homelab/kubernetes/app/media/networkpolicy.yaml

# Default deny all ingress in the media namespace.
# An empty podSelector selects every pod in the namespace. Only Ingress is listed
# in policyTypes, so egress stays unrestricted for every pod here except those
# covered by an explicit Egress policy further down (currently only media-backup).
# Per-app ingress is re-opened by the additive allow-* policies that follow.
# NOTE(review): consider a matching default-deny-egress once each app's required
# outbound traffic (DNS, trackers/peers, indexers, ...) has been enumerated.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: media
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Allow the ingress controller to reach qbittorrent, sonarr, radarr and seerr.
# The single from-entry is a bare namespaceSelector with no ports list, so ANY
# pod in the traefik namespace may reach ANY port on these apps, not only the
# Traefik proxy pods on the apps' HTTP ports.
# NOTE(review): tighten with a podSelector for the Traefik pods and a ports list
# once their labels and the apps' listen ports are confirmed — not visible here.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-controller
  namespace: media
spec:
  podSelector:
    matchExpressions:
      - key: app
        operator: In
        values:
          - qbittorrent
          - sonarr
          - radarr
          - seerr
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
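---
# sonarr-db: only reachable from sonarr and backup jobs.
# Both from-entries are bare podSelectors, which match pods in this namespace
# (media) only. Ingress is additionally narrowed to 5432/TCP — PostgreSQL's
# default and the same port allow-backup-egress opens for the DB — so nothing
# else on the db pod is exposed to those clients. Adjust the port if the db
# listens elsewhere.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: sonarr-db
  namespace: media
spec:
  podSelector:
    matchLabels:
      app: sonarr-db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: sonarr
        - podSelector:
            matchLabels:
              app: media-backup
      ports:
        - port: 5432
          protocol: TCP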
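---
# radarr-db: only reachable from radarr and backup jobs.
# Both from-entries are bare podSelectors, which match pods in this namespace
# (media) only. Ingress is additionally narrowed to 5432/TCP — PostgreSQL's
# default and the same port allow-backup-egress opens for the DB — so nothing
# else on the db pod is exposed to those clients. Adjust the port if the db
# listens elsewhere.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: radarr-db
  namespace: media
spec:
  podSelector:
    matchLabels:
      app: radarr-db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: radarr
        - podSelector:
            matchLabels:
              app: media-backup
      ports:
        - port: 5432
          protocol: TCP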
---
# Allow prowlarr to receive connections from sonarr and radarr.
# Bare podSelectors, so only pods in this namespace match; no ports list, so
# every port on prowlarr is reachable from them. Despite the generic name this
# policy selects prowlarr only — the reverse direction (prowlarr -> apps) is
# granted by allow-prowlarr-to-apps.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-internal-comms
  namespace: media
spec:
  podSelector:
    matchLabels:
      app: prowlarr
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: sonarr
        - podSelector:
            matchLabels:
              app: radarr
---
# Allow prowlarr and seerr to reach sonarr, radarr, and qbittorrent on any port.
# NetworkPolicies are additive, so this is unioned with allow-ingress-controller
# and allow-qbittorrent for the pods they share.
# NOTE(review): this also grants seerr direct access to qbittorrent; if seerr
# only needs sonarr/radarr, split the rule so qbittorrent admits prowlarr alone.
# Seerr's actual needs cannot be confirmed from this file.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-prowlarr-to-apps
  namespace: media
spec:
  podSelector:
    matchExpressions:
      - key: app
        operator: In
        values:
          - sonarr
          - radarr
          - qbittorrent
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: prowlarr
        - podSelector:
            matchLabels:
              app: seerr
---
# Allow qbittorrent to receive connections from sonarr, radarr, and external BT traffic.
# Rule 1 has no ports list: sonarr and radarr (same namespace, bare podSelectors)
# may reach every port on the pod.
# Rule 2 has no `from`, so it matches EVERY source — pods in any namespace and
# off-cluster peers alike — but only on 23312 TCP/UDP. That is intentional for
# the BitTorrent listening port; it is the only source-unrestricted port on
# this pod, so keep the list to the peer port and never add the web UI port here.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-qbittorrent
  namespace: media
spec:
  podSelector:
    matchLabels:
      app: qbittorrent
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: sonarr
        - podSelector:
            matchLabels:
              app: radarr
    - ports:
        - port: 23312
          protocol: TCP
        - port: 23312
          protocol: UDP
---
# Allow jellyfin to reach seerr (cross-namespace).
# namespaceSelector and podSelector are in the SAME from-entry, so they are
# ANDed: only pods labelled app=jellyfin inside the jellyfin namespace match.
# Splitting them into two list items would OR them and open seerr to every pod
# in the jellyfin namespace — keep them as one item.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-jellyfin-to-seerr
  namespace: media
spec:
  podSelector:
    matchLabels:
      app: seerr
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: jellyfin
          podSelector:
            matchLabels:
              app: jellyfin
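---
# seerr-db: only reachable from seerr and backup jobs.
# Both from-entries are bare podSelectors, which match pods in this namespace
# (media) only. Ingress is additionally narrowed to 5432/TCP — PostgreSQL's
# default and the same port allow-backup-egress opens for the DB — so nothing
# else on the db pod is exposed to those clients. Adjust the port if the db
# listens elsewhere.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: seerr-db
  namespace: media
spec:
  podSelector:
    matchLabels:
      app: seerr-db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: seerr
        - podSelector:
            matchLabels:
              app: media-backup
      ports:
        - port: 5432
          protocol: TCP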
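---
# Allow backup pods egress to Synology (rest-server), B2, DNS, and DB.
# Any rule below without a `to` matches EVERY destination on that port, in and
# out of the cluster. The DB rule is pinned to the db pods in this namespace;
# the others still need destinations (see the NOTE(review) lines).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backup-egress
  namespace: media
spec:
  podSelector:
    matchLabels:
      app: media-backup
  policyTypes:
    - Egress
  egress:
    # DNS — currently to any resolver.
    # NOTE(review): add a `to` for the cluster DNS pods (kube-system
    # namespaceSelector + the resolver's pod labels) once those labels are confirmed.
    - ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # rest-server on the Synology — currently to any host on 8888.
    # NOTE(review): pin with `to: [{ipBlock: {cidr: <synology-ip>/32}}]`; the
    # address is not recorded in this file.
    - ports:
        - port: 8888
          protocol: TCP
    # B2 over HTTPS. Unless a B2 IP allowlist is maintained this has to stay
    # open to any destination on 443, which makes it the widest rule here.
    - ports:
        - port: 443
          protocol: TCP
    # DB dumps — limited to the three db pods in this namespace that already
    # admit media-backup in their ingress policies, instead of any host on 5432.
    # If a database outside this namespace is also dumped, add it here.
    - to:
        - podSelector:
            matchExpressions:
              - key: app
                operator: In
                values:
                  - sonarr-db
                  - radarr-db
                  - seerr-db
      ports:
        - port: 5432
          protocol: TCP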