Commits · 57917e9239dc38656887f2fc025b3e62081d831e · Shivering-Isles / Infrastructure GitOps

Nov 29, 2023
- chore(deps): update helm release oauth2-proxy to v6.20.0 · 57917e92
  Botaniker (Bot) authored 1 year ago
  
  57917e92
Nov 18, 2023
- fix(shared): temporarily allow apiserver access using hardcoded ranges · 1dda7b6d
  Sheogorath authored 1 year ago
  
  1dda7b6d
- chore(deps): update helm release oauth2-proxy to v6.19.1 · 18d192a9
  Botaniker (Bot) authored 1 year ago
  
  18d192a9
Nov 17, 2023
- fix(shared): Add missing access to kube-apiserver · 6c07e06d
  Sheogorath authored 1 year ago
  
  6c07e06d
Nov 14, 2023
- chore(deps): update helm release oauth2-proxy to v6.19.0 · af3d5ce7
  Botaniker (Bot) authored 1 year ago
  
  af3d5ce7
Nov 08, 2023
- chore(deps): update helm release oauth2-proxy to v6.18.1 · 2d1b7ff8
  Botaniker (Bot) authored 1 year ago
  
  2d1b7ff8
Nov 06, 2023
- feat(shared): Fix broken policy definiton · e2fb1ce5
  Sheogorath authored 1 year ago
  
  e2fb1ce5
Nov 05, 2023
- fix(shared): Use proper egress network policy schema · c952b2dc
  Sheogorath authored 1 year ago
  
  c952b2dc
- fix(shared): Use NAS IP directly · 563c61a5
  Sheogorath authored 1 year ago
  
  563c61a5
- feat(shared): Add egress network policy for postgres operator · da3b1f25
  Sheogorath authored 1 year ago
  
  da3b1f25
Oct 31, 2023
- feat(shared): Add explicit access to ingress controller · befd013b
  Sheogorath authored 1 year ago
  
  befd013b
- feat(mastodon): Restrict outgoing network traffic for Mastodon · 0024e0ae
  Sheogorath authored 1 year ago
  
  0024e0ae
Oct 20, 2023
- fix(shared): Adjust mailbox.org network policy to allow mail protocols · 900db86a
  Sheogorath authored 1 year ago
  
  900db86a
Oct 18, 2023
- chore(deps): update helm release oauth2-proxy to v6.18.0 · a8db68e6
  Botaniker (Bot) authored 1 year ago
  
  a8db68e6
Sep 26, 2023
- feat(oauth2-proxy): Add trusted IPs for reverse-proxy · b404d3ca
  Sheogorath authored 1 year ago
  
  b404d3ca
- fix(oauth2-proxy): Adjust oauth-proxy to use correct group claim · af7bf965
  Sheogorath authored 1 year ago
  
  af7bf965
Sep 25, 2023
- chore(deps): update helm release oauth2-proxy to v6.17.1 · 4643e92d
  Botaniker (Bot) authored 1 year ago
  
  4643e92d
Sep 16, 2023

feat(oauth2-proxy): Switch to topologySpreadConstraints · 238da3c2

Sheogorath authored 1 year ago

This patch adjusts the central oauth2-proxy resource to use
`topologySpreadConstraints` instead of using `podAntiAffinity`. This
helps with reducing the risk of Pending Pods e.g. during updates when
also a pod config is adjusted.

238da3c2

Sep 15, 2023
- feat(oauth2-proxy): First experiment with abstracting to shared module · 3013dee3
  Sheogorath authored 1 year ago
  
  3013dee3
Sep 14, 2023
- fix(shared): Increase default resource quota to 16Gi and 4 CPUs · 7c83a38e
  Sheogorath authored 1 year ago
  
  7c83a38e
Sep 13, 2023

feat(goharbor): Add "external", operator-managed redis cluster · a165d304

Sheogorath authored 1 year ago

This patch should make redis HA, which should eliminate another SPOF for
goharbor. This is the first usage for the new redis operator.

