From 567dbfe3c0a2c85c7c061a29412c7e130be12fc7 Mon Sep 17 00:00:00 2001
From: James Turland
Date: Tue, 16 Jan 2024 12:55:53 +0000
Subject: [PATCH] add networkpolicies

---
 .../NetworkPolicies/allow-all-ingress.yaml | 11 ++++++
 .../default-deny-all-ingress.yaml | 9 +++++
 Kubernetes/NetworkPolicies/example.yaml | 35 +++++++++++++++++++
 .../NetworkPolicies/namespace-example.yaml | 17 +++++++++
 .../NetworkPolicies/networkpolicy-egress.yaml | 24 +++++++++++++
 .../networkpolicy-ingress.yaml | 17 +++++++++
 Kubernetes/NetworkPolicies/port-example.yaml | 20 +++++++++++
 7 files changed, 133 insertions(+)
 create mode 100644 Kubernetes/NetworkPolicies/allow-all-ingress.yaml
 create mode 100644 Kubernetes/NetworkPolicies/default-deny-all-ingress.yaml
 create mode 100644 Kubernetes/NetworkPolicies/example.yaml
 create mode 100644 Kubernetes/NetworkPolicies/namespace-example.yaml
 create mode 100644 Kubernetes/NetworkPolicies/networkpolicy-egress.yaml
 create mode 100644 Kubernetes/NetworkPolicies/networkpolicy-ingress.yaml
 create mode 100644 Kubernetes/NetworkPolicies/port-example.yaml

diff --git a/Kubernetes/NetworkPolicies/allow-all-ingress.yaml b/Kubernetes/NetworkPolicies/allow-all-ingress.yaml
new file mode 100644
index 0000000..462912d
--- /dev/null
+++ b/Kubernetes/NetworkPolicies/allow-all-ingress.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-all-ingress
+spec:
+ podSelector: {}
+ ingress:
+ - {}
+ policyTypes:
+ - Ingress
diff --git a/Kubernetes/NetworkPolicies/default-deny-all-ingress.yaml b/Kubernetes/NetworkPolicies/default-deny-all-ingress.yaml
new file mode 100644
index 0000000..e823802
--- /dev/null
+++ b/Kubernetes/NetworkPolicies/default-deny-all-ingress.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-ingress
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
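Review bot: `metadata` in the allow-all-ingress hunk carries no `namespace`, so the object is created in whatever namespace the current kubectl context points at; the same applies to default-deny-all-ingress.yaml and namespace-example.yaml, while example.yaml, port-example.yaml and the two pihole policies set one explicitly. NetworkPolicies are additive, so `podSelector: {}` together with `ingress: - {}` re-opens every pod in that namespace and cancels default-deny-ingress if both land in the same place. Suggest `namespace: <target-namespace>` under `metadata` (placeholder) and a header comment such as `# Allows all ingress to every pod in this namespace; applying it next to default-deny-ingress negates the deny.` The `---` document start and the `apiVersion`-before-`kind` order used in these two files are not followed by the other five files in the commit, which is worth making consistent.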
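Review bot: The policy in the default-deny-all-ingress hunk restricts only ingress (`policyTypes: - Ingress`); egress from the selected pods stays unrestricted and nothing else in this commit adds a namespace-wide egress deny. If the intent is a deny-by-default baseline, `- Egress` belongs in `policyTypes` as well, followed by an explicit DNS egress rule of the kind networkpolicy-egress.yaml already contains. The file is named default-deny-all-ingress.yaml while `metadata.name` is `default-deny-ingress`; aligning the two makes `kubectl get networkpolicy` output easier to map back to the repository.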
diff --git a/Kubernetes/NetworkPolicies/example.yaml b/Kubernetes/NetworkPolicies/example.yaml
new file mode 100644
index 0000000..e91eed2
--- /dev/null
+++ b/Kubernetes/NetworkPolicies/example.yaml
@@ -0,0 +1,35 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: test-network-policy
+ namespace: default
+spec:
+ podSelector:
+ matchLabels:
+ role: db
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - ipBlock:
+ cidr: 172.17.0.0/16
+ except:
+ - 172.17.1.0/24
+ - namespaceSelector:
+ matchLabels:
+ project: myproject
+ - podSelector:
+ matchLabels:
+ role: frontend
+ ports:
+ - protocol: TCP
+ port: 6379
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 10.0.0.0/24
+ ports:
+ - protocol: TCP
+ port: 5978
+
diff --git a/Kubernetes/NetworkPolicies/namespace-example.yaml b/Kubernetes/NetworkPolicies/namespace-example.yaml
new file mode 100644
index 0000000..e8ed653
--- /dev/null
+++ b/Kubernetes/NetworkPolicies/namespace-example.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: egress-namespaces
+spec:
+ podSelector:
+ matchLabels:
+ app: myapp
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchExpressions:
+ - key: namespace
+ operator: In
+ values: ["frontend", "backend"]
\ No newline at end of file
diff --git a/Kubernetes/NetworkPolicies/networkpolicy-egress.yaml b/Kubernetes/NetworkPolicies/networkpolicy-egress.yaml
new file mode 100644
index 0000000..5671ac8
--- /dev/null
+++ b/Kubernetes/NetworkPolicies/networkpolicy-egress.yaml
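Review bot: The three entries under `ingress: - from:` in test-network-policy (`ipBlock`, `namespaceSelector`, `podSelector`) are separate list items and are therefore OR-ed: any pod in a `project: myproject` namespace, any `role: frontend` pod in `default`, or any source in 172.17.0.0/16 outside 172.17.1.0/24 may reach port 6379. If the intended rule is "frontend pods inside myproject namespaces", the `podSelector` has to sit in the same list item as the `namespaceSelector` (drop the leading `-` on `- podSelector:` and align it under `namespaceSelector`). A short comment on the `ipBlock` entry would also help readers, since source addresses of in-cluster traffic can be rewritten by the CNI or kube-proxy and CIDR matching is dependable mainly for traffic entering from outside the cluster: `# ipBlock matches the source IP the CNI sees; prefer selectors for in-cluster peers.`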
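Review bot: The `matchExpressions` entry in the egress-namespaces hunk selects namespaces labelled `namespace=frontend` or `namespace=backend`, a label Kubernetes never sets on its own; the label applied automatically to every namespace is `kubernetes.io/metadata.name`, which networkpolicy-egress.yaml in this same commit already uses. Unless the frontend and backend namespaces are hand-labelled that way, the selector matches nothing and, with `policyTypes: - Egress` set, `app: myapp` pods lose all egress including DNS. Suggest `- key: kubernetes.io/metadata.name`, or at least a comment `# assumes namespaces carry a manually applied label namespace=<name>; kubernetes.io/metadata.name is set automatically`. The file also ends without a trailing newline (`\ No newline at end of file`).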
@@ -0,0 +1,24 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-internet-only
+ namespace: pihole
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 10.0.0.0/8
+ - 192.168.0.0/16
+ - 172.16.0.0/20
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "kube-system"
+ - podSelector:
+ matchLabels:
+ k8s-app: "kube-dns"
\ No newline at end of file
diff --git a/Kubernetes/NetworkPolicies/networkpolicy-ingress.yaml b/Kubernetes/NetworkPolicies/networkpolicy-ingress.yaml
new file mode 100644
index 0000000..bdc8c95
--- /dev/null
+++ b/Kubernetes/NetworkPolicies/networkpolicy-ingress.yaml
@@ -0,0 +1,17 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: restrict-internal
+ namespace: pihole
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 10.0.0.0/8
+ - 192.168.0.0/16
+ - 172.16.0.0/20
\ No newline at end of file
diff --git a/Kubernetes/NetworkPolicies/port-example.yaml b/Kubernetes/NetworkPolicies/port-example.yaml
new file mode 100644
index 0000000..f4c914b
--- /dev/null
+++ b/Kubernetes/NetworkPolicies/port-example.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: multi-port-egress
+ namespace: default
+spec:
+ podSelector:
+ matchLabels:
+ role: db
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 10.0.0.0/24
+ ports:
+ - protocol: TCP
+ port: 32000
+ endPort: 32768
+
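Review bot: The `except` list under `cidr: 0.0.0.0/0` in allow-internet-only uses `172.16.0.0/20`, which covers only 172.16.0.0–172.16.15.255; the RFC 1918 block is `172.16.0.0/12`, so hosts in 172.16.16.0–172.31.255.255 stay reachable from the pihole namespace, contrary to the policy name, and networkpolicy-ingress.yaml in this commit repeats the same list. Change the entry to `- 172.16.0.0/12` in both files, and consider adding `- 169.254.0.0/16` so the link-local range, where cloud metadata endpoints usually live, is excluded as well. In the second `- to:` rule, `- namespaceSelector:` and `- podSelector:` are separate list items and therefore OR-ed: the policy permits egress to every pod in kube-system plus every `k8s-app: kube-dns` pod in any namespace. Removing the leading `-` from `- podSelector:` and aligning it with `namespaceSelector` confines the rule to kube-dns in kube-system, and a `ports:` entry for 53/UDP and 53/TCP would narrow it to DNS. The file also ends without a trailing newline.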
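Review bot: The `ipBlock` in restrict-internal is matched against the source address the CNI sees, and for traffic reaching the pihole pods through a LoadBalancer or NodePort Service the client address is commonly rewritten to a node IP unless `externalTrafficPolicy: Local` is set; a node IP inside 10.0.0.0/8 or 192.168.0.0/16 would then fall under `except` and the intended external clients would be denied, while pod-to-pod traffic is matched or not depending on the cluster's pod CIDR. The policy should record that assumption, e.g. `# assumes client source IPs are preserved (externalTrafficPolicy: Local); SNATed traffic is matched by node IP instead`. If the real goal is to let only LAN clients reach Pi-hole, an allow rule listing those ranges is simpler to reason about than an allow-everything-except rule.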
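Review bot: `endPort: 32768` in multi-port-egress depends on the CNI plugin implementing port ranges; on a plugin without that support the rule is applied for `port: 32000` only, which fails closed but silently. A comment recording the requirement would help operators: `# endPort needs a CNI with NetworkPolicy port-range support; otherwise only port 32000 is allowed`. As with the other egress-only policies in this commit, `role: db` pods in `default` get no DNS egress rule, so name resolution from them fails unless another policy in that namespace permits it.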