Ejecuta cualquier Skill en Manus
con un clic

Ejecuta cualquier Skill en Manus con un clic

network-policy

Estrellas24

Forks3

Actualizado23 de marzo de 2026, 02:45

Manage Cilium network policies: profile selection, access labels, Hubble debugging, platform namespace CNPs, and emergency escape hatch procedures. Use when: (1) Deploying a new application and setting network profile, (2) Debugging blocked traffic with Hubble, (3) Adding shared resource access, (4) Creating platform namespace CNPs, (5) Using the escape hatch for emergencies. Triggers: "network policy", "hubble", "dropped traffic", "cilium", "blocked traffic", "network profile", "access label", "escape hatch", "cnp", "ccnp"

Instalación

Instalar con Codex o Claude Copia este prompt, pégalo en Codex, Claude u otro asistente, y deja que revise la página de la skill y la instale por ti.

Ejecutar en Manus

Fuente

ionfury

ionfury/homelab

Abrir repositorio de GitHub Ver repositorios del creador

Descarga

Ejecutar en Manus

Ocupaciones relacionadasSOC

Basado en la clasificación ocupacional SOC

Administradores de redes y sistemas informáticosOcupaciones informáticas y matemáticas·SOC 15-1244

Explorador de archivos

4 archivos

SKILL.md

readonly

name	network-policy
description	Manage Cilium network policies: profile selection, access labels, Hubble debugging, platform namespace CNPs, and emergency escape hatch procedures. Use when: (1) Deploying a new application and setting network profile, (2) Debugging blocked traffic with Hubble, (3) Adding shared resource access, (4) Creating platform namespace CNPs, (5) Using the escape hatch for emergencies. Triggers: "network policy", "hubble", "dropped traffic", "cilium", "blocked traffic", "network profile", "access label", "escape hatch", "cnp", "ccnp"
user-invocable	false

Network Policy Management

Architecture quick reference: see references/profiles.md

See references/profiles.md for the full profile selection table, access label catalog, drop classification table, and Hubble command reference.

Workflow: Deploy App with Network Policy

Choose a profile (see references/profiles.md) -> apply label to namespace -> add access labels for shared resources -> verify connectivity.

Apply profile label in kubernetes/platform/namespaces.yaml (committed to git, not kubectl apply):

- name: my-app
  labels:
    network-policy.homelab/profile: standard
    access.network-policy.homelab/postgres: "true"     # if DB access needed
    access.network-policy.homelab/dragonfly: "true"    # if cache access needed
    access.network-policy.homelab/garage-s3: "true"    # if S3 access needed
    access.network-policy.homelab/kube-api: "true"     # if kube-api access needed

After deployment, check for drops:

hubble observe --verdict DROPPED --namespace my-app --since 5m

Run scripts/hubble-debug.sh my-app 5m for the full structured debug sequence.

Workflow: Debug Blocked Traffic

Identify drops -> classify against profiles.md drop table -> verify specific flows with scripts/hubble-debug.sh -> check policy status:

kubectl get cnp -n my-app
kubectl get ccnp | grep -E 'baseline|profile'
kubectl get namespace my-app --show-labels | grep network-policy

Workflow: Emergency Escape Hatch

Use only when network policies block legitimate traffic and you need immediate relief.

Step 1: Disable Enforcement

kubectl label namespace <ns> network-policy.homelab/enforcement=disabled

This triggers alerts:

NetworkPolicyEnforcementDisabled (warning) after 5 minutes
NetworkPolicyEnforcementDisabledLong (critical) after 24 hours

Step 2: Verify Traffic Flows

hubble observe --namespace <ns> --since 1m

Step 3: Investigate Root Cause

Use the debug workflow above to identify the missing or misconfigured policy.

Step 4: Fix the Policy (via GitOps)

Apply the fix through a PR.

Step 5: Re-enable Enforcement

kubectl label namespace <ns> network-policy.homelab/enforcement-

See docs/runbooks/network-policy-escape-hatch.md for the full procedure.

Workflow: Add Platform Namespace CNP

Platform namespaces need hand-crafted CNPs. Create in kubernetes/platform/config/network-policy/platform/.

Every platform CNP must include: DNS egress to kube-system/kube-dns (53 UDP/TCP), Prometheus scrape ingress from monitoring, health probe ingress from health entity and 169.254.0.0/16, and HBONE rules (port 15008) if the namespace participates in the Istio mesh.

