From d11db78c225e0309d7fb24507e9ece15d72a26ad Mon Sep 17 00:00:00 2001
From: 1602077 <jack.charlie.munday@cern.ch>
Date: Fri, 28 Mar 2025 13:32:51 +0100
Subject: [PATCH] cilium netpol draft

---
 .../netpol-restrict-auditlog-access.yaml      | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 templates/netpol-restrict-auditlog-access.yaml

diff --git a/templates/netpol-restrict-auditlog-access.yaml b/templates/netpol-restrict-auditlog-access.yaml
new file mode 100644
index 0000000..a5dca9c
--- /dev/null
+++ b/templates/netpol-restrict-auditlog-access.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: restrict-auditlog-webhook-access
+  namespace: kube-system
+spec:
+  description: "Restricts egress traffic to audit log webhook to falco only"
+  endpointSelector:
+    matchExpressions:
+      - key: app.kubernetes.io/name
+        operator: NotIn
+        values: ["falcosidekick", "falco"]
+  egressDeny:
+    - toCIDR:
+        - 10.254.0.11/32
+  # policyTypes:
+  #   - Egress
+  # podSelector:
+  #   matchLabels:
+  #     app.kubernetes.io/instance: cern-magnum
+  #     app.kubernetes.io/name: falcosidekick
+  # egress:
+  #   - to:
+  #       - ipBlock:
+  #           cidr: 10.254.0.11/32
+  #     ports:
+  #       - protocol: TCP
+  #         port: 9765
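Review bot: A namespaced `CiliumNetworkPolicy` in `kube-system` only selects endpoints in that namespace, so the `egressDeny` to `10.254.0.11/32` does not restrict pods in any other namespace, and the `description` "to falco only" overstates what this enforces. If cluster-wide enforcement is the goal, use `kind: CiliumClusterwideNetworkPolicy` and drop the `namespace: kube-system` line (the `NotIn` selector already covers pods lacking the `app.kubernetes.io/name` label); otherwise narrow the description to "kube-system workloads other than falco". Note also that Cilium `toCIDR` rules are documented as not matching traffic to Cilium-managed endpoints, so if `10.254.0.11` is a cluster-internal service or pod address the deny may need `toEndpoints`/`toServices` instead — worth confirming what that IP is before relying on this. Since this sits under `templates/`, the hard-coded address presumably belongs in values (e.g. `{{ .Values.auditWebhook.cidr | quote }}`), and the commented-out Kubernetes `NetworkPolicy` block at the end should be removed or moved to the commit message rather than shipped in the rendered manifest.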
-- 
GitLab