This network policy blocks all outbound communication except to the designated internal services. This helps prevent data exfiltration in the unlikely event that the Firefly III deployment is compromised.
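# Kustomization for the firefly-iii namespace: generates the env ConfigMaps,
# pulls in the shared dch-root-ca bundle, patches the core Deployment to mount
# the CA bundle and the PostgreSQL client certificate, and pins the core image tag.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# Label applied to every rendered resource. Only `pairs` is set, so this
# decorates metadata.labels and does not touch selectors.
labels:
  - pairs:
      app.kubernetes.io/instance: firefly-iii

namespace: firefly-iii

resources:
  - secrets.yaml
  - postgres-cert.yaml
  - redis.yaml
  - firefly-iii.yaml
  - ingress.yaml
  - importer.yaml
  - importer-ingress.yaml
  - ../dch-root-ca
  # Egress-restricting NetworkPolicy: only the designated internal services are
  # reachable from the pods (see commit message).
  - network-policy.yaml

configMapGenerator:
  - name: firefly-iii
    envs:
      - firefly-iii.env
    options:
      # Fixed ConfigMap name. Without the content hash suffix a changed
      # firefly-iii.env does not rename the ConfigMap, so pods are not
      # rolled automatically on env changes — restart the Deployment by hand.
      disableNameSuffixHash: true
  - name: firefly-iii-importer
    envs:
      - firefly-iii-importer.env

# Strategic-merge patch on the core Deployment: prefer amd64 nodes, and mount the
# CA bundle and PostgreSQL client cert read-only. `defaultMode: 0640` inside the
# patch is a YAML 1.1 octal literal (416 decimal), which is what kustomize and the
# API server parse; keep the leading zero — a bare 640 would be decimal and rejected.
patches:
  - patch: |-
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: firefly-iii
      spec:
        template:
          spec:
            affinity:
              nodeAffinity:
                preferredDuringSchedulingIgnoredDuringExecution:
                  - weight: 100
                    preference:
                      matchExpressions:
                        - key: kubernetes.io/arch
                          operator: In
                          values:
                            - amd64
            containers:
              - name: firefly-iii
                volumeMounts:
                  - mountPath: /run/dch-ca
                    name: dch-root-ca
                    readOnly: true
                  - mountPath: /run/secrets/firefly/postgresql
                    name: postgresql-cert
                    readOnly: true
            volumes:
              - name: dch-root-ca
                configMap:
                  name: dch-root-ca
              - name: postgresql-cert
                secret:
                  secretName: postgres-client-cert
                  defaultMode: 0640

# Tag pin for the core image. A tag is mutable upstream; adding a `digest:`
# alongside `newTag` would make the pin immutable.
images:
  - name: docker.io/fireflyiii/core
    newTag: version-6.2.21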