# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumnetworkpolicy_v2.json
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: hubble-ui
  namespace: kube-system
specs:
  - nodeSelector:
      # apply to master nodes
      matchLabels:
        node-role.kubernetes.io/control-plane: ''
    ingress:
    # hubble ui -> api server
    - fromEndpoints:
      - matchLabels:
          io.cilium.k8s.policy.serviceaccount: hubble-ui
      toPorts:
      - ports:
        - port: '6443'
          protocol: TCP
  - endpointSelector:
      # apply to core dns endpoints
      matchLabels:
        io.cilium.k8s.policy.serviceaccount: coredns
    ingress:
    # hubble ui -> core dns
    - fromEndpoints:
      - matchLabels:
          io.cilium.k8s.policy.serviceaccount: hubble-ui
      toPorts:
      - ports:
        - port: '53'
          protocol: UDP
  - endpointSelector:
      # apply to hubble relay endpoints
      matchLabels:
        io.cilium.k8s.policy.serviceaccount: hubble-relay
    ingress:
    # hubble ui -> hubble relay
    - fromEndpoints:
      - matchLabels:
          io.cilium.k8s.policy.serviceaccount: hubble-ui
      toPorts:
      - ports:
        - port: '4245'
          protocol: TCP
  - endpointSelector:
      # apply to hubble ui endpoints
      matchLabels:
        io.cilium.k8s.policy.serviceaccount: hubble-ui
    egress:
    # hubble ui -> api server
    - toEntities:
      - kube-apiserver
      toPorts:
      - ports:
        - port: '6443'
          protocol: TCP
    # hubble ui -> hubble relay
    - toEndpoints:
      - matchLabels:
          io.cilium.k8s.policy.serviceaccount: hubble-relay
      toPorts:
      - ports:
        - port: '4245'
          protocol: TCP
    # hubble ui -> core dns
    - toEndpoints:
      - matchLabels:
          io.cilium.k8s.policy.serviceaccount: coredns
      toPorts:
      - ports:
        - port: '53'
          protocol: UDP