Files
net-kingdom/sso-mfa/k8s/network-policies/netpol-databases.yaml
tegwick ee794a61ab feat(sso-mfa): T02 K8s foundations manifests (NK-WP-0001-T02)
namespaces/namespaces.yaml:
  - sso, mfa, databases with net-kingdom/component labels for NetworkPolicy selectors

network-policies/{netpol-sso,netpol-mfa,netpol-databases}.yaml:
  - Default-deny-all posture on all three namespaces
  - sso: ingress from Traefik; egress to databases:5432 and mfa:8080
  - mfa: ingress from Traefik + Keycloak; egress to databases:5432
  - databases: ingress from sso/mfa + CNPG operator; egress to kube-dns + K8s API
  - DNS (kube-system:53) allowed for all pods in all namespaces

cert-manager/issuers.yaml:
  - selfsigned-issuer (ClusterIssuer) for internal/test use
  - letsencrypt-prod (ClusterIssuer, HTTP-01/Traefik) — fill ACME_EMAIL before apply
cert-manager/test-certificate.yaml:
  - 24h self-signed cert to smoke-test cert-manager

storage/verify-pvc.yaml:
  - Test PVC + Pod to confirm default StorageClass provisioning

verify-t02.sh:
  - Full verification script: namespaces, NetworkPolicies, issuers, certs, StorageClass

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-02 09:49:39 +01:00

137 lines
4.1 KiB
YAML

# NetworkPolicies for the databases namespace (PostgreSQL via CloudNativePG)
#
# Allowed paths:
# INGRESS: sso (Keycloak) → PostgreSQL :5432
# INGRESS: mfa (privacyIDEA) → PostgreSQL :5432
# EGRESS: all pods → kube-dns :53 (needed by CloudNativePG operator probes)
#
# Everything else is denied — in particular, no direct internet egress.
# CloudNativePG operator itself runs in its own namespace (cnpg-system) and
# needs access to the cluster API, not to the database port from here.
# ── Default deny all ingress and egress ──────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: databases
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
---
# ── Allow ingress from Keycloak ──────────────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-from-keycloak
namespace: databases
spec:
podSelector:
matchLabels:
# CloudNativePG sets cnpg.io/cluster=<cluster-name> on postgres pods.
# Adjust the cluster name to match your CloudNativePG Cluster CR name.
cnpg.io/cluster: net-kingdom-pg
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
net-kingdom/component: sso
podSelector:
matchLabels:
app.kubernetes.io/name: keycloak
ports:
- port: 5432
protocol: TCP
---
# ── Allow ingress from privacyIDEA ───────────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-from-privacyidea
namespace: databases
spec:
podSelector:
matchLabels:
cnpg.io/cluster: net-kingdom-pg
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
net-kingdom/component: mfa
podSelector:
matchLabels:
app.kubernetes.io/name: privacyidea
ports:
- port: 5432
protocol: TCP
---
# ── Allow ingress from CloudNativePG operator ────────────────────────────────
# The CNPG operator (in cnpg-system) manages the cluster and performs health
# probes. Without this, operator reconciliation fails.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-from-cnpg-operator
namespace: databases
spec:
podSelector:
matchLabels:
cnpg.io/cluster: net-kingdom-pg
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: cnpg-system
ports:
- port: 5432
protocol: TCP
- port: 9187 # CloudNativePG metrics exporter
protocol: TCP
---
# ── Allow egress DNS (all pods) ──────────────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-dns
namespace: databases
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
---
# ── Allow egress to K8s API (CNPG operator needs it from the pods) ───────────
# CloudNativePG instance pods post status updates to the API server.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-kube-api
namespace: databases
spec:
podSelector:
matchLabels:
cnpg.io/cluster: net-kingdom-pg
policyTypes:
- Egress
egress:
- ports:
- port: 6443
protocol: TCP