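# NetworkPolicies for the databases namespace (PostgreSQL via CloudNativePG)
#
# Allowed paths — everything else is denied by default-deny-all, in particular
# any direct internet egress:
#
#   INGRESS:        sso (Keycloak)        → PostgreSQL instance pods :5432
#   INGRESS:        mfa (privacyIDEA)     → PostgreSQL instance pods :5432
#   INGRESS:        cnpg-system operator  → instance pods :5432, :8000, :9187
#   INGRESS+EGRESS: instance pods         ↔ instance pods :5432 (streaming replication)
#   EGRESS:         all pods              → kube-dns :53 (instance pods resolve peers,
#                                            services and the API server by name)
#   EGRESS:         instance pods         → Kubernetes API :6443
#
# The CloudNativePG operator runs in its own namespace (cnpg-system); its own
# egress is governed by policies there, not here. The policies in this file
# only open, on the instance pods, the ports the operator reaches *in* on.
#
# NOTE(review): if the Cluster CR has backups to object storage (barman) or a
# replica cluster configured, the instance pods additionally need egress to
# that endpoint. Add a dedicated policy for it rather than loosening
# default-deny-all.

# ── Default deny all ingress and egress ────────────────────────────────────
# Empty podSelector = every pod in the namespace. Listing both policyTypes is
# what makes this a true deny-all: a policy that lists only Ingress would leave
# egress wide open.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: databases
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# ── Allow ingress from Keycloak ────────────────────────────────────────────
# namespaceSelector and podSelector inside the SAME `from` entry are ANDed:
# only pods labelled keycloak in the namespace labelled component=sso may
# connect, not every pod in that namespace. Keep them in one entry — splitting
# them into two list items would OR them and widen the rule.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-keycloak
  namespace: databases
spec:
  podSelector:
    matchLabels:
      # CloudNativePG sets cnpg.io/cluster=<Cluster CR name> on postgres pods.
      # Adjust the cluster name to match your CloudNativePG Cluster CR name.
      cnpg.io/cluster: net-kingdom-pg
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              net-kingdom/component: sso
          podSelector:
            matchLabels:
              app.kubernetes.io/name: keycloak
      ports:
        - port: 5432
          protocol: TCP
---
# ── Allow ingress from privacyIDEA ─────────────────────────────────────────
# Same shape as the Keycloak rule: namespace label AND pod label, port 5432 only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-privacyidea
  namespace: databases
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: net-kingdom-pg
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              net-kingdom/component: mfa
          podSelector:
            matchLabels:
              app.kubernetes.io/name: privacyidea
      ports:
        - port: 5432
          protocol: TCP
---
# ── Allow ingress from CloudNativePG operator ──────────────────────────────
# The CNPG operator (in cnpg-system) manages the cluster and performs health
# probes. Without this, operator reconciliation fails.
#
# This rule matches every pod in cnpg-system (namespace label only). If that
# namespace hosts anything besides the operator, add a podSelector for the
# operator's pod labels to narrow it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-cnpg-operator
  namespace: databases
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: net-kingdom-pg
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: cnpg-system
      ports:
        # NOTE(review): an earlier revision of this file's header stated the
        # operator does NOT need the database port, yet this rule grants it.
        # Confirm against your CNPG version; if the operator only drives the
        # instance through the manager API on :8000, drop 5432 here
        # (least privilege).
        - port: 5432
          protocol: TCP
        # CloudNativePG instance manager HTTP API (used for status extraction)
        - port: 8000
          protocol: TCP
        # CloudNativePG metrics exporter. NOTE(review): metrics are normally
        # scraped by the monitoring stack, not by the operator; if Prometheus
        # runs in another namespace give it its own ingress policy for :9187
        # and remove the port from this rule.
        - port: 9187
          protocol: TCP
---
# ── Allow intra-cluster replication between CNPG instance pods ─────────────
# Replicas stream WAL from the primary on :5432, and the primary role moves
# between pods on switchover/failover. With default-deny-all in place BOTH
# ingress and egress between the instance pods must be opened, or a Cluster
# with `instances > 1` cannot bootstrap its replicas. Harmless for a
# single-instance cluster. A podSelector without a namespaceSelector matches
# pods in this namespace only.
#
# NOTE(review): if replica bootstrap still fails, the instance manager may
# also need peer access on :8000 — verify against your CNPG version before
# adding it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-cnpg-instance-replication
  namespace: databases
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: net-kingdom-pg
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              cnpg.io/cluster: net-kingdom-pg
      ports:
        - port: 5432
          protocol: TCP
  egress:
    - to:
        - podSelector:
            matchLabels:
              cnpg.io/cluster: net-kingdom-pg
      ports:
        - port: 5432
          protocol: TCP
---
# ── Allow egress DNS (all pods) ────────────────────────────────────────────
# Scoped to the DNS pods themselves rather than the whole kube-system
# namespace: without the podSelector, every pod here could reach any
# kube-system workload that happens to listen on :53.
# `k8s-app: kube-dns` is the label upstream CoreDNS/kube-dns manifests carry;
# adjust it if your cluster's DNS pods are labelled differently — a mismatch
# breaks name resolution for the whole namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-dns
  namespace: databases
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
---
# ── Allow egress to K8s API (CNPG instance pods need it) ───────────────────
# CloudNativePG instance pods post status updates to the API server.
#
# No `to` block: this allows TCP/6443 to ANY destination, including outside
# the cluster, because the API server endpoint is not a pod or namespace that
# a selector can match. Pin it once the endpoint is known, e.g.
#   to:
#     - ipBlock:
#         cidr: <api-server-ip>/32
# NOTE(review): some clusters expose the API on :443 instead of :6443, and
# whether the CNI evaluates the policy before or after the kubernetes.default
# Service DNAT is CNI-specific — verify which port/address the instance pods
# actually hit before tightening.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-kube-api
  namespace: databases
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: net-kingdom-pg
  policyTypes:
    - Egress
  egress:
    - ports:
        - port: 6443
          protocol: TCP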