This network policy blocks all outbound traffic from the Firefly III pods except to the designated internal services (other workloads in the Firefly III namespace, cluster DNS, the PostgreSQL server, the SMTP server, dch-webhooks and ntfy); inbound traffic is not restricted by it. This helps limit, though it does not fully prevent, data exfiltration in the unlikely event Firefly were compromised: DNS and SMTP remain reachable and could still carry data out, and the policy is only enforced if the cluster's CNI plugin implements NetworkPolicy.
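---
# Egress-only NetworkPolicy for the Firefly III application pods.
#
# Pods labelled app.kubernetes.io/component: firefly-iii may only send
# traffic to the destinations enumerated under spec.egress; all other
# outbound traffic is denied. Inbound traffic is NOT restricted by this
# object, because policyTypes lists Egress only.
#
# NOTE(review): NetworkPolicy is enforced only when the cluster's CNI plugin
# implements it; on a CNI without policy support the object is accepted by
# the API server but has no effect. Verify enforcement from a test pod.
#
# NOTE(review): no metadata.namespace is set, so the policy lands in whatever
# namespace it is applied to (presumably firefly-iii, which matches the first
# egress rule) — confirm against the deployment tooling.
#
# The namespaceSelector rules rely on the automatically managed
# kubernetes.io/metadata.name namespace label (Kubernetes >= 1.22).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: firefly-iii
  labels:
    app.kubernetes.io/name: firefly-iii
    app.kubernetes.io/component: firefly-iii
spec:
  # Only the Firefly III application pods are subject to this policy.
  podSelector:
    matchLabels:
      app.kubernetes.io/component: firefly-iii
  # Egress only: anything not matched by a rule below is dropped, while
  # inbound traffic is left unrestricted.
  policyTypes:
    - Egress
  egress:
    # Allow access to other components of the Firefly III ecosystem.
    # No podSelector and no ports: every pod in that namespace, every port.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: firefly-iii
    # Allow access to Kubernetes cluster DNS (kube-dns pods only, port 53).
    # NOTE(review): kube-dns forwards queries upstream, so DNS remains a
    # possible low-bandwidth exfiltration channel (DNS tunnelling) from a
    # compromised pod; this rule narrows, but does not close, that path.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # Allow access to the PostgreSQL database server.
    # NOTE(review): a /26 covers 64 addresses, not a single host. If the
    # database lives at one address, a /32 would shrink the set reachable on
    # port 5432 — confirm the actual server address(es) before tightening.
    - to:
        - ipBlock:
            cidr: 172.30.0.0/26
      ports:
        - port: 5432
          protocol: TCP
    # Allow access to SMTP on mail.pyrocufflink.blue.
    # protocol is stated explicitly for consistency with the other rules
    # (the API defaults to TCP when protocol is omitted, so behaviour is
    # unchanged).
    # NOTE(review): outbound mail is itself a data channel; consider whether
    # the mail server limits what this sender may relay and to whom.
    - to:
        - ipBlock:
            cidr: 172.30.0.12/32
      ports:
        - port: 25
          protocol: TCP
    # Allow access to dch-webhooks.
    # TODO(review): no ports are listed, so every port on the selected pods
    # is reachable; restrict to the webhook service port if it is known.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: default
          podSelector:
            matchLabels:
              app.kubernetes.io/name: dch-webhooks
    # Allow access to ntfy.
    # TODO(review): as above — restrict to the ntfy listening port if known.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ntfy
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ntfy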