feat(mastodon): Restrict outgoing network traffic for Mastodon

0024e0ae · Sheogorath · 9ff4d4d3 · 0024e0ae · 0024e0ae · 0024e0ae
Verified Commit 0024e0ae authored 1 year ago by Sheogorath
--- a/apps/k8s01/mastodon/kustomization.yaml
+++ b/apps/k8s01/mastodon/kustomization.yaml
@@ -6,5 +6,11 @@ resources:
  - certificate.yaml
  - mastodon-values.yaml
  - slo.yaml
+  - ../../../shared/networkpolicies/deny-by-default-ingress.yaml
+  - ../../../shared/networkpolicies/deny-by-default-egress.yaml
+  - ../../../shared/networkpolicies/allow-to-same-namespace.yaml
+  - ../../../shared/networkpolicies/allow-to-public-web.yaml
+  - ../../../shared/networkpolicies/allow-to-kubedns.yaml
 patchesStrategicMerge:
  - database-override.yaml
+  - networkpolicy.yaml
--- a/apps/k8s01/mastodon/networkpolicy.yaml
+++ b/apps/k8s01/mastodon/networkpolicy.yaml
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-public-web
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: mastodon
--- a/shared/networkpolicies/allow-to-same-namespace.yaml
+++ b/shared/networkpolicies/allow-to-same-namespace.yaml
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-same-namespace
+spec:
+  podSelector: {}
+  egress:
+    - to:
+      - podSelector: {}
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP