---
# NetworkPolicies for the sso namespace (KeyCape + Authelia + LLDAP)
#
# Workloads in this namespace:
#   keycape  - OIDC orchestration layer (:8080)
#   authelia - authentication frontend (:9091)
#   lldap    - LDAP directory (:3890 LDAP, :17170 web UI)
#
# Ingress that is allowed:
#   Traefik  -> keycape  :8080   (OIDC endpoints, user-facing)
#   Traefik  -> authelia :9091   (login portal, user-facing)
#   Traefik  -> lldap    :17170  (admin web UI; IP-restricted at the Traefik layer)
#
# Egress that is allowed:
#   keycape  -> authelia :9091   (OIDC callback orchestration)
#   keycape  -> lldap    :3890   (LDAP user lookups)
#   keycape  -> mfa      :8080   (privacyIDEA MFA check and token validation)
#   authelia -> lldap    :3890   (LDAP authentication backend)
#   all pods -> kube-dns :53     (DNS resolution)
#
# No egress to the databases namespace: KeyCape is stateless and LLDAP keeps
# its SQLite store on a PVC (no external DB needed in lightweight mode).
#
# Everything not listed above is dropped by default-deny-all. LLDAP in
# particular has no egress rule of its own beyond DNS, which is intended.
# NetworkPolicies are additive: each later document only widens what
# default-deny-all closes, and a pod matched by several policies gets the
# union of their rules.

# --- Default deny: all ingress and egress for every pod in sso ---------------
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: sso
spec:
  policyTypes:
    - Ingress
    - Egress
  # Empty selector matches every pod in the namespace.
  podSelector: {}
---
# --- Traefik -> KeyCape :8080 ------------------------------------------------
# namespaceSelector and podSelector live in the same `from` entry, so both
# must match (AND): only Traefik pods in kube-system, not the whole namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-traefik-to-keycape
  namespace: sso
spec:
  policyTypes:
    - Ingress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: keycape
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - protocol: TCP
          port: 8080
---
# --- Traefik -> Authelia :9091 -----------------------------------------------
# Same AND-shaped `from` entry as above: Traefik pods in kube-system only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-traefik-to-authelia
  namespace: sso
spec:
  policyTypes:
    - Ingress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: authelia
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - protocol: TCP
          port: 9091
---
# --- Traefik -> LLDAP :17170 (admin web UI) ----------------------------------
# This policy only opens the port. The source-IP restriction is enforced by
# the lldap-admin-allowlist middleware in lldap/middleware.yaml at the Traefik
# layer, so the admin UI is exactly as protected as that middleware: any
# change there changes who can reach LLDAP's web UI.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-traefik-to-lldap-ui
  namespace: sso
spec:
  policyTypes:
    - Ingress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: lldap
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - protocol: TCP
          port: 17170
---
# --- KeyCape -> Authelia :9091 (ingress side) --------------------------------
# KeyCape redirects the browser to Authelia and exchanges auth codes at /token.
# A bare podSelector in `from` means pods in this namespace (sso) only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-keycape-to-authelia
  namespace: sso
spec:
  policyTypes:
    - Ingress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: authelia
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: keycape
      ports:
        - protocol: TCP
          port: 9091
---
# --- KeyCape -> LLDAP :3890 (ingress side) -----------------------------------
# KeyCape queries LLDAP for user attributes after authentication.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-keycape-to-lldap
  namespace: sso
spec:
  policyTypes:
    - Ingress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: lldap
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: keycape
      ports:
        - protocol: TCP
          port: 3890
---
# --- Authelia -> LLDAP :3890 (ingress side) ----------------------------------
# Authelia binds to LLDAP to validate credentials and resolve group membership.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-authelia-to-lldap
  namespace: sso
spec:
  policyTypes:
    - Ingress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: lldap
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: authelia
      ports:
        - protocol: TCP
          port: 3890
---
# --- KeyCape egress -> Authelia + LLDAP (within sso) -------------------------
# Egress counterpart of the two ingress policies above; both sides are needed
# because default-deny-all closes Egress as well as Ingress.
# NOTE(review): nothing in this file allows KeyCape egress to Traefik. If
# KeyCape is configured with Authelia's public hostname instead of the
# in-cluster address, that traffic would route via Traefik and be dropped
# by default-deny-all -- confirm against the KeyCape configuration.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-keycape-egress-internal
  namespace: sso
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: keycape
  egress:
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: authelia
      ports:
        - protocol: TCP
          port: 9091
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: lldap
      ports:
        - protocol: TCP
          port: 3890
---
# --- KeyCape egress -> privacyIDEA (mfa namespace) :8080 ---------------------
# KeyCape calls privacyIDEA to check and validate MFA tokens.
# NOTE(review): the selector admits every pod in any namespace labelled
# net-kingdom/component=mfa, on :8080. Pairing it with a podSelector for the
# privacyIDEA pods (their label is not visible in this file) would narrow it.
# NOTE(review): this opens only the sso side; if the mfa namespace carries its
# own default-deny, a matching ingress rule from sso is needed there -- confirm.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-keycape-egress-to-privacyidea
  namespace: sso
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: keycape
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              net-kingdom/component: mfa
      ports:
        - protocol: TCP
          port: 8080
---
# --- Authelia egress -> LLDAP (within sso) -----------------------------------
# Egress counterpart of allow-authelia-to-lldap.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-authelia-egress-to-lldap
  namespace: sso
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: authelia
  egress:
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: lldap
      ports:
        - protocol: TCP
          port: 3890
---
# --- DNS egress for every pod in sso -----------------------------------------
# Both UDP and TCP are listed because resolvers fall back to TCP for large
# responses.
# NOTE(review): the `to` entry admits any pod in kube-system on :53, not only
# the DNS pods. Adding a podSelector for the cluster's DNS pod label
# (<dns-pod-label>, not shown in this file) would narrow it to kube-dns/CoreDNS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-dns
  namespace: sso
spec:
  policyTypes:
    - Egress
  podSelector: {}
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53