devops folders consolidate

2026-01-25 23:27:41 +02:00
parent 6e687b523a
commit a50bbb38ef
334 changed files with 35079 additions and 5569 deletions
--- a/deploy/offline/airgap/k8s-deny-egress.yaml
+++ b/deploy/offline/airgap/k8s-deny-egress.yaml
@@ -0,0 +1,42 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: sealed-deny-all-egress
+  namespace: default
+  labels:
+    stellaops.dev/owner: devops
+    stellaops.dev/purpose: sealed-mode
+spec:
+  podSelector:
+    matchLabels:
+      sealed: "true"
+  policyTypes:
+    - Egress
+  egress: []
+---
+# Optional patch to allow in-cluster DNS while still blocking external egress.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: sealed-allow-dns
+  namespace: default
+  labels:
+    stellaops.dev/owner: devops
+    stellaops.dev/purpose: sealed-mode
+spec:
+  podSelector:
+    matchLabels:
+      sealed: "true"
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - protocol: UDP
+          port: 53