# Network policies for the veylant namespace (E10-02).
# Strategy: default-deny all ingress and egress, then an explicit allowlist per
# service. NetworkPolicy is enforced at both ends of a connection, so every
# egress rule granted to the proxy needs a matching ingress rule on the
# destination pod, or the default deny still drops the traffic there.
# Apply: kubectl apply -f deploy/k8s/network-policies.yaml -n veylant
---
# Baseline isolation: every pod in the namespace, both directions.
# An empty podSelector ({}) matches all pods; listing both policy types
# with no ingress/egress rules means nothing is allowed unless another
# NetworkPolicy in this namespace explicitly permits it.
# Note that this also denies ingress on the backend pods (postgres, redis,
# clickhouse, pii-service), so each of them needs its own allow rule from
# the proxy in addition to the proxy's egress rules.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: veylant
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Inbound HTTP to the proxy: only from the ingress-nginx namespace, TCP/8090.
# The namespaceSelector keys on kubernetes.io/metadata.name, the label the
# API server sets automatically on namespaces (Kubernetes 1.21+); on older
# clusters the label must be applied by hand or this rule matches nothing.
# NOTE(review): this admits every pod in the ingress-nginx namespace, not
# just the controller. Adding a podSelector for the controller pods (verify
# their labels against that deployment) would narrow it further.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-proxy-ingress
  namespace: veylant
spec:
  podSelector:
    matchLabels:
      app: veylant-proxy
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8090
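---
# Proxy -> PII service (gRPC, TCP/50051).
# A bare podSelector with no namespaceSelector limits the destination to
# pods labeled app=pii-service in this namespace.
# NOTE(review): the original comment called this a "sidecar". A sidecar
# container shares the proxy pod and needs no NetworkPolicy; this rule only
# does anything if the PII service runs as its own pod(s) -- confirm.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-proxy-to-pii
  namespace: veylant
spec:
  podSelector:
    matchLabels:
      app: veylant-proxy
  policyTypes: [Egress]
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: pii-service
      ports:
        - protocol: TCP
          port: 50051
---
# Matching ingress rule on the PII service pods.
# NetworkPolicy is enforced at both ends: default-deny-all selects every pod
# in the namespace and denies ingress, so the proxy's egress allowance above
# is not sufficient on its own -- without this rule the proxy's connections
# are dropped at the destination.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-pii-ingress-from-proxy
  namespace: veylant
spec:
  podSelector:
    matchLabels:
      app: pii-service
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: veylant-proxy
      ports:
        - protocol: TCP
          port: 50051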
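---
# Proxy -> PostgreSQL (TCP/5432).
# Destination is restricted to pods labeled app=postgres in this namespace
# (no namespaceSelector); a database hosted outside the namespace or outside
# the cluster is not covered by this rule.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-proxy-to-postgres
  namespace: veylant
spec:
  podSelector:
    matchLabels:
      app: veylant-proxy
  policyTypes: [Egress]
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
---
# Matching ingress rule on the PostgreSQL pods.
# default-deny-all denies ingress on every pod in the namespace, so the
# proxy's egress allowance above is not enough by itself -- the database
# side must also permit the connection. Only the proxy is admitted here;
# any other client of postgres (migration jobs, etc.) needs its own rule.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-postgres-ingress-from-proxy
  namespace: veylant
spec:
  podSelector:
    matchLabels:
      app: postgres
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: veylant-proxy
      ports:
        - protocol: TCP
          port: 5432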
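---
# Proxy -> ClickHouse for audit logging (native TCP protocol, port 9000).
# Destination is restricted to pods labeled app=clickhouse in this
# namespace (no namespaceSelector).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-proxy-to-clickhouse
  namespace: veylant
spec:
  podSelector:
    matchLabels:
      app: veylant-proxy
  policyTypes: [Egress]
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: clickhouse
      ports:
        - protocol: TCP
          port: 9000
---
# Matching ingress rule on the ClickHouse pods.
# default-deny-all denies ingress on every pod in the namespace, so audit
# writes from the proxy are dropped at ClickHouse unless it explicitly
# admits them. Only port 9000 from the proxy is opened; the HTTP interface
# (8123) stays closed to everything.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-clickhouse-ingress-from-proxy
  namespace: veylant
spec:
  podSelector:
    matchLabels:
      app: clickhouse
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: veylant-proxy
      ports:
        - protocol: TCP
          port: 9000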
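---
# Proxy -> Redis (TCP/6379): rate limiting and the PII pseudonym cache.
# Destination is restricted to pods labeled app=redis in this namespace
# (no namespaceSelector).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-proxy-to-redis
  namespace: veylant
spec:
  podSelector:
    matchLabels:
      app: veylant-proxy
  policyTypes: [Egress]
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: redis
      ports:
        - protocol: TCP
          port: 6379
---
# Matching ingress rule on the Redis pods.
# default-deny-all denies ingress on every pod in the namespace, so the
# proxy's egress allowance above is not enough by itself. Keeping the
# source pinned to the proxy matters here: the pseudonym cache is PII-
# adjacent, and no other workload should be able to read it directly.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-redis-ingress-from-proxy
  namespace: veylant
spec:
  podSelector:
    matchLabels:
      app: redis
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: veylant-proxy
      ports:
        - protocol: TCP
          port: 6379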
---
# DNS egress for every pod in the namespace: UDP and TCP 53 into kube-system.
# Needed because default-deny-all would otherwise block name resolution for
# the proxy and all backends alike.
# NOTE(review): as written this reaches any pod in kube-system listening on
# port 53, not only CoreDNS; adding a podSelector for the DNS pods (check
# their labels in this cluster) would narrow it. Clusters running a
# node-local DNS cache on the host network are not covered by this rule.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: veylant
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }