+ policyTypes: ["Egress"]
+ egress:
+ # Allow DNS to kube-dns/CoreDNS in kube-system
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ ports:
+ - { protocol: UDP, port: 53 }
+ - { protocol: TCP, port: 53 }
+
+ # Allow PostgreSQL to services/pods in namespace ai on 5432
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ai
+ ports:
+ - { protocol: TCP, port: 5432 }
+
diff --git a/manifests/policy/allow-https-egress.yaml b/manifests/policy/allow-https-egress.yaml
new file mode 100644
index 0000000..db12dd6
--- /dev/null
+++ b/manifests/policy/allow-https-egress.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-https-egress
+ namespace: ai
+spec:
+ podSelector: {}
+ policyTypes: ["Egress"]
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ # exclude RFC1918/private ranges so this only permits Internet egress
+ except:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+ ports:
+ - { protocol: TCP, port: 443 }
+ - { protocol: TCP, port: 80 }
diff --git a/manifests/policy/kustomization.yaml b/manifests/policy/kustomization.yaml
index fda5983..8488249 100644
--- a/manifests/policy/kustomization.yaml
+++ b/manifests/policy/kustomization.yaml
@@ -5,4 +5,5 @@ resources:
 - default-deny.yaml
 - allow-openwebui-ingress.yaml
 - allow-browser-ingress.yaml
-
+ - allow-common-egress.yaml
+ - allow-https-egress.yaml
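Review bot: The PostgreSQL rule's `to` selects every pod in namespace `ai` (the namespaceSelector matches the policy's own namespace and carries no podSelector), and the policy's `podSelector: {}` applies it to every pod, so any pod in `ai` may open 5432 to any other pod in `ai`; if the database runs in this namespace, pin the destination with a `podSelector` on the database pods' label (that label is not visible in this diff) and, if only some workloads need the database, narrow the top-level `podSelector` too. The DNS rule has the same shape: it permits port 53 to any pod in `kube-system`, whereas adding `podSelector: {matchLabels: {k8s-app: kube-dns}}` beside the namespaceSelector in the same `to` entry limits it to the DNS pods (confirm that label on this cluster's CoreDNS deployment). The `kubernetes.io/metadata.name` label is only present on clusters that set the default namespace label (Kubernetes 1.21 and later); a one-line comment such as `# requires the kubernetes.io/metadata.name namespace label (k8s >= 1.21); without it this rule matches no namespace and DNS is blocked` would save the next reader a debugging session.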
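Review bot: The `except` list under `ipBlock` removes only the three RFC1918 blocks, so link-local `169.254.0.0/16` remains reachable on ports 80 and 443; on a cloud-hosted cluster that range holds the instance metadata service (169.254.169.254), which can hand node credentials to any pod in `ai`. Add `- 169.254.0.0/16` to the except list, and `- 100.64.0.0/10` as well if the pod, service or node network uses shared address space (this diff does not show which ranges the cluster uses). Port 80 also permits plaintext HTTP to the whole Internet from a policy named `allow-https-egress`; drop the `port: 80` entry if only TLS egress is needed, or rename the policy and comment why 80 is required. As with the sibling policy, `podSelector: {}` grants this to every pod in the namespace, so consider limiting it to the workloads that actually need outbound Internet access.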