Skip to content

Commit

Permalink
tailspin: readd latest after build exceptions were resolved
Browse files Browse the repository at this point in the history 
Signed-off-by: aserowy <serowy@hotmail.com>
  • Loading branch information
@aserowy
aserowy committed Nov 12, 2024
1 parent bffe0c7 commit 1095588
Show file tree
Hide file tree
Showing 5 changed files with 265 additions and 226 deletions.
367 changes: 177 additions & 190 deletions cluster/homelab/cilium.nix
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,214 +15,201 @@
values = {
operator.replicas = 1;

# replicate k3s environment.
ipam.operator.clusterPoolIPv4PodCIDRList = [ "10.42.0.0/16" ];
# # FIX: https://github.com/cilium/cilium/issues/31197
# dnsProxy.enableTransparentMode = false;

k8sServiceHost = "localhost";
k8sServicePort = 6444;
# # replicate k3s environment
# ipam = {
# mode = "kubernetes";
# operator.clusterPoolIPv4PodCIDRList = [ "10.42.0.0/16" ];
# };

# policy enforcement.
policyEnforcementMode = "always";
policyAuditMode = false;
# TODO: is host dependent: should come as modul option
k8sServiceHost = "192.168.178.53";
k8sServicePort = 6443;

# set cilium as a kube-proxy replacement.
# policy enforcement
# policyEnforcementMode = "always";
policyEnforcementMode = "never";

# set cilium as a kube-proxy replacement
kubeProxyReplacement = true;

hubble = {
relay.enabled = true;
ui.enabled = true;
tls.auto.method = "cronJob";
};
# hubble = {
# relay.enabled = true;
# ui.enabled = true;
# };
};
};

resources = {
ciliumNetworkPolicies = {
# Allow hubble relay server egress to nodes
allow-hubble-relay-server-egress.spec = {
description = "Policy for egress from hubble relay to hubble server in Cilium agent.";
endpointSelector.matchLabels."app.kubernetes.io/name" = "hubble-relay";
egress = [
{
toEntities = [
"remote-node"
"host"
];
toPorts = [
{
ports = [
{
port = "4244";
protocol = "TCP";
}
];
}
];
}
];
};

# Allow hubble UI to talk to hubble relay
allow-hubble-ui-relay-ingress.spec = {
description = "Policy for ingress from hubble UI to hubble relay.";
endpointSelector.matchLabels."app.kubernetes.io/name" = "hubble-relay";
ingress = [
{
fromEndpoints = [
{
matchLabels."app.kubernetes.io/name" = "hubble-ui";
}
];
toPorts = [
{
ports = [
{
port = "4245";
protocol = "TCP";
}
];
}
];
}
];
};

# Allow hubble UI to talk to kube-apiserver
allow-hubble-ui-kube-apiserver-egress.spec = {
description = "Allow Hubble UI to talk to kube-apiserver";
endpointSelector.matchLabels."app.kubernetes.io/name" = "hubble-ui";
egress = [
{
toEntities = [ "kube-apiserver" ];
toPorts = [
{
ports = [
{
port = "6443";
protocol = "TCP";
}
];
}
];
}
];
};

# Allow kube-dns to talk to upstream DNS
allow-kube-dns-upstream-egress.spec = {
description = "Policy for egress to allow kube-dns to talk to upstream DNS.";
endpointSelector.matchLabels.k8s-app = "kube-dns";
egress = [
{
toEntities = [ "world" ];
toPorts = [
{
ports = [
{
port = "53";
protocol = "UDP";
}
];
}
];
}
];
};

# Allow CoreDNS to talk to kube-apiserver
allow-kube-dns-apiserver-egress.spec = {
description = "Allow coredns to talk to kube-apiserver.";
allow-coredns-apiserver-egress.spec = {
endpointSelector.matchLabels.k8s-app = "kube-dns";
egress = [
{
toEntities = [ "kube-apiserver" ];
toPorts = [
{
ports = [
{
port = "6443";
protocol = "TCP";
}
];
}
];
}
];
};

# Allow hubble-generate-certs job to talk to kube-apiserver
allow-hubble-generate-certs-apiserver-egress.spec = {
description = "Allow hubble-generate-certs job to talk to kube-apiserver.";
endpointSelector.matchLabels."batch.kubernetes.io/job-name" = "hubble-generate-certs";
egress = [
{
toEntities = [ "kube-apiserver" ];
toPorts = [
{
ports = [
{
port = "6443";
protocol = "TCP";
}
];
}
];
}
];
};
};

ciliumClusterwideNetworkPolicies = {
# Allow all cilium endpoints to talk egress to each other
allow-internal-egress.spec = {
description = "Policy to allow all Cilium managed endpoint to talk to all other cilium managed endpoints on egress";
endpointSelector = { };
egress = [
{
toEndpoints = [ { } ];
}
];
};

