This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
net-kingdom/sso-mfa/k8s/network-policies/netpol-sso.yaml
Bernd Worsch afbf968c76 fix(privacyidea): bootstrap-realm scope fixes + netpol for PI→LLDAP
bootstrap-realm.sh:
- Remove Content-Type header from GET requests (Werkzeug 3.x BadRequest fix)
- Fix resolver type check — result path is result.value.<name>.type, not .data
- Fix self-enrollment policy scope: 'user' not 'enrollment' (PI 3.12)

NetworkPolicies:
- allow-egress-to-lldap (mfa ns): privacyIDEA → LLDAP :3890
- allow-privacyidea-to-lldap (sso ns): ingress from mfa/privacyIDEA → LLDAP :3890

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-25 11:49:26 +00:00

320 lines
9.3 KiB
YAML

# NetworkPolicies for the sso namespace (KeyCape + Authelia + LLDAP)
#
# Components in this namespace:
# keycape — OIDC orchestration layer (port 8080)
# authelia — authentication frontend (port 9091)
# lldap — LDAP directory (port 3890 LDAP, port 17170 Web UI)
#
# Allowed ingress paths:
# Traefik → keycape :8080 (OIDC endpoints, user-facing)
# Traefik → authelia :9091 (login portal, user-facing)
# Traefik → lldap :17170 (admin web UI; IP-restricted at Traefik layer)
#
# Allowed egress paths:
# keycape → authelia :9091 (OIDC callback orchestration)
# keycape → lldap :3890 (LDAP user lookups)
# keycape → mfa :8080 (privacyIDEA MFA check and token validation)
# authelia → lldap :3890 (LDAP authentication backend)
# all pods → kube-dns :53 (DNS resolution)
#
# No egress to databases namespace — KeyCape is stateless;
# LLDAP uses SQLite on a PVC (no external DB needed in lightweight mode).
# ── Default deny all ingress and egress ──────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: sso
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
---
# ── Traefik → KeyCape :8080 ───────────────────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-traefik-to-keycape
namespace: sso
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: keycape
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
app.kubernetes.io/name: traefik
ports:
- port: 8080
protocol: TCP
---
# ── Traefik → Authelia :9091 ──────────────────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-traefik-to-authelia
namespace: sso
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: authelia
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
app.kubernetes.io/name: traefik
ports:
- port: 9091
protocol: TCP
---
# ── Traefik → LLDAP :17170 (admin web UI) ────────────────────────────────────
# IP-based restriction is enforced at the Traefik layer (lldap-admin-allowlist
# middleware in lldap/middleware.yaml). This NetworkPolicy opens the port;
# Traefik enforces the IP allowlist before traffic reaches LLDAP.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-traefik-to-lldap-ui
namespace: sso
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: lldap
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
app.kubernetes.io/name: traefik
ports:
- port: 17170
protocol: TCP
---
# ── KeyCape → Authelia :9091 ──────────────────────────────────────────────────
# KeyCape redirects the browser to Authelia and exchanges auth codes at /token.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-keycape-to-authelia
namespace: sso
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: authelia
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: keycape
ports:
- port: 9091
protocol: TCP
---
# ── KeyCape → LLDAP :3890 ────────────────────────────────────────────────────
# KeyCape queries LLDAP for user attributes after authentication.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-keycape-to-lldap
namespace: sso
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: lldap
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: keycape
ports:
- port: 3890
protocol: TCP
---
# ── Authelia → LLDAP :3890 ───────────────────────────────────────────────────
# Authelia binds to LLDAP to validate credentials and resolve group membership.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-authelia-to-lldap
namespace: sso
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: lldap
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: authelia
ports:
- port: 3890
protocol: TCP
---
# ── privacyIDEA (mfa ns) → LLDAP :3890 ──────────────────────────────────────
# privacyIDEA's LDAP resolver binds to LLDAP to resolve users in the coulomb realm.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-privacyidea-to-lldap
namespace: sso
labels:
net-kingdom/component: sso
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: lldap
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
net-kingdom/component: mfa
podSelector:
matchLabels:
app.kubernetes.io/name: privacyidea
ports:
- port: 3890
protocol: TCP
---
# ── KeyCape egress → Authelia + LLDAP (within sso namespace) ─────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-keycape-egress-internal
namespace: sso
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: keycape
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
app.kubernetes.io/name: authelia
ports:
- port: 9091
protocol: TCP
- to:
- podSelector:
matchLabels:
app.kubernetes.io/name: lldap
ports:
- port: 3890
protocol: TCP
---
# ── KeyCape egress → privacyIDEA (mfa namespace) :8080 ───────────────────────
# KeyCape calls privacyIDEA to check and validate MFA tokens.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-keycape-egress-to-privacyidea
namespace: sso
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: keycape
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
net-kingdom/component: mfa
ports:
- port: 8080
protocol: TCP
---
# ── Authelia egress → LLDAP (within sso namespace) ───────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-authelia-egress-to-lldap
namespace: sso
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: authelia
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
app.kubernetes.io/name: lldap
ports:
- port: 3890
protocol: TCP
---
# ── Traefik → ACME HTTP-01 solver pods :8089 ─────────────────────────────────
# cert-manager creates temporary solver pods during TLS cert issuance.
# default-deny-all blocks Traefik from reaching them; this policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-traefik-to-acme-solver
namespace: sso
spec:
podSelector:
matchLabels:
acme.cert-manager.io/http01-solver: "true"
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
app.kubernetes.io/name: traefik
ports:
- port: 8089
protocol: TCP
---
# ── Allow egress DNS (all pods) ──────────────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-dns
namespace: sso
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP