From 0024e0ae6ca80f37f76f64aefac19caff549752d Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Tue, 31 Oct 2023 18:06:22 +0100
Subject: [PATCH] feat(mastodon): Restrict outgoing network traffic for Mastodon
---
 apps/k8s01/mastodon/kustomization.yaml | 6 +++++
 apps/k8s01/mastodon/networkpolicy.yaml | 9 ++++++++
 .../allow-to-same-namespace.yaml | 22 +++++++++++++++++++
 3 files changed, 37 insertions(+)
 create mode 100644 apps/k8s01/mastodon/networkpolicy.yaml
 create mode 100644 shared/networkpolicies/allow-to-same-namespace.yaml
diff --git a/apps/k8s01/mastodon/kustomization.yaml b/apps/k8s01/mastodon/kustomization.yaml
index 8a51612ed..3942762c3 100644
--- a/apps/k8s01/mastodon/kustomization.yaml
+++ b/apps/k8s01/mastodon/kustomization.yaml
@@ -6,5 +6,11 @@ resources:
 - certificate.yaml
 - mastodon-values.yaml
 - slo.yaml
+ - ../../../shared/networkpolicies/deny-by-default-ingress.yaml
+ - ../../../shared/networkpolicies/deny-by-default-egress.yaml
+ - ../../../shared/networkpolicies/allow-to-same-namespace.yaml
+ - ../../../shared/networkpolicies/allow-to-public-web.yaml
+ - ../../../shared/networkpolicies/allow-to-kubedns.yaml
 patchesStrategicMerge:
 - database-override.yaml
+ - networkpolicy.yaml
diff --git a/apps/k8s01/mastodon/networkpolicy.yaml b/apps/k8s01/mastodon/networkpolicy.yaml
new file mode 100644
index 000000000..a76579f1e
--- /dev/null
+++ b/apps/k8s01/mastodon/networkpolicy.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-to-public-web
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: mastodon
diff --git a/shared/networkpolicies/allow-to-same-namespace.yaml b/shared/networkpolicies/allow-to-same-namespace.yaml
new file mode 100644
index 000000000..94b30d961
--- /dev/null
+++ b/shared/networkpolicies/allow-to-same-namespace.yaml
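Review bot: The shared allow-to-same-namespace.yaml added to this resource list already carries an egress allow to kube-dns in kube-system (visible in the third hunk), so the allow-to-kubedns.yaml entry right below it is presumably redundant; allow-to-kubedns.yaml is not part of this patch, so if it grants the same rule one of the two should go, and if it differs (another port or selector) the overlap deserves a comment next to the entries. A one-line comment above the five new entries would also help the next reader, e.g. `# default-deny in both directions, then explicit allows; networkpolicy.yaml narrows allow-to-public-web to Mastodon pods`. NetworkPolicies are additive, so the order of these entries does not change the resulting allow set.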
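Review bot: This patch file depends on its name `allow-to-public-web` matching the shared resource for the strategic merge, but nothing in the file says so; a header comment such as `# Strategic-merge patch over shared/networkpolicies/allow-to-public-web.yaml: limit outbound web access to Mastodon pods only` would make the intent and the coupling explicit. Under deny-by-default-egress, any Mastodon workload that does not carry `app.kubernetes.io/name: mastodon` (separately labelled Sidekiq or streaming pods, if the chart labels them differently) silently loses outbound web access, so the selector is worth checking against the rendered pod labels — the base policy and the chart are outside this patch. Strategic merge combines maps, so if the shared policy's podSelector already has matchLabels they are merged with this one rather than replaced.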
@@ -0,0 +1,22 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-to-same-namespace
+spec:
+ podSelector: {}
+ egress:
+ - to:
+ - podSelector: {}
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
-- 
GitLab
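Review bot: `policyTypes` is omitted, so Kubernetes defaults it to Ingress plus Egress (Egress because egress rules are present), which makes this shared policy also a deny-all-ingress for every pod in any namespace it is applied to; since the name and purpose are egress-only, add `policyTypes:` / `  - Egress` under `spec:` so the ingress stance stays with deny-by-default-ingress.yaml. The second `to` entry (the namespaceSelector/podSelector block with the port 53 rules) grants cross-namespace egress to kube-dns in kube-system, which neither the name `allow-to-same-namespace` nor any comment announces and which overlaps with the allow-to-kubedns.yaml the kustomization also includes; either drop it here or add `# kube-dns egress so pods can resolve names inside this namespace` above it. The kube-system match relies on the `kubernetes.io/metadata.name` namespace label, which is only present on clusters that apply the default namespace label (Kubernetes 1.21 or newer).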