k3s/scripts/hardened/hardened-k3s-netpol.yaml

---
# Allow all traffic within the kube-system namespace; block all other access
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: intra-namespace
  namespace: kube-system
spec:
  podSelector: {}
  ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            name: kube-system
  policyTypes:
  - Ingress
---
# Allow all traffic within the default namespace; block all other access
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: intra-namespace
  namespace: default
spec:
  podSelector: {}
  ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            name: default
  policyTypes:
  - Ingress
---
# Allow traffic within the kube-public namespace; block all other access
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: intra-namespace
  namespace: kube-public
spec:
  podSelector: {}
  ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            name: kube-public
  policyTypes:
  - Ingress
---
# Allow all access to metrics-server
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-metrics-server
  namespace: kube-system
spec:
  podSelector:
    matchLabels:
      k8s-app: metrics-server
  ingress:
  - {}
  policyTypes:
  - Ingress
---
# Allow all access to coredns DNS ports
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-network-dns-policy
  namespace: kube-system
spec:
  ingress:
  - ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
  podSelector:
    matchLabels:
      k8s-app: kube-dns
  policyTypes:
  - Ingress
---
# Allow all access to the the servicelb traefik HTTP/HTTPS ports
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-svclb-traefik
  namespace: kube-system
spec:
  podSelector:
    matchLabels:
      svccontroller.k3s.cattle.io/svcname: traefik
  ingress:
  - ports:
    - port: 80
      protocol: TCP
    - port: 443
      protocol: TCP
  policyTypes:
  - Ingress
---
# Allow all access to traefik HTTP/HTTPS ports
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-traefik
  namespace: kube-system
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: traefik
  ingress:
  - ports:
    - port: 8000
      protocol: TCP
    - port: 8443
      protocol: TCP
  policyTypes:
  - Ingress
Add hardened cluster test Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2 years ago			`---`
			`# Allow all traffic within the kube-system namespace; block all other access`
			`kind: NetworkPolicy`
			`apiVersion: networking.k8s.io/v1`
			`metadata:`
			`name: intra-namespace`
			`namespace: kube-system`
			`spec:`
			`podSelector: {}`
			`ingress:`
			`- from:`
			`- namespaceSelector:`
			`matchLabels:`
			`name: kube-system`
			`policyTypes:`
			`- Ingress`
			`---`
			`# Allow all traffic within the default namespace; block all other access`
			`kind: NetworkPolicy`
			`apiVersion: networking.k8s.io/v1`
			`metadata:`
			`name: intra-namespace`
			`namespace: default`
			`spec:`
			`podSelector: {}`
			`ingress:`
			`- from:`
			`- namespaceSelector:`
			`matchLabels:`
			`name: default`
			`policyTypes:`
			`- Ingress`
			`---`
			`# Allow traffic within the kube-public namespace; block all other access`
			`kind: NetworkPolicy`
			`apiVersion: networking.k8s.io/v1`
			`metadata:`
			`name: intra-namespace`
			`namespace: kube-public`
			`spec:`
			`podSelector: {}`
			`ingress:`
			`- from:`
			`- namespaceSelector:`
			`matchLabels:`
			`name: kube-public`
			`policyTypes:`
			`- Ingress`
			`---`
			`# Allow all access to metrics-server`
			`apiVersion: networking.k8s.io/v1`
			`kind: NetworkPolicy`
			`metadata:`
			`name: allow-all-metrics-server`
			`namespace: kube-system`
			`spec:`
			`podSelector:`
			`matchLabels:`
			`k8s-app: metrics-server`
			`ingress:`
			`- {}`
			`policyTypes:`
			`- Ingress`
			`---`
			`# Allow all access to coredns DNS ports`
			`apiVersion: networking.k8s.io/v1`
			`kind: NetworkPolicy`
			`metadata:`
			`name: default-network-dns-policy`
			`namespace: kube-system`
			`spec:`
			`ingress:`
			`- ports:`
			`- port: 53`
			`protocol: TCP`
			`- port: 53`
			`protocol: UDP`
			`podSelector:`
			`matchLabels:`
			`k8s-app: kube-dns`
			`policyTypes:`
			`- Ingress`
			`---`
			`# Allow all access to the the servicelb traefik HTTP/HTTPS ports`
			`apiVersion: networking.k8s.io/v1`
			`kind: NetworkPolicy`
			`metadata:`
			`name: allow-all-svclb-traefik`
			`namespace: kube-system`
			`spec:`
			`podSelector:`
			`matchLabels:`
			`svccontroller.k3s.cattle.io/svcname: traefik`
			`ingress:`
			`- ports:`
			`- port: 80`
			`protocol: TCP`
			`- port: 443`
			`protocol: TCP`
			`policyTypes:`
			`- Ingress`
			`---`
			`# Allow all access to traefik HTTP/HTTPS ports`
			`apiVersion: networking.k8s.io/v1`
			`kind: NetworkPolicy`
			`metadata:`
			`name: allow-all-traefik`
			`namespace: kube-system`
			`spec:`
			`podSelector:`
			`matchLabels:`
			`app.kubernetes.io/name: traefik`
			`ingress:`
			`- ports:`
			`- port: 8000`
			`protocol: TCP`
			`- port: 8443`
			`protocol: TCP`
			`policyTypes:`
			`- Ingress`