Files
argocd-apps/apps/base/bind-internal/authoritative/acls.yaml
T
unkinben f9dd90a6b0
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
Restrict authoritative queries to internal networks
Mirrors the puppet authoritative master-zones view (match-clients
acl-main.unkin.net) using a global allow-query instead of a view, since
dynamic primary zones in a view would need per-view allow-new-zones.

- add auth-acl-main BindACL (the puppet acl-main.unkin.net networks)
- allow-query { auth-acl-main; 10.42.0.0/16; } on bind-authoritative
  (pod net included so secondaries can SOA-refresh from the primary)
2026-07-04 21:58:13 +10:00

27 lines
710 B
YAML

---
# Internal client networks allowed to query the authoritative servers,
# mirrored from the puppet authoritative /etc/named/acls.conf
# (acl-main.unkin.net). Named auth-acl-main because the resolver has its own,
# differently-scoped acl-main.unkin.net in the same namespace.
apiVersion: bind.unkin.net/v1alpha1
kind: BindACL
metadata:
name: auth-acl-main
namespace: bind-internal
spec:
clusterRef: bind-authoritative
entries:
- 198.18.13.0/24
- 198.18.14.0/24
- 198.18.15.0/24
- 198.18.16.0/24
- 198.18.17.0/24
- 198.18.19.0/24
- 198.18.20.0/24
- 198.18.24.0/24
- 198.18.25.0/24
- 198.18.26.0/24
- 198.18.27.0/24
- 198.18.28.0/24
- 198.18.29.0/24