generated from coulomb/repo-seed
fix(sso-mfa): NK-WP-0003-T04 — correct privacyIDEA image and port
privacyidea/privacyidea:3.12 does not exist on Docker Hub. Correct image: privacyidea/otpserver:3.12.2 (port 5001). Updated files: - deployment.yaml: image, containerPort, probes, service port - ingress.yaml: backend service port - netpol-mfa.yaml: ingress port + keycloak → keycape label - netpol-sso.yaml: KeyCape egress port to privacyIDEA Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1,8 +1,8 @@
|
||||
# NetworkPolicies for the mfa namespace (privacyIDEA)
|
||||
#
|
||||
# Allowed paths:
|
||||
# INGRESS: Traefik (kube-system) → privacyIDEA :8080 (user-facing portal)
|
||||
# INGRESS: Keycloak (sso) → privacyIDEA :8080 (Provider API calls)
|
||||
# INGRESS: Traefik (kube-system) → privacyIDEA :5001 (user-facing portal)
|
||||
# INGRESS: KeyCape (sso) → privacyIDEA :5001 (Provider API calls)
|
||||
# EGRESS: privacyIDEA → databases :5432 (PostgreSQL)
|
||||
# EGRESS: all pods → kube-dns :53 (UDP+TCP)
|
||||
#
|
||||
@@ -42,14 +42,14 @@ spec:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: traefik
|
||||
ports:
|
||||
- port: 8080
|
||||
- port: 5001
|
||||
protocol: TCP
|
||||
---
|
||||
# ── Allow ingress from Keycloak (Provider API calls) ─────────────────────────
|
||||
# ── Allow ingress from KeyCape (Provider API calls) ──────────────────────────
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: allow-ingress-from-keycloak
|
||||
name: allow-ingress-from-keycape
|
||||
namespace: mfa
|
||||
spec:
|
||||
podSelector:
|
||||
@@ -64,9 +64,9 @@ spec:
|
||||
net-kingdom/component: sso
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: keycloak
|
||||
app.kubernetes.io/name: keycape
|
||||
ports:
|
||||
- port: 8080
|
||||
- port: 5001
|
||||
protocol: TCP
|
||||
---
|
||||
# ── Allow egress to PostgreSQL ───────────────────────────────────────────────
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
# Allowed egress paths:
|
||||
# keycape → authelia :9091 (OIDC callback orchestration)
|
||||
# keycape → lldap :3890 (LDAP user lookups)
|
||||
# keycape → mfa :8080 (privacyIDEA MFA check and token validation)
|
||||
# keycape → mfa :5001 (privacyIDEA MFA check and token validation)
|
||||
# authelia → lldap :3890 (LDAP authentication backend)
|
||||
# all pods → kube-dns :53 (DNS resolution)
|
||||
#
|
||||
@@ -201,7 +201,7 @@ spec:
|
||||
- port: 3890
|
||||
protocol: TCP
|
||||
---
|
||||
# ── KeyCape egress → privacyIDEA (mfa namespace) :8080 ───────────────────────
|
||||
# ── KeyCape egress → privacyIDEA (mfa namespace) :5001 ───────────────────────
|
||||
# KeyCape calls privacyIDEA to check and validate MFA tokens.
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
@@ -220,7 +220,7 @@ spec:
|
||||
matchLabels:
|
||||
net-kingdom/component: mfa
|
||||
ports:
|
||||
- port: 8080
|
||||
- port: 5001
|
||||
protocol: TCP
|
||||
---
|
||||
# ── Authelia egress → LLDAP (within sso namespace) ───────────────────────────
|
||||
|
||||
Reference in New Issue
Block a user