From 2992d7d326ff5ce3f08a9dc43c6d3b94139c56ed Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Sat, 16 May 2026 18:18:40 -0400
Subject: [PATCH] feat(thelounge): add cilium egress filtering
Allow: DNS, LDAP (authentik), in-cluster ZNC, irc.passthepopcorn.me:6697. Default-deny for everything else.
Co-Authored-By: Claude Sonnet 4.6
---
thelounge/ciliumnetworkpolicy.yaml | 44 ++++++++++++++++++++++++++++++
thelounge/kustomization.yaml | 1 +
2 files changed, 45 insertions(+)
create mode 100644 thelounge/ciliumnetworkpolicy.yaml
diff --git a/thelounge/ciliumnetworkpolicy.yaml b/thelounge/ciliumnetworkpolicy.yaml
new file mode 100644
index 0000000..cea6477
--- /dev/null
+++ b/thelounge/ciliumnetworkpolicy.yaml
@@ -0,0 +1,44 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: thelounge-egress
+ namespace: irc
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: thelounge
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s:k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: ANY
+ rules:
+ dns:
+ - matchPattern: "*"
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: auth
+ k8s:app.kubernetes.io/name: authentik-outpost-ldap
+ k8s:goauthentik.io/outpost-type: ldap
+ toPorts:
+ - ports:
+ - port: "389"
+ protocol: TCP
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: irc
+ k8s:app.kubernetes.io/name: znc
+ toPorts:
+ - ports:
+ - port: "6501"
+ protocol: TCP
+ - toFQDNs:
+ - matchName: "irc.passthepopcorn.me"
+ toPorts:
+ - ports:
+ - port: "6697"
+ protocol: TCP
diff --git a/thelounge/kustomization.yaml b/thelounge/kustomization.yaml
index 902b09c..9c1a21e 100644
--- a/thelounge/kustomization.yaml
+++ b/thelounge/kustomization.yaml
@@ -5,4 +5,5 @@ resources:
 - service.yaml
 - httproute.yaml
 - authorizationpolicy.yaml
+ - ciliumnetworkpolicy.yaml
 - config.yaml
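Review bot: The DNS rule at `- matchPattern: "*"` lets the pod resolve any name, which is wider than the allowlist the commit message describes; Cilium does need an L7 DNS rule on port 53 so its DNS proxy can learn the addresses behind the toFQDNs rule, but that rule can be narrowed to the names actually used, e.g. `- matchName: "irc.passthepopcorn.me"` plus `- matchPattern: "*.cluster.local"` (adjust if the cluster domain differs), which still covers the in-cluster ZNC and LDAP service lookups expanded through the pod's search path. The LDAP rule only permits port 389, which is plaintext LDAP unless a mesh encrypts that hop (the neighbouring authorizationpolicy.yaml suggests one may exist); if the authentik outpost also serves LDAPS and TheLounge is configured for it, allowing 636 instead would keep bind credentials off the wire. Since the file is new and has no comments, a one-line header such as `# Egress allowlist for thelounge; the DNS rule exists so Cilium can resolve the toFQDNs entry below` would help the next reader.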