---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: <namespace>-default
  namespace: <namespace>
spec:
  description: "<Namespace purpose>: describe allowed traffic"
  endpointSelector: {}
  ingress:
    - fromEntities: [health]
    - fromCIDR: ["169.254.0.0/16"]
    - fromEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: monitoring
            app.kubernetes.io/name: prometheus
      toPorts:
        - ports:
            - port: "<metrics-port>"
              protocol: TCP
    # HBONE (if mesh participant)
    - fromEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: istio-system
            app: ztunnel
      toPorts:
        - ports:
            - port: "15008"
              protocol: TCP
  egress:
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP
    # HBONE (if mesh participant)
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: istio-system
            app: ztunnel
      toPorts:
        - ports:
            - port: "15008"
              protocol: TCP

After creating, add to kubernetes/platform/config/network-policy/platform/kustomization.yaml.

Anti-Patterns

NEVER create explicit default-deny policies — baselines provide implicit deny
NEVER use profiles for platform namespaces — they need custom CNPs
NEVER hardcode IP addresses — use endpoint selectors and entities
NEVER allow any port — always specify explicit port lists
NEVER disable enforcement without following the escape hatch runbook

Cross-References

references/profiles.md — Profile table, access labels, Hubble commands
network-policy/CLAUDE.md — Full architecture and directory structure
docs/runbooks/network-policy-escape-hatch.md — Emergency bypass procedure

Más de este repositorio

mismo repositorio

dashboard-design

ionfury/homelab

Visual design and layout for Grafana dashboards — panel hierarchy, type selection, color/threshold design, and iterative screenshot-based refinement. Use when: (1) Deciding what panels belong on a new dashboard, (2) Choosing panel types for specific data patterns, (3) Structuring visual hierarchy and layout, (4) Applying color and thresholds to communicate status, (5) Reviewing dashboard appearance via Playwright screenshots, (6) Iterating on readability and density Triggers: "dashboard design", "visual design", "layout design", "panel type", "color scheme", "screenshot review", "iterate dashboard", "dashboard looks", "visual feedback", "refine dashboard", "dashboard hierarchy", "information density"

2026-05-1924

architecture-review

ionfury/homelab

Architecture evaluation criteria and technology standards for the homelab. Preloaded into the designer agent to ground design decisions in established patterns and principles. Use when: (1) Evaluating a proposed technology addition, (2) Reviewing architecture decisions, (3) Assessing stack fit for a new component, (4) Comparing implementation approaches. Triggers: "architecture review", "evaluate technology", "stack fit", "should we use", "technology comparison", "design review", "architecture decision"

2026-04-0824

deploy-app

ionfury/homelab

End-to-end application deployment orchestration for the Kubernetes homelab. Covers research, worktree setup, Flux ResourceSet configuration, dev cluster testing, monitoring integration, and PR creation. Use when: (1) Deploying a new application to the cluster, (2) Adding a new Helm release to the platform, (3) Setting up monitoring, alerting, and health checks for a new service, (4) Testing deployment on dev cluster before GitOps promotion. Triggers: "deploy app", "add new application", "deploy to kubernetes", "install helm chart", "/deploy-app", "set up new service", "add monitoring for", "deploy with monitoring"

2026-03-3024

secrets

ionfury/homelab

Secret management patterns for the Kubernetes homelab platform. Covers secret-generator, ExternalSecret, app-secrets Terragrunt module, and cross-namespace replication via kubernetes-replicator. Use when: (1) Adding secrets for a new application, (2) Deciding between secret-generator and ExternalSecret, (3) Configuring cross-namespace secret replication, (4) Creating persistent secrets via the app-secrets Terragrunt module, (5) Debugging secret sync failures. Triggers: "secret", "ExternalSecret", "secret-generator", "aws ssm", "parameter store", "kubernetes-replicator", "replicate secret", "app-secrets", "persistent secret", "cross-namespace secret", "secret not syncing", "ClusterSecretStore"

2026-03-3024

cnpg-database

ionfury/homelab

CloudNative-PG (CNPG) PostgreSQL database management for the Kubernetes homelab. Covers shared platform cluster, dedicated per-app clusters, credential provisioning, cross-namespace replication via kubernetes-replicator, and monitoring. Use when: (1) Adding a new database for an application, (2) Creating a dedicated CNPG cluster, (3) Setting up database credentials and cross-namespace replication, (4) Debugging database connectivity or CNPG cluster health, (5) Adding PostgreSQL extensions for specialized workloads. Triggers: "database", "postgresql", "postgres", "cnpg", "cloudnative-pg", "pooler", "pgbouncer", "database credentials", "db password", "managed roles", "Database CRD", "database cluster", "shared database", "dedicated database", "cnpg cluster"

