Files
net-kingdom/sso-mfa/k8s/network-policies/netpol-mfa.yaml
Bernd Worsch afbf968c76 fix(privacyidea): bootstrap-realm scope fixes + netpol for PI→LLDAP
bootstrap-realm.sh:
- Remove Content-Type header from GET requests (Werkzeug 3.x BadRequest fix)
- Fix resolver type check — result path is result.value.<name>.type, not .data
- Fix self-enrollment policy scope: 'user' not 'enrollment' (PI 3.12)

NetworkPolicies:
- allow-egress-to-lldap (mfa ns): privacyIDEA → LLDAP :3890
- allow-privacyidea-to-lldap (sso ns): ingress from mfa/privacyIDEA → LLDAP :3890

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-25 11:49:26 +00:00

165 lines
4.7 KiB
YAML

# NetworkPolicies for the mfa namespace (privacyIDEA)
#
# Allowed paths:
# INGRESS: Traefik (kube-system) → privacyIDEA :8080 (user-facing portal)
# INGRESS: KeyCape (sso) → privacyIDEA :8080 (Provider API calls)
# EGRESS: privacyIDEA → databases :5432 (PostgreSQL)
# EGRESS: privacyIDEA → sso/lldap :3890 (LDAP resolver for realm)
# EGRESS: all pods → kube-dns :53 (UDP+TCP)
#
# Everything else is denied.
# ── Default deny all ingress and egress ──────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: mfa
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
---
# ── Allow ingress from Traefik ───────────────────────────────────────────────
# pink.coulomb.social and pink-account.coulomb.social both terminate at Traefik.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-from-traefik
namespace: mfa
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: privacyidea
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
app.kubernetes.io/name: traefik
ports:
- port: 8080
protocol: TCP
---
# ── Allow ingress from KeyCape (Provider API calls) ──────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-from-keycape
namespace: mfa
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: privacyidea
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
net-kingdom/component: sso
podSelector:
matchLabels:
app.kubernetes.io/name: keycape
ports:
- port: 8080
protocol: TCP
---
# ── Allow egress to PostgreSQL ───────────────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-to-postgres
namespace: mfa
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: privacyidea
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
net-kingdom/component: databases
ports:
- port: 5432
protocol: TCP
---
# ── privacyIDEA → LLDAP :3890 ────────────────────────────────────────────────
# privacyIDEA's LDAP resolver binds to LLDAP to resolve users in the coulomb realm.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-to-lldap
namespace: mfa
labels:
net-kingdom/component: mfa
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: privacyidea
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
net-kingdom/component: sso
podSelector:
matchLabels:
app.kubernetes.io/name: lldap
ports:
- port: 3890
protocol: TCP
---
# ── Traefik → ACME HTTP-01 solver pods :8089 ─────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-traefik-to-acme-solver
namespace: mfa
spec:
podSelector:
matchLabels:
acme.cert-manager.io/http01-solver: "true"
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
app.kubernetes.io/name: traefik
ports:
- port: 8089
protocol: TCP
---
# ── Allow egress DNS (all pods) ──────────────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-dns
namespace: mfa
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP