diff --git a/apps/base/shields/kustomization.yaml b/apps/base/shields/kustomization.yaml new file mode 100644 index 0000000000000000000000000000000000000000..53822a38932f169e07c9ef7b60911b44bb3cf82b --- /dev/null +++ b/apps/base/shields/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: shields +resources: + - namespace.yaml + - monitoring.yaml + - ../../../shared/networkpolicies/allow-from-ingress.yaml + - ../../../shared/networkpolicies/allow-from-monitoring.yaml +patchesStrategicMerge: + - networkpolicy.yaml diff --git a/apps/base/shields/namespace.yaml b/apps/base/shields/namespace.yaml new file mode 100644 index 0000000000000000000000000000000000000000..e2e5d8d301aabc96e95a3bc60ab68d88911d70bc --- /dev/null +++ b/apps/base/shields/namespace.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: shields + labels: + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/enforce: baseline + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/audit-version: v1.23 + pod-security.kubernetes.io/enforce-version: v1.23 + pod-security.kubernetes.io/warn-version: v1.23 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: flux-reconciler + namespace: shields +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: flux-reconciler + namespace: shields +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin +subjects: + - kind: ServiceAccount + name: flux-reconciler + namespace: shields diff --git a/apps/base/shields/networkpolicy.yaml b/apps/base/shields/networkpolicy.yaml new file mode 100644 index 0000000000000000000000000000000000000000..bfd39a5bff9809479629dc3237c0c21b5c5d1757 --- /dev/null +++ b/apps/base/shields/networkpolicy.yaml 
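Review bot: The base `resources:` list never includes `shields.yaml`, so the Deployment, Service, ServiceMonitor and PodDisruptionBudget added in this commit are not part of the rendered base, while it does list `monitoring.yaml`, which this commit does not add under apps/base/shields (unless it already exists there, `monitoring.yaml` looks like it was meant to be `shields.yaml`). Suggested fix: `- shields.yaml` in place of, or in addition to, `- monitoring.yaml`. Separately, `patchesStrategicMerge` is deprecated in current kustomize in favour of `patches:` with `path:` entries; the same construct is used in apps/k8s01/shields/kustomization.yaml.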
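Review bot: The Namespace enforces `baseline` while auditing and warning at `restricted`, and the only workload in this commit (shields.yaml) is two fields short of `restricted` (it lacks `capabilities.drop: ["ALL"]` and a `seccompProfile`), so every rollout will emit PSA warnings without blocking anything. Once those container fields are added, `pod-security.kubernetes.io/enforce: restricted` would make the label set consistent and actually reject a regression. If `baseline` is intentional for now, a comment above the labels saying why the enforce level lags the warn level would save the next reader from "fixing" it.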
@@ -0,0 +1,18 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-from-ingress +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: shields +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-from-monitoring +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: shields diff --git a/apps/base/shields/shields.yaml b/apps/base/shields/shields.yaml new file mode 100644 index 0000000000000000000000000000000000000000..580d41a92f442bea108c7e85d1e9bc4a7bf8aa49 --- /dev/null +++ b/apps/base/shields/shields.yaml 
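Review bot: Both documents in this file consist of a name and a `podSelector` only, which is strategic-merge-patch content for the shared `allow-from-ingress` and `allow-from-monitoring` policies, but nothing in the file says so, and the same shape was mistaken for a standalone policy in apps/k8s01/shields (egress-policy.yaml is listed under `resources:`). A one-line header such as `# strategic-merge patch: supplies spec.podSelector for shared/networkpolicies/allow-from-*.yaml; apply via patchesStrategicMerge, not resources` would make the intent explicit. The patch also relies on the shared files using exactly these `metadata.name` values, which this diff does not show.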
@@ -0,0 +1,96 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/name: shields + name: shields + namespace: shields +spec: + replicas: 2 + selector: + matchLabels: + app.kubernetes.io/name: shields + template: + metadata: + labels: + app.kubernetes.io/name: shields + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/name: shields + topologyKey: kubernetes.io/hostname + containers: + - image: docker.io/shieldsio/shields:next + name: shields + resources: + requests: + memory: 128Mi + cpu: 70m + limits: + memory: 256Mi + cpu: 100m + env: + - name: METRICS_PROMETHEUS_ENABLED + value: "true" + - name: METRICS_PROMETHEUS_ENDPOINT_ENABLED + value: "true" + - name: PORT + value: "8080" + ports: + - containerPort: 8080 + name: http + securityContext: + runAsUser: 937 + runAsGroup: 937 + readOnlyRootFilesystem: true + runAsNonRoot: true + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: shields + name: shields + namespace: shields +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/name: shields + type: ClusterIP +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: shields + namespace: shields + labels: + app.kubernetes.io/name: shields +spec: + endpoints: + - path: /metrics + port: http + scheme: http + selector: + matchLabels: + app.kubernetes.io/name: shields +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: shields + namespace: shields + labels: + app.kubernetes.io/name: shields +spec: + minAvailable: 1 + selector: + matchLabels: + app.kubernetes.io/name: shields \ No newline at end of file 
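Review bot: The container runs `docker.io/shieldsio/shields:next`, a floating tag with no `imagePullPolicy`, so the two replicas can drift to different images across nodes and a compromised or broken upstream push is picked up on the next pod restart; pin by digest, e.g. `image: docker.io/shieldsio/shields@sha256:<digest>` (placeholder), or at least a fixed version tag with `imagePullPolicy: Always`. The Deployment has no `readinessProbe`/`livenessProbe`, so with `replicas: 2` and the PDB's `minAvailable: 1` the Service sends traffic to pods that have not finished starting and a hung process is never restarted. The container `securityContext` is close to the `restricted` PSA profile that namespace.yaml warns on but is missing `capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}`; with `readOnlyRootFilesystem: true` also confirm shields does not need a writable temp dir (an `emptyDir` mount if it does). The file also ends without a trailing newline.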
diff --git a/apps/k8s01/shields/certificate.yaml b/apps/k8s01/shields/certificate.yaml new file mode 100644 index 0000000000000000000000000000000000000000..529494eac6542ce5b707a90233d81799f625ab39 --- /dev/null +++ b/apps/k8s01/shields/certificate.yaml 
@@ -0,0 +1,64 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: shields-tls + namespace: shields +spec: + dnsNames: + - ENC[AES256_GCM,data:7f28/ffW5slUxv094Lv7k5ud257I3siDQvnd,iv:/sw9Q6lykDfv8ZJVS36wjSY9zjMsI2oR/56SL8dYI/Q=,tag:ixERn0tc+ru01ptWvtPsZQ==,type:str] + issuerRef: + name: letsencrypt + kind: ClusterIssuer + secretName: ingress-shields-tls +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-11-21T23:24:16Z" + mac: ENC[AES256_GCM,data:1xL3S+gHIgDSiLUpH/CSjLssgjdRbOJWkODjpI4M3r1P4RxKFpG2Mdua6+RJ15n64SThvFPueu57w0pF+wiKZYIqZK8mbPeYgFnluEJxCn99kuU6Zh0/MTGkmtN1i7d7u0xtgXXTsrtTJRmpunv0bhDfvXb1pV8SXQq8KnZG95Q=,iv:6r9d1Fi7r7hnVjmPOGx6jf6JgDOYWBe7AmxOY73bpfw=,tag:QGziqBtRte8NRFHX8cHUBA==,type:str] + pgp: + - created_at: "2022-01-21T18:13:48Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7kpg2bgzVHcAQ//U+q9DXB4HdBgO6bn7G8+MrAvTrfjyrLkuMmtzGIreuf0 + DKUr5P3U+8c3i5zwF7vD6i6qMhfFus//Ix1MHmbOk0H2ZSDzkN6gk6KdPEyKGpG8 + IpiMGu7qdGiR2pQ1UrwA3FDvRttkKADyjx/L+RvYlPZrRWZkWw16OCIdYwBPxfqp + q9uuVd41TZ1LpCRPEVCUH8iY61VLhgAx9JUx7ojX4bc45186u8jySDZMkjv/xXwN + bS6SqgqlD68Wq4dBiJwVbILo98WNMDyGFGia9EO3VfAdXHG4REvWr+uXPf4nDznp + mg1oQcrvc41s/M/Nc5QvWdc4gRDJZaXUwzjsrGtsM67s7zLzYq/diUFcA70mjmjr + cGzHz6FSpV4APuj3aVhxtKQGnxQRRH66O1tFs6MjOsImSXONDHXHeCw4QoYWABHS + 6n2KOojyzmeug/ya8FUTsCyVZ3PDFd+UOxxdtKl3nzBwUocBmRfvWFeBvyo/QOfB + A0pNBL8Q/yA3p2XIKuibiL8OMNuxfiMF3SHei4KMGP2Zk6dKss5N13TBzQ4oYBIq + gqQQjYXSq8b6OkojSHja3OO77qIAzzMD7ztxUwAtq7a0/dZOU1ZXCNczfS0Y7Bun + Ay8ELsdhZ0IQY02RMsMxCy8f0aemEOAAGiZ+LR9LE7QS5lVL86bk8SlKUsLKbfTS + UQE87XjR8vATk5CDPZ357fl4rcrND1TehqrByB5p/TqJVe+9rbvE56AJgK0vEYzp + XKO5Sp201jBInr8WmUWTQ5paFNU9lZwhEpb1fqTvgt55Mw== + =64L4 + -----END PGP MESSAGE----- + fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601 + - created_at: "2022-01-21T18:13:48Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA4oYbIHZIrAPAQ//XcmHPgwByh+6vS7cVnsVCt6HQDk834gW5t3MaKtqFjJW + 
GY0MPkV1eZ+PIBm9oP2SZ8sVcNWzIgbtuzGht0BhsJlssf0rxvVJJSNC+iQ6ZGsD + L+cp5EPmepIFMGVda5OKT18Q5N9RKYT58MTjgzIYGTfIe4rdVddmAZq3KDLG6pV/ + SOTw6Zq5TshE/zyFPu3ndFKCS3twCb1AmPx1YMFLpPFiGYXXemdMtoOlQJE2qdRX + DciGW97ZLrj8WMKQl3zU35N2oQeoCcxYLVrYq0+qGhFujhRYCgOL+O3d4+XmCvEO + ZpZR7KWfrSn7976EDMRqRYxz++mMgD+V6RIJdbw2AmIYwX7HwkTwjwK89H0lh9R5 + kkYhxgKaVsoGTa3NBATuf0au+qHMzlkRjSToaZ+QKCPnwxSoURQgyNAkR1aQ2Pgi + muTu915RrAy7f9A3Jtt8zZSYXPXkSW44YXOCjhHy7ayFh9nQ4zeklfM4eMAU1Ni/ + hKXmN35tlCorstv+i6Zyc+bBkL8an2v4YHWZQ8BKYkqAWRJDalKErbaP+Y/i/Bwf + +PjS+umpm9OkZ5lPTdxhzLxRMOWuGfbhrwAwuNV+jF3iDAGvPBR2EsJ/Ga2aXdqZ + TGeeMKs5sozba2d2fJyPADL/6DyKHS58b9VJt6r368xy7cVOD/UCaYOm01Ygn2vU + ZgEJAhDyxv/+3B3ju7Y1YlyM3WwbVEH6Vq1ZkOCy9uF7r24u5L01zx2QcGufpC1L + +XWTKormP0iD0q8PV7n/PU9F8Feb5bCmJTzIoWfT3+9X8cYwBaGUZqA3fNWJxOAu + vC+njoUTFA== + =5FJc + -----END PGP MESSAGE----- + fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 + encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL)$ + version: 3.7.3 diff --git a/apps/k8s01/shields/egress-policy.yaml b/apps/k8s01/shields/egress-policy.yaml new file mode 100644 index 0000000000000000000000000000000000000000..4d7be916a270a324ce644777f66bc17abe498f9b --- /dev/null +++ b/apps/k8s01/shields/egress-policy.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-to-public-web +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: shields +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-to-kubedns +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: shields \ No newline at end of file diff --git a/apps/k8s01/shields/ingress.yaml b/apps/k8s01/shields/ingress.yaml new file mode 100644 index 0000000000000000000000000000000000000000..34be67e143f2ce5e82a780a4c9be92bc9ca68a8c --- /dev/null +++ b/apps/k8s01/shields/ingress.yaml 
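Review bot: The two NetworkPolicy documents in egress-policy.yaml carry only `metadata.name` and `spec.podSelector`, i.e. the same patch shape as apps/base/shields/networkpolicy.yaml, yet apps/k8s01/shields/kustomization.yaml lists this file under `resources:` rather than `patchesStrategicMerge:`. Built as resources, `allow-to-kubedns` collides with the shared resource of the same name from shared/networkpolicies/allow-to-kubedns.yaml, and neither document opens any egress, so shields pods under `default-deny-egress` would have no DNS or web access. Moving the file under `patchesStrategicMerge:` (or renaming it to the `networkpolicy.yaml` that kustomization already references) gives the shared templates their `podSelector` as intended. A header comment stating that this is a patch file would prevent the same confusion later.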
@@ -0,0 +1,75 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: shields + namespace: shields + labels: + app.kubernetes.io/name: shields +spec: + rules: + - host: ENC[AES256_GCM,data:Ls6Wg25JUEowgV8YTOfGp1daaimJC5yFg8uq,iv:khJiOaFri7CCjdilB7R7FSUanMAwAP7X9ETn5XXi2ZA=,tag:cSPvZNtTkMX4jXuXXbIaEw==,type:str] + http: + paths: + - backend: + service: + name: shields + port: + name: http + path: / + pathType: Prefix + tls: + - hosts: + - ENC[AES256_GCM,data:TrW9Zg/zjwIVzqCAeVX72ye5ZEeWgD6mypRH,iv:VTiUhXKSPBy+lH3EpjipQyxYI/+kRPbot9X4xiVft8A=,tag:ZhPJ6DfKnSmWbNnrf1ABHA==,type:str] + secretName: ingress-shields-tls +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-11-21T23:23:18Z" + mac: ENC[AES256_GCM,data:x+8H6dF5IcvYPur32fIXoMUjpd31bRzrSRW3w0q1Af9qcskKjxYGTdy5QgpFXRxs07tdV8ALYha4z3y/QNLAFvxEYYPLOI3Qw9FFIfMIWe1cUVrInO8JpogwIbIMyXg3KYGXREPXhmNn6lxA9NrLqo6cHrNqX6V5ZT9yY4FqreI=,iv:mOQdfZk8joW/vZTzUYrYDfwYihCT136zOJz5n6qBjaE=,tag:8wJdEIaShlgTFpxiWEPA0w==,type:str] + pgp: + - created_at: "2022-11-21T23:23:18Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7kpg2bgzVHcAQ//Qv9uHg5XLGXazE73KPUoH4fqOH9uO85CwtJvizNN8fyR + 7j9BgCfjEze/OTzy9h+Zmd6W9WV47/I61j3tkzkq+UE7mFsSmZrzsWgHcNJ8qg3w + dXezL9GzMv/B/p7DlZjUtwCLHLVcSKFZh01rO0r3q4v8hXpl4UO38gNOoZg1R5rp + KP+eE3JVvBw5QqZaWUS3EGM4Vy3drNmz1vlEYnh6xfd9TaHaNk+xzIgarpUlVKd9 + 38lxwTxZJRjQp3b2CkKJ09RWkxhyJV+YjOcsCsZW4slWlV9RLRqWqHcy3BPAPRN5 + WLBzx57dEENX3Hi1WU2yFfBnN0h3rujv6SBJL77UTgjjUEMJNXkwfk5BuQHVWrMd + yCa5J6oXAAV5ii2UNnfW+UTSlsSpO0QreP6KmzNBGOmb/C6BlV3znYX+jPsDyl7l + 4toIhjSSAFjlSBLa6DZZAiTtEcSPHrELvBmFvQSkoXd4ZcXN16VUGN1bh2REYdzO + H7NNFAToxFT3Z5Y6CU2rCb7kQYtY2JIYzfLRt56HReTDlfNSN+/PFmGHZWq/M8bq + Cjm6sViN3GajWqITgrt9QAUvb8BDg7QlaChN1Z1U2yHtYN6ndPHyisgsNVTE2V+3 + A8iRJE0NDPNs+UpW2+VQS2vh0US0gjdZUIorkcDZ0LFouP7i09H+pyZ+ZBrPym/S + UQFTiGiV4NO5SA/2tbmuoJho91+F8uL+ieOIxkS+yzrene3wj911gnkwsPOmy6/Q + 4YzqYyNKWA60xo/jEPaIVYyBDH+PBJsQ9SyUcHEcukoVlw== + =5/Nx + -----END PGP 
MESSAGE----- + fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601 + - created_at: "2022-11-21T23:23:18Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA4oYbIHZIrAPAQ//WqQj3zETMqQoFyeM00Q6VwIu8aZDwSsEWR07twfLk6is + hlRAWdmOdSiItYxxGgAEbK6DiBmqoyw56EfvJbOfAAF+BXnl+pgV0ozeJdl+LJar + xVfQNwxIaP7LnqbmHXINDln0+0AfckNhXUcjP+HhwCr+aRz/pdiJkHsr7VTLH8nM + bf+Z2nKFhzdTbOjxC3O/yxh9baPBSRAq2fNx2SQk1JPzqBCIsqGkArF3shjtDzKc + MkU4BiRv+8fqX31bZXU00+TBZnMIkZT8OM4Kk4gWDCgVtWO3b+tl2xA4nO389/FP + nRWpeUHZU2BPIstW41FEIv/ID62s6D8WZZ5Ewh7NpLb7Xb29ABKh3wMOxe4lUEMx + b95XjT7jPwwcTNkea4v3nlQRkcsVzn1wr2zwZtr8FX4m8KHMc8OYCZoAS+C0FQbn + te35wyN7CBV3G9Xg+PijI+OxXXZR7wtrwtVMMAF7bNO6ySWOChuLzzkARUIF1SYc + soB5FShuNcwUFB9BnI5QpjOWT1tMiMYlXC7LgMbkh2pMjs8pnFxmjbx8g+WezdVF + eDiKP2rLLWeewA5+wGow2b1jlWpzveZXghFkKPHt0EvpjwFj9yk+f3E8SCqE6BFJ + LvhI41HtckenpQxvHa6I35RrP67ANGOahV4X4zTT8lu50hLOgFE4A3GD0yOlTczU + ZgEJAhATTbyPPq6mLTW9dBlVcO8NYYUdNzWBRVUeISx3A69AU185TUBMVYfJVXSg + 0poGps/+ASmRFsuTDfNd7FXF8feEHzFafEC0uJ0xeZGrgPRyVC+5WH6vdLuqyyKU + iJ9te6Wzmw== + =1rfI + -----END PGP MESSAGE----- + fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 + encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|.*(H|h)osts?|tang|externalURL|.*-secret|.*-url|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey|externalName)$ + version: 3.7.3 diff --git a/apps/k8s01/shields/kustomization.yaml b/apps/k8s01/shields/kustomization.yaml new file mode 100644 index 0000000000000000000000000000000000000000..6db555b8fe37687871e2b4aa6da7bb66e2e82056 --- /dev/null +++ b/apps/k8s01/shields/kustomization.yaml 
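Review bot: The Ingress routes `path: /` with `pathType: Prefix` to the `http` port, and shields.yaml enables the Prometheus endpoint on that same port (`METRICS_PROMETHEUS_ENDPOINT_ENABLED: "true"`, single `containerPort: 8080`), so `/metrics` is reachable from the internet through this Ingress even though the ServiceMonitor scrapes it from inside the cluster. Unless the metrics are meant to be public, block `/metrics` at the ingress controller (a controller-specific path deny or rewrite; the exact mechanism depends on which controller serves this class) or move metrics to a separate port that the Ingress does not reference. The Ingress also sets no `ingressClassName`; if the cluster runs more than one controller, or no default class is marked, the rule is not picked up. The enclosing `rules:`/`tls:` stanzas start on the previous physical line.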
@@ -0,0 +1,15 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: shields +resources: + - ../../base/shields + - ../../../shared/resourcequotas/default.yaml + - egress-policy.yaml + - certificate.yaml + - ingress.yaml + - ../../../shared/networkpolicies/deny-by-default-ingress.yaml + - ../../../shared/networkpolicies/deny-by-default-egress.yaml + - ../../../shared/networkpolicies/allow-to-kubedns.yaml + - ../../../shared/networkpolicies/allow-to-web.yaml +patchesStrategicMerge: + - networkpolicy.yaml \ No newline at end of file diff --git a/infrastructure/drivers/kustomization.yaml b/infrastructure/drivers/kustomization.yaml index 22ea8ec7681e5d33080ac20c9e99070a8453cedb..a38892b4e35be9624708ccc9ebad9d8a8fb9933a 100644 --- a/infrastructure/drivers/kustomization.yaml +++ b/infrastructure/drivers/kustomization.yaml @@ -4,4 +4,4 @@ namespace: drivers-system resources: - namespace.yaml - amd-gpu.yaml - - ../../shared/networkpolicies/deny-by-default.yaml + - ../../shared/networkpolicies/deny-by-default-ingress.yaml diff --git a/shared/networkpolicies/allow-to-kubedns.yaml b/shared/networkpolicies/allow-to-kubedns.yaml new file mode 100644 index 0000000000000000000000000000000000000000..0edb8bfb40c62c1bc7478200b30c6e345feac5f4 --- /dev/null +++ b/shared/networkpolicies/allow-to-kubedns.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-to-kubedns +spec: + egress: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + policyTypes: + - Egress \ No newline at end of file diff --git a/shared/networkpolicies/allow-to-public-web.yaml b/shared/networkpolicies/allow-to-public-web.yaml new file mode 100644 index 0000000000000000000000000000000000000000..7c9277a65c84765dd9a311875a5ab4c0e8f5bbbb --- /dev/null 
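Review bot: `patchesStrategicMerge: - networkpolicy.yaml` names a file that this commit does not add under apps/k8s01/shields, and `resources:` includes `../../../shared/networkpolicies/allow-to-web.yaml` while the shared file added in this commit is `allow-to-public-web.yaml`; unless both already exist in the repository, `kustomize build` fails on this overlay. The policy-patch content that does exist here is `egress-policy.yaml`, currently under `resources:`. Suggested lines: `- ../../../shared/networkpolicies/allow-to-public-web.yaml` in the resource list and `patchesStrategicMerge: - egress-policy.yaml`, dropping `egress-policy.yaml` from `resources:`. The file also ends without a trailing newline.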
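Review bot: `allow-to-kubedns` has no `spec.podSelector`, and the NetworkPolicy API documents that field as not optional, so the file is only valid after an overlay patches a selector in; the same applies to `allow-to-public-web.yaml` on the next line. Nothing in either file records that dependency, and a consumer that lists them under `resources:` without a matching patch gets an apply-time validation error, or, if the selector were defaulted, a policy applying to every pod in the namespace. A header comment such as `# template: the consuming overlay must patch spec.podSelector (strategic merge) before this policy is valid` on both files would make the contract visible. The rule itself (UDP and TCP 53 to `k8s-app: kube-dns` in `kube-system`) is fine.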
+++ b/shared/networkpolicies/allow-to-public-web.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-to-public-web +spec: + egress: + - to: + - ipBlock: + except: + - "192.168.0.0/16" + - "172.16.0.0/12" + - "10.0.0.0/8" + - "169.254.0.0/16" + - "100.64.0.0/10" + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: 80 + - protocol: TCP + port: 443 + policyTypes: + - Egress \ No newline at end of file diff --git a/shared/networkpolicies/deny-by-default-egress.yaml b/shared/networkpolicies/deny-by-default-egress.yaml new file mode 100644 index 0000000000000000000000000000000000000000..a4659e14174dbce0140affa0aff3039f4e58bf4f --- /dev/null +++ b/shared/networkpolicies/deny-by-default-egress.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny-egress +spec: + podSelector: {} + policyTypes: + - Egress diff --git a/shared/networkpolicies/deny-by-default.yaml b/shared/networkpolicies/deny-by-default-ingress.yaml similarity index 100% rename from shared/networkpolicies/deny-by-default.yaml rename to shared/networkpolicies/deny-by-default-ingress.yaml