Verified Commit 587dc679 authored by Sheogorath's avatar Sheogorath :european_castle:

feat(iot): Add component for restricting network traffic to local network

This patch introduces a new Kustomize component that restricts every
Ingress resource to a predefined allow-list of source IP ranges (unless
the Ingress opts out via annotation). This removes the duplication of the
same rule set across ingress objects.
parent 7a057040
Tags 36.27.0
......@@ -12,3 +12,4 @@ resources:
components:
- ../../../shared/components/oauth2-proxy
- ../../../shared/components/ingress-local-only
......@@ -73,11 +73,6 @@ metadata:
forecastle.stakater.com/appName: Rainer
forecastle.stakater.com/icon: https://raw.githubusercontent.com/Hypfer/Valetudo/master/assets/logo/valetudo_logo_small.svg
forecastle.stakater.com/group: IoT
forecastle.stakater.com/network-restricted: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:jKiHDoG05AspEOjtaHqDMJSR7JJWWxtIdg==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:u3D0MZQR/yVynTH1cu4KwQ==,type:str]
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
spec:
rules:
- host: ENC[AES256_GCM,data:3G7+SR2q+HdMPliQoNGpSh58WMyV59+S1L/mP8qdF80=,iv:zH6hLjLhtaCL95lxSSGJVMr+QyDHEhvb1FlBU/lbRys=,tag:svh+JpKtlULUll8uvvxCtg==,type:str]
......@@ -67,6 +67,8 @@ metadata:
labels:
app.kubernetes.io/name: shelly-ht-monitor
annotations:
oauth2-proxy.kustomize.si-infra.de/exclude-ingress: "true"
ingress-local-only.kustomize.si-infra.de/exclude-ingress: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.30.0/24,192.168.100.0/25
spec:
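Review bot: The two exclude annotations opt this Ingress out of both the oauth2-proxy and the ingress-local-only components, so the only access control left on it is its own narrower `whitelist-source-range` of 192.168.30.0/24,192.168.100.0/25, while `ssl-redirect: "false"` additionally keeps plain HTTP reachable. That looks deliberate for sensors that presumably cannot do OAuth or TLS, but nothing in the manifest says so, and a later cleanup could easily drop the excludes to "re-enable" the components. A comment above the annotations would pin the intent: `# Intentionally excluded from oauth2-proxy and ingress-local-only: the devices push data without auth, so access is limited to the two IoT subnets below instead.` The enclosing Ingress starts and ends outside this hunk.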
......@@ -72,11 +72,6 @@ metadata:
forecastle.stakater.com/expose: "true"
forecastle.stakater.com/appName: Shelly01
forecastle.stakater.com/group: IoT
forecastle.stakater.com/network-restricted: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
spec:
rules:
- host: ENC[AES256_GCM,data:WLRfTaemCevolULjn9I4egrdYXWoIkax7CRYNBUqfL4=,iv:b1ieQDnKhv/f7vh2VCfE6QeBcUOvN9Muejbfx0fKdL4=,tag:Hb+Tvi29/eL/KsLMUX7FEg==,type:str]
......@@ -220,11 +215,6 @@ metadata:
forecastle.stakater.com/expose: "true"
forecastle.stakater.com/appName: Shelly02
forecastle.stakater.com/group: IoT
forecastle.stakater.com/network-restricted: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
spec:
rules:
- host: ENC[AES256_GCM,data:UsrvSRvxxOh916pFlCvXu+c1vf3+7uWn/neX7koz7cA=,iv:LwYhAqCc/lTnzyuf0eWK6DGDM+VDpGkHQ8KQJtyylms=,tag:A7uXbSok1RY3wSQrRO8Pjg==,type:str]
......@@ -368,11 +358,6 @@ metadata:
forecastle.stakater.com/expose: "true"
forecastle.stakater.com/appName: Shelly03
forecastle.stakater.com/group: IoT
forecastle.stakater.com/network-restricted: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
spec:
rules:
- host: ENC[AES256_GCM,data:p/xRNccIALlca8OhT5v0zuGBfmy+756nIe+i45gMt4k=,iv:YGfsPpwpUg09kWGqcumP3A+fXGp8agzJ1QvqHihD1o0=,tag:NRNVo+A1AIrW7bkPT44xPA==,type:str]
......@@ -516,11 +501,6 @@ metadata:
forecastle.stakater.com/expose: "true"
forecastle.stakater.com/appName: Shelly04
forecastle.stakater.com/group: IoT
forecastle.stakater.com/network-restricted: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
spec:
rules:
- host: ENC[AES256_GCM,data:Sn0wxRvKQ9cr5nyCEyBg5oDuh6CmZuuWqY4SVfchilg=,iv:GbPWSO79oy9zDqCE4HkAVvz9Ka2bU/Kobi2GkQmIBlE=,tag:U8JMFrqoU3dXwbNQCLO4pw==,type:str]
......@@ -664,11 +644,6 @@ metadata:
forecastle.stakater.com/expose: "true"
forecastle.stakater.com/appName: Humidity & Temprature 01
forecastle.stakater.com/group: IoT
forecastle.stakater.com/network-restricted: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
spec:
rules:
- host: ENC[AES256_GCM,data:dys6Cxmfwb0PVxULV3qUKlsISkcJ6VKh8ea86A==,iv:KywdcfWqytxLZ+YiudSilQbmVXyw0RtwTxh1Y72ePPQ=,tag:aU8iKSzG5CJhVGS0iNEQuw==,type:str]
......@@ -812,11 +787,6 @@ metadata:
forecastle.stakater.com/expose: "true"
forecastle.stakater.com/appName: Humidity & Temprature 02
forecastle.stakater.com/group: IoT
forecastle.stakater.com/network-restricted: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
spec:
rules:
- host: ENC[AES256_GCM,data:AFaV2uMokW2I/uqaYlz5VWGEIByXuOMZHxLvJw==,iv:RKMMco7G0yWYQ1DJTljRbCix1bIqPi/MhwOA1K79lIA=,tag:WJaAj26+fn7gY6dAVa5pqQ==,type:str]
- op: add
path: /metadata/annotations/nginx.ingress.kubernetes.io~1whitelist-source-range
value: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
- op: add
path: /metadata/annotations/forecastle.stakater.com~1network-restricted
value: "true"
\ No newline at end of file
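Review bot: `whitelist-source-range` filters on the client address the ingress-nginx controller sees, so this allow-list (all three RFC 1918 ranges plus 100.64.0.0/24) is only as strong as the controller's real-IP setup: if the controller sits behind a load balancer or proxy without proxy-protocol/`use-forwarded-headers`, every request arrives from the LB's private address and matches 10.0.0.0/8, and if forwarded headers are trusted from arbitrary hops an external client can spoof one. The 100.64.0.0/24 entry is a /24 carve-out of the CGNAT /10, presumably a VPN/overlay subnet, which someone may later "correct" to /10. Both deserve a comment on the value: `# RFC 1918 + the /24 overlay/VPN subnet (deliberately not the whole CGNAT /10); only effective if ingress-nginx sees the real client IP (proxy-protocol / use-forwarded-headers configured consistently).`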
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
patches:
- path: ingress.yaml
target:
group: networking.k8s.io
version: v1
kind: Ingress
annotationSelector: "ingress-local-only.kustomize.si-infra.de/exclude-ingress!=true"
\ No newline at end of file
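Review bot: The JSON6902 patch referenced here uses `op: add` on `/metadata/annotations/<key>`, and as far as I recall RFC 6902 `add` fails when the parent path is missing, so an Ingress matched by this selector that carries no annotations at all would break the kustomize build rather than silently stay unrestricted; that is fail-closed, but it is worth stating so nobody switches to a strategic merge patch without noticing the trade-off. The selector `exclude-ingress!=true` also matches Ingresses that lack the annotation entirely, which is the intended default-on behaviour. A comment above `patches:` would capture both: `# Default-on: applies to every Ingress unless it sets ingress-local-only.kustomize.si-infra.de/exclude-ingress: "true"; targeted Ingresses must already have a metadata.annotations map.`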