feat(k8s/media): implement and scale apps to zero for migration

2026-02-21 22:56:32 +02:00
parent 43031e7484
commit 942887c997
18 changed files with 1185 additions and 2 deletions
--- a/kubernetes/app/media/networkpolicy.yaml
+++ b/kubernetes/app/media/networkpolicy.yaml
@@ -0,0 +1,145 @@
+# Default deny all ingress in the media namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-ingress
+  namespace: media
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+---
+# Allow ingress controller to reach qbittorrent, sonarr, radarr
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-controller
+  namespace: media
+spec:
+  podSelector:
+    matchExpressions:
+      - key: app
+        operator: In
+        values:
+          - qbittorrent
+          - sonarr
+          - radarr
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik
+---
+# sonarr-db: only reachable from sonarr and backup jobs
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: sonarr-db
+  namespace: media
+spec:
+  podSelector:
+    matchLabels:
+      app: sonarr-db
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: sonarr
+        - podSelector:
+            matchLabels:
+              app: sonarr-db-backup
+---
+# radarr-db: only reachable from radarr and backup jobs
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: radarr-db
+  namespace: media
+spec:
+  podSelector:
+    matchLabels:
+      app: radarr-db
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: radarr
+        - podSelector:
+            matchLabels:
+              app: radarr-db-backup
+---
+# Allow prowlarr to receive connections from sonarr and radarr
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-internal-comms
+  namespace: media
+spec:
+  podSelector:
+    matchLabels:
+      app: prowlarr
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: sonarr
+        - podSelector:
+            matchLabels:
+              app: radarr
+---
+# Allow prowlarr to reach sonarr, radarr, and qbittorrent
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-prowlarr-to-apps
+  namespace: media
+spec:
+  podSelector:
+    matchExpressions:
+      - key: app
+        operator: In
+        values:
+          - sonarr
+          - radarr
+          - qbittorrent
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: prowlarr
+---
+# Allow qbittorrent to receive connections from sonarr, radarr, and external BT traffic
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-qbittorrent
+  namespace: media
+spec:
+  podSelector:
+    matchLabels:
+      app: qbittorrent
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: sonarr
+        - podSelector:
+            matchLabels:
+              app: radarr
+    - ports:
+        - port: 23312
+          protocol: TCP
+        - port: 23312
+          protocol: UDP