generated from coulomb/repo-seed
fix(sso-mfa): NK-WP-0003-T04 — correct privacyIDEA image and port
privacyidea/privacyidea:3.12 does not exist on Docker Hub. Correct image: privacyidea/otpserver:3.12.2 (port 5001). Updated files: - deployment.yaml: image, containerPort, probes, service port - ingress.yaml: backend service port - netpol-mfa.yaml: ingress port + keycloak → keycape label - netpol-sso.yaml: KeyCape egress port to privacyIDEA Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1,8 +1,8 @@
|
||||
# NetworkPolicies for the mfa namespace (privacyIDEA)
|
||||
#
|
||||
# Allowed paths:
|
||||
# INGRESS: Traefik (kube-system) → privacyIDEA :8080 (user-facing portal)
|
||||
# INGRESS: Keycloak (sso) → privacyIDEA :8080 (Provider API calls)
|
||||
# INGRESS: Traefik (kube-system) → privacyIDEA :5001 (user-facing portal)
|
||||
# INGRESS: KeyCape (sso) → privacyIDEA :5001 (Provider API calls)
|
||||
# EGRESS: privacyIDEA → databases :5432 (PostgreSQL)
|
||||
# EGRESS: all pods → kube-dns :53 (UDP+TCP)
|
||||
#
|
||||
@@ -42,14 +42,14 @@ spec:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: traefik
|
||||
ports:
|
||||
- port: 8080
|
||||
- port: 5001
|
||||
protocol: TCP
|
||||
---
|
||||
# ── Allow ingress from Keycloak (Provider API calls) ─────────────────────────
|
||||
# ── Allow ingress from KeyCape (Provider API calls) ──────────────────────────
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: allow-ingress-from-keycloak
|
||||
name: allow-ingress-from-keycape
|
||||
namespace: mfa
|
||||
spec:
|
||||
podSelector:
|
||||
@@ -64,9 +64,9 @@ spec:
|
||||
net-kingdom/component: sso
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: keycloak
|
||||
app.kubernetes.io/name: keycape
|
||||
ports:
|
||||
- port: 8080
|
||||
- port: 5001
|
||||
protocol: TCP
|
||||
---
|
||||
# ── Allow egress to PostgreSQL ───────────────────────────────────────────────
|
||||
|
||||
Reference in New Issue
Block a user