2026-03-2324

gateway-routing

ionfury/homelab

Gateway API routing, TLS certificates, and WAF configuration for the homelab Kubernetes platform. Use when: (1) Exposing a service via HTTPRoute, (2) Choosing between internal and external gateways, (3) Debugging TLS or routing issues, (4) Understanding or tuning WAF (Coraza) behavior. Triggers: "httproute", "gateway", "expose service", "add route", "certificate", "tls", "coraza", "waf", "internal gateway", "external gateway", "dns", "ingress", "routing", "cert-manager", "letsencrypt", "homelab-ca"

2026-03-2324

name	network-policy
description	Manage Cilium network policies: profile selection, access labels, Hubble debugging, platform namespace CNPs, and emergency escape hatch procedures. Use when: (1) Deploying a new application and setting network profile, (2) Debugging blocked traffic with Hubble, (3) Adding shared resource access, (4) Creating platform namespace CNPs, (5) Using the escape hatch for emergencies. Triggers: "network policy", "hubble", "dropped traffic", "cilium", "blocked traffic", "network profile", "access label", "escape hatch", "cnp", "ccnp"
user-invocable	false

Network Policy Management

Architecture quick reference: see references/profiles.md

See references/profiles.md for the full profile selection table, access label catalog, drop classification table, and Hubble command reference.

Workflow: Deploy App with Network Policy

Choose a profile (see references/profiles.md) -> apply label to namespace -> add access labels for shared resources -> verify connectivity.

Apply profile label in kubernetes/platform/namespaces.yaml (committed to git, not kubectl apply):

- name: my-app
  labels:
    network-policy.homelab/profile: standard
    access.network-policy.homelab/postgres: "true"     # if DB access needed
    access.network-policy.homelab/dragonfly: "true"    # if cache access needed
    access.network-policy.homelab/garage-s3: "true"    # if S3 access needed
    access.network-policy.homelab/kube-api: "true"     # if kube-api access needed

After deployment, check for drops:

hubble observe --verdict DROPPED --namespace my-app --since 5m

Run scripts/hubble-debug.sh my-app 5m for the full structured debug sequence.

Workflow: Debug Blocked Traffic

Identify drops -> classify against profiles.md drop table -> verify specific flows with scripts/hubble-debug.sh -> check policy status:

kubectl get cnp -n my-app
kubectl get ccnp | grep -E 'baseline|profile'
kubectl get namespace my-app --show-labels | grep network-policy

Workflow: Emergency Escape Hatch

Use only when network policies block legitimate traffic and you need immediate relief.

Step 1: Disable Enforcement

kubectl label namespace <ns> network-policy.homelab/enforcement=disabled

This triggers alerts:

NetworkPolicyEnforcementDisabled (warning) after 5 minutes
NetworkPolicyEnforcementDisabledLong (critical) after 24 hours

Step 2: Verify Traffic Flows

hubble observe --namespace <ns> --since 1m

Step 3: Investigate Root Cause

Use the debug workflow above to identify the missing or misconfigured policy.

Step 4: Fix the Policy (via GitOps)

Apply the fix through a PR.

Step 5: Re-enable Enforcement

kubectl label namespace <ns> network-policy.homelab/enforcement-

See docs/runbooks/network-policy-escape-hatch.md for the full procedure.

Workflow: Add Platform Namespace CNP

Platform namespaces need hand-crafted CNPs. Create in kubernetes/platform/config/network-policy/platform/.

---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: <namespace>-default
  namespace: <namespace>
spec:
  description: "<Namespace purpose>: describe allowed traffic"
  endpointSelector: {}
  ingress:
    - fromEntities: [health]
    - fromCIDR: ["169.254.0.0/16"]
    - fromEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: monitoring
            app.kubernetes.io/name: prometheus
      toPorts:
        - ports:
            - port: "<metrics-port>"
              protocol: TCP
    # HBONE (if mesh participant)
    - fromEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: istio-system
            app: ztunnel
      toPorts:
        - ports:
            - port: "15008"
              protocol: TCP
  egress:
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP
    # HBONE (if mesh participant)
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: istio-system
            app: ztunnel
      toPorts:
        - ports:
            - port: "15008"
              protocol: TCP

After creating, add to kubernetes/platform/config/network-policy/platform/kustomization.yaml.

Anti-Patterns

NEVER create explicit default-deny policies — baselines provide implicit deny
NEVER use profiles for platform namespaces — they need custom CNPs
NEVER hardcode IP addresses — use endpoint selectors and entities
NEVER allow any port — always specify explicit port lists
NEVER disable enforcement without following the escape hatch runbook

Cross-References

references/profiles.md — Profile table, access labels, Hubble commands
network-policy/CLAUDE.md — Full architecture and directory structure
docs/runbooks/network-policy-escape-hatch.md — Emergency bypass procedure