generated from coulomb/repo-seed
bootstrap-realm.sh: - Remove Content-Type header from GET requests (Werkzeug 3.x BadRequest fix) - Fix resolver type check — result path is result.value.<name>.type, not .data - Fix self-enrollment policy scope: 'user' not 'enrollment' (PI 3.12) NetworkPolicies: - allow-egress-to-lldap (mfa ns): privacyIDEA → LLDAP :3890 - allow-privacyidea-to-lldap (sso ns): ingress from mfa/privacyIDEA → LLDAP :3890 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
# NetworkPolicies for the mfa namespace (privacyIDEA)
#
# Allowed paths:
# INGRESS: Traefik (kube-system) → privacyIDEA :8080 (user-facing portal)
# INGRESS: KeyCape (sso) → privacyIDEA :8080 (Provider API calls)
# INGRESS: Traefik (kube-system) → cert-manager HTTP-01 solver pods :8089 (ACME challenges)
# EGRESS: privacyIDEA → databases :5432 (PostgreSQL)
# EGRESS: privacyIDEA → sso/lldap :3890 (LDAP resolver for realm)
# EGRESS: all pods → kube-system :53 (UDP+TCP; intended for kube-dns, see allow-egress-dns)
#
# Everything else is denied.
#
# NetworkPolicies are additive: a connection is allowed as soon as any one
# policy below matches it, so every new policy widens the allowed set.

# ── Default deny all ingress and egress ──────────────────────────────────────
# The empty podSelector selects every pod in the namespace. Listing both
# policyTypes is what makes the deny cover egress as well as ingress; a policy
# that omits Egress would leave outbound traffic unrestricted.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: mfa
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# ── Allow ingress from Traefik ───────────────────────────────────────────────
# pink.coulomb.social and pink-account.coulomb.social both terminate at Traefik.
# namespaceSelector and podSelector sit in the same `from` entry, so both must
# match (a Traefik pod in kube-system); only 8080/TCP on the privacyidea pods
# is opened.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-traefik
  namespace: mfa
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: privacyidea
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - port: 8080
          protocol: TCP
---
# ── Allow ingress from KeyCape (Provider API calls) ──────────────────────────
# The source namespace is matched by the custom label net-kingdom/component=sso
# rather than by kubernetes.io/metadata.name, so any namespace carrying that
# label qualifies — presumably only the sso namespace; keep namespace labelling
# restricted to cluster admins so this cannot be widened from a tenant namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-keycape
  namespace: mfa
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: privacyidea
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              net-kingdom/component: sso
          podSelector:
            matchLabels:
              app.kubernetes.io/name: keycape
      ports:
        - port: 8080
          protocol: TCP
---
# ── Allow egress to PostgreSQL ───────────────────────────────────────────────
# No podSelector is given in the `to` entry, so privacyidea may reach ANY pod
# in a namespace labelled net-kingdom/component=databases on 5432/TCP, not just
# the PostgreSQL instance. TODO(review): add a podSelector for the PostgreSQL
# pods once their label is confirmed, to keep this to the one database.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-postgres
  namespace: mfa
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: privacyidea
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              net-kingdom/component: databases
      ports:
        - port: 5432
          protocol: TCP
---
# ── privacyIDEA → LLDAP :3890 ────────────────────────────────────────────────
# privacyIDEA's LDAP resolver binds to LLDAP to resolve users in the coulomb realm.
# This is only the egress half: the matching ingress policy
# (allow-privacyidea-to-lldap) lives in the sso namespace, and traffic flows
# only when both exist. 3890 is presumably LLDAP's plain (non-TLS) LDAP
# listener; if the resolver authenticates with a bind password, confirm that
# the connection is TLS-protected or that a TLS listener is used instead.
# NOTE(review): this is the only policy in the file with a metadata.labels
# block — either label the others the same way or drop it for consistency.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-lldap
  namespace: mfa
  labels:
    net-kingdom/component: mfa
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: privacyidea
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              net-kingdom/component: sso
          podSelector:
            matchLabels:
              app.kubernetes.io/name: lldap
      ports:
        - port: 3890
          protocol: TCP
---
# ── Traefik → ACME HTTP-01 solver pods :8089 ─────────────────────────────────
# Selects the short-lived cert-manager challenge pods by their solver label
# (the value is quoted so it stays a string, not a YAML boolean) and lets only
# Traefik reach them on 8089/TCP. No egress is granted to the solver pods here,
# so they remain under default-deny-all for outbound traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-traefik-to-acme-solver
  namespace: mfa
spec:
  podSelector:
    matchLabels:
      acme.cert-manager.io/http01-solver: "true"
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - port: 8089
          protocol: TCP
---
# ── Allow egress DNS (all pods) ──────────────────────────────────────────────
# Applies to every pod in the namespace (empty podSelector). The `to` entry has
# only a namespaceSelector, so port 53 is reachable on ANY pod in kube-system,
# not just the DNS service. TODO(review): narrow it with a podSelector on the
# cluster's DNS pods once their label is confirmed (commonly k8s-app=kube-dns,
# but verify in this cluster before adding — a wrong label breaks name
# resolution for the whole namespace).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-dns
  namespace: mfa
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP