dapperdivers · dapperdivers · Feb 22, 2026 · Feb 27, 2026
@@ -45,3 +45,25 @@ spec:
   interval: 30m
   retryInterval: 1m
   timeout: 5m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cilium-network-policies
+  namespace: kube-system
+spec:
+  # NOTE: no targetNamespace — policies specify their own namespaces
+  dependsOn:
+    - name: cilium
+      namespace: kube-system
+  path: ./kubernetes/apps/kube-system/cilium/policies
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
@@ -0,0 +1,147 @@
+---
+# OpenClaw (Tim) needs broad egress:
+# - Database (Postgres, Redis, NATS)
+# - Home Assistant (ha-mcp)
+# - OpenCTI (threat intel)
+# - External APIs (Anthropic, etc.)
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-openclaw-egress
+  namespace: ai
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: openclaw
+  egress:
+    # Database access (NATS, Redis, Postgres)
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: database
+      toPorts:
+        - ports:
+            - port: "4222"
+              protocol: TCP
+            - port: "5432"
+              protocol: TCP
+            - port: "6379"
+              protocol: TCP
+    # Home Assistant
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: home-automation
+            app.kubernetes.io/name: home-assistant
+      toPorts:
+        - ports:
+            - port: "8123"
+              protocol: TCP
+    # OpenCTI
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: security
+      toPorts:
+        - ports:
+            - port: "8080"
+              protocol: TCP
+    # LiteLLM (local LLM proxy)
+    - toEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: litellm
+      toPorts:
+        - ports:
+            - port: "4000"
+              protocol: TCP
+    # Speaches (STT/TTS)
+    - toEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: speaches
+      toPorts:
+        - ports:
+            - port: "8000"
+              protocol: TCP
+    # External APIs (Anthropic, OpenAI, etc.) — HTTPS
+    - toCIDR:
+        - 0.0.0.0/0
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: TCP
+---
+# LiteLLM needs Postgres + external LLM APIs
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-litellm-egress
+  namespace: ai
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: litellm
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: database
+      toPorts:
+        - ports:
+            - port: "5432"
+              protocol: TCP
+            - port: "6379"
+              protocol: TCP
+    # External LLM APIs
+    - toCIDR:
+        - 0.0.0.0/0
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: TCP
+---
+# Munin (OpenClaw #2) — similar to Tim but scoped
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-munin-egress
+  namespace: ai
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: munin
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: database
+      toPorts:
+        - ports:
+            - port: "4222"
+              protocol: TCP
+            - port: "5432"
+              protocol: TCP
+            - port: "6379"
+              protocol: TCP
+    # External APIs
+    - toCIDR:
+        - 0.0.0.0/0
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: TCP
+---
+# Allow LiteLLM to be reached by other AI services
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-litellm-ingress
+  namespace: ai
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: litellm
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ai
+        - matchLabels:
+            io.kubernetes.pod.namespace: roundtable
+      toPorts:
+        - ports:
+            - port: "4000"
+              protocol: TCP
@@ -0,0 +1,108 @@
+---
+# Allow known clients to reach PostgreSQL (CloudNative-PG)
+# Port 5432 — apps that use Postgres databases
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-postgres-clients
+  namespace: database
+spec:
+  endpointSelector:
+    matchLabels:
+      cnpg.io/cluster: postgres
+  ingress:
+    - fromEndpoints:
+        # security namespace (authentik, opencti, vaultwarden)
+        - matchLabels:
+            io.kubernetes.pod.namespace: security
+        # selfhosted namespace (atuin, inbox-zero, miniflux, paperless-ngx)
+        - matchLabels:
+            io.kubernetes.pod.namespace: selfhosted
+        # ai namespace (litellm)
+        - matchLabels:
+            io.kubernetes.pod.namespace: ai
+        # media namespace (autobrr)
+        - matchLabels:
+            io.kubernetes.pod.namespace: media
+        # observability (grafana)
+        - matchLabels:
+            io.kubernetes.pod.namespace: observability
+        # kyverno (postgres-init policy)
+        - matchLabels:
+            io.kubernetes.pod.namespace: kyverno
+      toPorts:
+        - ports:
+            - port: "5432"
+              protocol: TCP
+---
+# Allow known clients to reach Dragonfly (Redis) — port 6379
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-dragonfly-clients
+  namespace: database
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: dragonfly
+  ingress:
+    - fromEndpoints:
+        # security (authentik, opencti)
+        - matchLabels:
+            io.kubernetes.pod.namespace: security
+        # selfhosted (paperless-ngx, searxng)
+        - matchLabels:
+            io.kubernetes.pod.namespace: selfhosted
+        # media (various *arr apps)
+        - matchLabels:
+            io.kubernetes.pod.namespace: media
+        # ai namespace
+        - matchLabels:
+            io.kubernetes.pod.namespace: ai
+      toPorts:
+        - ports:
+            - port: "6379"
+              protocol: TCP
+---
+# Allow known clients to reach NATS — port 4222
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-nats-clients
+  namespace: database
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: nats
+  ingress:
+    - fromEndpoints:
+        # roundtable knights (all communicate via NATS)
+        - matchLabels:
+            io.kubernetes.pod.namespace: roundtable
+        # ai namespace (openclaw dispatches tasks via NATS)
+        - matchLabels:
+            io.kubernetes.pod.namespace: ai
+      toPorts:
+        - ports:
+            - port: "4222"
+              protocol: TCP
+---
+# Allow EMQX MQTT clients — port 1883
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-emqx-clients
+  namespace: database
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: emqx
+  ingress:
+    - fromEndpoints:
+        # home-automation (zigbee2mqtt)
+        - matchLabels:
+            io.kubernetes.pod.namespace: home-automation
+      toPorts:
+        - ports:
+            - port: "1883"
+              protocol: TCP
@@ -0,0 +1,20 @@
+---
+# Allow all pods to reach CoreDNS for name resolution
+# Applied cluster-wide via CiliumClusterwideNetworkPolicy
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-dns
+spec:
+  endpointSelector: {}
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: kube-system
+            k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+            - port: "53"
+              protocol: TCP
@@ -0,0 +1,73 @@
+---
+# Home Assistant needs to reach IoT devices on LAN
+# and EMQX (MQTT) in database namespace
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-ha-egress
+  namespace: home-automation
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: home-assistant
+  egress:
+    # Reach MQTT broker
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: database
+            app.kubernetes.io/name: emqx
+      toPorts:
+        - ports:
+            - port: "1883"
+              protocol: TCP
+    # Reach LAN devices (IoT VLAN, typical ranges)
+    - toCIDR:
+        - 10.0.0.0/8
+        - 192.168.0.0/16
+      toPorts:
+        - ports:
+            - port: "80"
+              protocol: TCP
+            - port: "443"
+              protocol: TCP
+            - port: "8123"
+              protocol: TCP
+---
+# Zigbee2MQTT needs MQTT broker access
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-z2m-egress
+  namespace: home-automation
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: zigbee2mqtt
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: database
+            app.kubernetes.io/name: emqx
+      toPorts:
+        - ports:
+            - port: "1883"
+              protocol: TCP
+---
+# Allow AI namespace to reach Home Assistant (ha-mcp sidecar)
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-ha-from-ai
+  namespace: home-automation
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: home-assistant
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ai
+      toPorts:
+        - ports:
+            - port: "8123"
+              protocol: TCP