a165d304

Jul 21, 2023
- feat(uptime-kuma): Add SMTP support · c5f80c48
  Sheogorath authored 1 year ago
  
  c5f80c48
Feb 21, 2023
- fix(cert-manager): Fix shared network-policy names · b12dc664
  Sheogorath authored 2 years ago
  
  b12dc664
- fix(cert-manager): Add missing kube-dns to http-challenge egress · e3630542
  Sheogorath authored 2 years ago
  
  e3630542
- fix(uptime-kuma): Add network policy for HTTP challenge · e435f0f6
  Sheogorath authored 2 years ago
  
  e435f0f6
Nov 21, 2022

feat(shields): Initial shields deployment · 685c17c5

Sheogorath authored 2 years ago

This patch provides an initial version of shields for the
cluster, deploying shields in a fairly locked down setup. This
includes blocking all ingress and egress traffic except of the
ingress controller, monitoring and outgoing web traffic to the
public internet.

As part of this some new shared network policies are created,
added and renamed. These aim to improve the namespace isolation
and provisioning of controlled network access.

685c17c5

Sep 18, 2022
- fix(shared): Add podselector to network policy · f754ffb1
  Sheogorath authored 2 years ago
  
  f754ffb1
Sep 17, 2022

feat(metallb): Add policy to allow webhook access · c22ffdca

Sheogorath authored 2 years ago

This patch provides a new shared-config that can be used to allow access
from kube-system and uses this NetworkPolicy to allow access to the new
metallb AdmissionWebhook.

c22ffdca

May 10, 2022
- feat(shared): Add deny-by-default policy · 5f22d7d0
  Sheogorath authored 2 years ago
  
  Add a very basic, shared policy to prevent ingress traffic for a namespace.
  5f22d7d0
Apr 24, 2022

feat(shared): Allow patroni monitoring · 6c8239d5
Sheogorath authored 2 years ago

6c8239d5

feat(shared): Add monitoring rule for database network policy · 55cd2fd6

Sheogorath authored 2 years ago

This patch allows to monitor Postgresql Instances by allowing the
monitoring namespace to access a exporter container port by default for
spilo instances.

55cd2fd6

fix(shared): Reduce scope for database network policy · 68c6b828

Sheogorath authored 2 years ago

This patch reduces the network acess from the database mangeement
namespace to postgres-operator only. (Technically speaking there isn't
anything else running in that namespace, but it helps to keep things
tight in case of future expansions.)

68c6b828

fix(shared): Reduce scope for monitoring NetworkPolicy · 14710202
Sheogorath authored 2 years ago
```
This patch reduces the network access from the monitoring namespaces to
only prometheus.
```
14710202

Apr 03, 2022

fix(shared): Increase overall CPU limits · 8e717cba

Sheogorath authored 2 years ago

This patch should help to better scale software on the cluster, CPU
limits are not that big of a problem.

8e717cba

Mar 27, 2022
- feat(goharbor): Deploy namespace resource quota · 25a6c7d0
  Sheogorath authored 2 years ago
  
  25a6c7d0
Feb 04, 2022

fix(shared): Fix name of "allow-from-all-namespaces" networkpolicy · 132f2c88
Sheogorath authored 3 years ago

132f2c88

fix(kube-system): Add non-blocking network policy · 52f276d7

Sheogorath authored 3 years ago

Since kube-system is a bit delicate when it comes to blocking, this
intial network policy tries to not block anything in order to keep
everything working. This might be the solution to the
globalnetworkpolicy issue.

52f276d7

Feb 02, 2022
- fix(shared): Fix completely malformed YAML · c25e8639
  Sheogorath authored 3 years ago
  
  c25e8639
- fix(monitoring): Add basic network policy · 47b16f32
  Sheogorath authored 3 years ago
  
  47b16f32
- fix(goharbor): Fix broken monitoring · 2bdace92
  Sheogorath authored 3 years ago
  
  This patch adds a new network policy to allow traffic from the monitoring namespace to access the exporter endpoints. Since it's not using allow right now, prometheus reports target down.
  2bdace92