# Allow all health checks
cilium-health-checks.spec = {
endpointSelector.matchLabels."reserved:health" = "";
ingress = [
{
fromEntities = [ "remote-node" ];
}
];
egress = [
{
toEntities = [ "remote-node" ];
}
];
};

# Allow all cilium managed endpoints to talk to cluster dns
allow-kube-dns-cluster-ingress.spec = {
description = "Policy for ingress allow to kube-dns from all Cilium managed endpoints in the cluster.";
endpointSelector.matchLabels = {
"k8s:io.kubernetes.pod.namespace" = "kube-system";
"k8s-app" = "kube-dns";
};
ingress = [
{
fromEndpoints = [ { } ];
toPorts = [
{
ports = [
{
port = "53";
protocol = "UDP";
}
];
}
];
}
];
};
};
# ciliumNetworkPolicies = {
# allow-hubble-relay-server-egress.spec = {
# description = "Policy for egress from hubble relay to hubble server in Cilium agent.";
# endpointSelector.matchLabels."app.kubernetes.io/name" = "hubble-relay";
# egress = [
# {
# toEntities = [
# "remote-node"
# "host"
# ];
# toPorts = [
# {
# ports = [
# {
# port = "4244";
# protocol = "TCP";
# }
# ];
# }
# ];
# }
# ];
# };
#
# allow-hubble-ui-relay-ingress.spec = {
# description = "Policy for ingress from hubble UI to hubble relay.";
# endpointSelector.matchLabels."app.kubernetes.io/name" = "hubble-relay";
# ingress = [
# {
# fromEndpoints = [
# {
# matchLabels."app.kubernetes.io/name" = "hubble-ui";
# }
# ];
# toPorts = [
# {
# ports = [
# {
# port = "4245";
# protocol = "TCP";
# }
# ];
# }
# ];
# }
# ];
# };
#
# allow-hubble-ui-kube-apiserver-egress.spec = {
# description = "Allow Hubble UI to talk to kube-apiserver";
# endpointSelector.matchLabels."app.kubernetes.io/name" = "hubble-ui";
# egress = [
# {
# toEntities = [ "kube-apiserver" ];
# toPorts = [
# {
# ports = [
# {
# port = "6443";
# protocol = "TCP";
# }
# ];
# }
# ];
# }
# ];
# };
#
# allow-kube-dns-upstream-egress.spec = {
# description = "Policy for egress to allow kube-dns to talk to upstream DNS.";
# endpointSelector.matchLabels.k8s-app = "kube-dns";
# egress = [
# {
# toEntities = [ "world" ];
# toPorts = [
# {
# ports = [
# {
# port = "53";
# protocol = "UDP";
# }
# ];
# }
# ];
# }
# ];
# };
#
# allow-hubble-generate-certs-apiserver-egress.spec = {
# description = "Allow hubble-generate-certs job to talk to kube-apiserver.";
# endpointSelector.matchLabels."batch.kubernetes.io/job-name" = "hubble-generate-certs";
# egress = [
# {
# toEntities = [ "kube-apiserver" ];
# toPorts = [
# {
# ports = [
# {
# port = "6443";
# protocol = "TCP";
# }
# ];
# }
# ];
# }
# ];
# };
# };
#
# ciliumClusterwideNetworkPolicies = {
# allow-internal-egress.spec = {
# description = "Policy to allow all Cilium managed endpoint to talk to all other cilium managed endpoints on egress";
# endpointSelector = { };
# egress = [
# {
# toEndpoints = [ { } ];
# }
# ];
# };
#
# allow-kube-dns-cluster-ingress.spec = {
# description = "Policy for ingress allow to kube-dns from all Cilium managed endpoints in the cluster.";
# endpointSelector.matchLabels = {
# "k8s:io.kubernetes.pod.namespace" = "kube-system";
# "k8s-app" = "kube-dns";
# };
# ingress = [
# {
# fromEndpoints = [ { } ];
# toPorts = [
# {
# ports = [
# {
# port = "53";
# protocol = "UDP";
# }
# ];
# }
# ];
# }
# ];
# };
#
# cilium-health-checks.spec = {
# endpointSelector.matchLabels."reserved:health" = "";
# ingress = [
# {
# fromEntities = [ "remote-node" ];
# }
# ];
# egress = [
# {
# toEntities = [ "remote-node" ];
# }
# ];
# };
# };
};
};
}
Loading

0 comments on commit 1095588

Please sign in to comment.