claude 17e55ae0c9
fix: allow Kyverno egress to Gitea external for registry token exchange
After changing Gitea ROOT_URL to https://git.georgepet.duckdns.org,
the registry V2 auth challenge redirects to the external URL.
Kyverno needs to reach 185.47.204.231:443 for token exchange.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 21:29:00 +01:00


# Kyverno NetworkPolicies
# Default deny + selective allow for kyverno namespace
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: kyverno
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Allow DNS egress (all kyverno pods need DNS)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: kyverno
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
---
# Admission controller: receives webhook calls from K8s API, needs K8s API + registry
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-kyverno-admission
  namespace: kyverno
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: admission-controller
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # K8s API calls webhook on port 9443
    - ports:
        - port: 9443
          protocol: TCP
  egress:
    # K8s API server
    - ports:
        - port: 6443
          protocol: TCP
    # Gitea registry (verify image signatures)
    - to:
        - ipBlock:
            cidr: 10.10.10.1/32
      ports:
        - port: 3000
          protocol: TCP
    # Gitea external (registry token exchange via ROOT_URL)
    - to:
        - ipBlock:
            cidr: 185.47.204.231/32
      ports:
        - port: 443
          protocol: TCP
---
# Background controller: K8s API + registry
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-kyverno-background
  namespace: kyverno
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: background-controller
  policyTypes:
    - Egress
  egress:
    # K8s API server
    - ports:
        - port: 6443
          protocol: TCP
    # Gitea registry
    - to:
        - ipBlock:
            cidr: 10.10.10.1/32
      ports:
        - port: 3000
          protocol: TCP
    # Gitea external (registry token exchange via ROOT_URL)
    - to:
        - ipBlock:
            cidr: 185.47.204.231/32
      ports:
        - port: 443
          protocol: TCP
---
# Cleanup controller: K8s API only
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-kyverno-cleanup
  namespace: kyverno
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: cleanup-controller
  policyTypes:
    - Egress
  egress:
    # K8s API server
    - ports:
        - port: 6443
          protocol: TCP
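An added audit script, not part of this commit or of Kyverno, that checks the policy set above the way a reviewer would: it confirms a namespace-wide default deny exists and lists the egress rules that name only ports without a `to` peer (the DNS and K8s API rules), since such a rule reaches that port at any destination. The manifests are constructed inline as Python dicts mirroring the YAML, so no YAML library is assumed; `np` and `comp` are helper names invented here.

```python
# Added example: audit NetworkPolicy objects for a default deny and for egress
# rules that restrict the port but not the destination. Manifests are constructed here.
def np(name, selector, types, ingress=None, egress=None):
    """Build a NetworkPolicy dict in the shape kubectl would load from YAML."""
    spec = {"podSelector": selector, "policyTypes": types}
    if ingress is not None:
        spec["ingress"] = ingress
    if egress is not None:
        spec["egress"] = egress
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": "kyverno"}, "spec": spec}

def comp(c):
    return {"matchLabels": {"app.kubernetes.io/component": c}}

API = {"ports": [{"port": 6443, "protocol": "TCP"}]}  # no 'to': any host on 6443
DNS = {"ports": [{"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"}]}
GITEA_INT = {"to": [{"ipBlock": {"cidr": "10.10.10.1/32"}}],
             "ports": [{"port": 3000, "protocol": "TCP"}]}
GITEA_EXT = {"to": [{"ipBlock": {"cidr": "185.47.204.231/32"}}],
             "ports": [{"port": 443, "protocol": "TCP"}]}
KYVERNO_POLICIES = [
    np("default-deny-all", {}, ["Ingress", "Egress"]),
    np("allow-dns-egress", {}, ["Egress"], egress=[DNS]),
    np("allow-kyverno-admission", comp("admission-controller"), ["Ingress", "Egress"],
       ingress=[{"ports": [{"port": 9443, "protocol": "TCP"}]}],
       egress=[API, GITEA_INT, GITEA_EXT]),
    np("allow-kyverno-background", comp("background-controller"), ["Egress"],
       egress=[API, GITEA_INT, GITEA_EXT]),
    np("allow-kyverno-cleanup", comp("cleanup-controller"), ["Egress"], egress=[API]),
]

def has_default_deny(policies):
    """True if a policy selects every pod, lists both policyTypes and allows nothing."""
    return any(p["spec"]["podSelector"] == {}
               and {"Ingress", "Egress"} <= set(p["spec"]["policyTypes"])
               and not p["spec"].get("ingress") and not p["spec"].get("egress")
               for p in policies)

def unrestricted_egress(policies):
    """(policy name, ('PROTO/port', ...)) for each egress rule with ports but no 'to'."""
    out = []
    for p in policies:
        if "Egress" not in p["spec"]["policyTypes"]:
            continue
        for rule in p["spec"].get("egress") or []:
            if "to" not in rule:  # destination unrestricted: only the port is limited
                ports = tuple(f"{x.get('protocol', 'TCP')}/{x['port']}" for x in rule.get("ports", []))
                out.append((p["metadata"]["name"], ports))
    return out

if __name__ == "__main__":
    print("default deny present:", has_default_deny(KYVERNO_POLICIES))
    for name, ports in unrestricted_egress(KYVERNO_POLICIES):
        print(f"{name}: egress to ANY destination on {', '.join(ports)}")
```

Whether those two findings are acceptable depends on the cluster: pinning 6443 to the API server's address and 53 to the cluster DNS service is the usual tightening.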