generated from coulomb/repo-seed
namespaces/namespaces.yaml:
- sso, mfa, databases with net-kingdom/component labels for NetworkPolicy selectors
network-policies/{netpol-sso,netpol-mfa,netpol-databases}.yaml:
- Default-deny-all posture on all three namespaces
- sso: ingress from Traefik; egress to databases:5432 and mfa:8080
- mfa: ingress from Traefik + Keycloak; egress to databases:5432
- databases: ingress from sso/mfa + CNPG operator; egress to kube-dns + K8s API
- DNS (kube-system:53) allowed for all pods in all namespaces
cert-manager/issuers.yaml:
- selfsigned-issuer (ClusterIssuer) for internal/test use
- letsencrypt-prod (ClusterIssuer, HTTP-01/Traefik) — fill ACME_EMAIL before apply
cert-manager/test-certificate.yaml:
- 24h self-signed cert to smoke-test cert-manager
storage/verify-pvc.yaml:
- Test PVC + Pod to confirm default StorageClass provisioning
verify-t02.sh:
- Full verification script: namespaces, NetworkPolicies, issuers, certs, StorageClass
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
# NetworkPolicies for the databases namespace (PostgreSQL via CloudNativePG)
#
# Allowed paths:
#   INGRESS: sso (Keycloak)      → PostgreSQL :5432
#   INGRESS: mfa (privacyIDEA)   → PostgreSQL :5432
#   INGRESS: cnpg-system         → PostgreSQL :5432 and metrics :9187 (see note)
#   EGRESS:  all pods            → kube-system :53 (DNS for service and API-server names)
#   EGRESS:  PostgreSQL pods     → TCP :6443 (API-server status updates; currently
#                                  not pinned to a destination — see that policy)
#
# Everything else is denied. Note that the kube-api egress rule below carries
# no `to:` selector, so "no direct internet egress" currently holds for every
# port except TCP/6443 until that rule is restricted to the control-plane address.
#
# The CloudNativePG operator itself runs in its own namespace (cnpg-system).
# NOTE(review): the operator ingress policy below opens 5432 from cnpg-system,
# while this header states the operator needs the cluster API rather than the
# database port — reconcile the two against the CNPG network-policy documentation
# for the operator version in use.
#
# NOTE(review): if the Cluster CR runs more than one instance, streaming
# replication between the instance pods (same cnpg.io/cluster label, :5432) is
# also blocked by default-deny and needs its own ingress rule — confirm against
# the Cluster spec.
# ── Default deny all ingress and egress ──────────────────────────────────────
# Baseline for the namespace: the empty podSelector matches every pod, and
# both policy types are declared with no rules, so nothing is allowed until a
# more specific policy below opens it. NetworkPolicies are additive, so this
# never conflicts with the allow rules that follow.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: databases
  name: default-deny-all
spec:
  policyTypes: ["Ingress", "Egress"]
  podSelector: {}
---
# ── Allow ingress from Keycloak ──────────────────────────────────────────────
# Only pods living in the namespace labelled net-kingdom/component=sso AND
# carrying app.kubernetes.io/name=keycloak may open TCP/5432 to the PostgreSQL
# pods. Both selectors sit in a single `from` element, so they are ANDed;
# splitting them into two list entries would OR them and widen the rule to the
# whole sso namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: databases
  name: allow-ingress-from-keycloak
spec:
  policyTypes:
    - Ingress
  podSelector:
    matchLabels:
      # CloudNativePG sets cnpg.io/cluster=<cluster-name> on postgres pods.
      # Adjust the cluster name to match your CloudNativePG Cluster CR name.
      cnpg.io/cluster: net-kingdom-pg
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              net-kingdom/component: sso
          podSelector:
            matchLabels:
              app.kubernetes.io/name: keycloak
      ports:
        - protocol: TCP
          port: 5432
---
# ── Allow ingress from privacyIDEA ───────────────────────────────────────────
# Mirror of the Keycloak rule for the mfa namespace: pods there labelled
# app.kubernetes.io/name=privacyidea may reach the PostgreSQL pods on TCP/5432.
# namespaceSelector and podSelector share one `from` element (ANDed) — keep it
# that way, or the rule opens to every pod in the mfa namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: databases
  name: allow-ingress-from-privacyidea
spec:
  policyTypes:
    - Ingress
  podSelector:
    matchLabels:
      # Must match the CloudNativePG Cluster CR name (cnpg.io/cluster label).
      cnpg.io/cluster: net-kingdom-pg
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              net-kingdom/component: mfa
          podSelector:
            matchLabels:
              app.kubernetes.io/name: privacyidea
      ports:
        - protocol: TCP
          port: 5432
---
# ── Allow ingress from CloudNativePG operator ────────────────────────────────
# The CNPG operator (in cnpg-system) manages the cluster and performs health
# probes. Without this, operator reconciliation fails.
#
# NOTE(review): this rule matches the whole cnpg-system namespace (there is no
# podSelector), so any pod scheduled there gets TCP/5432 and TCP/9187 to the
# database. Narrowing it to the operator pod's own labels is preferable — read
# them from the running deployment (`kubectl -n cnpg-system get pods
# --show-labels`) rather than guessing. The file header also says the operator
# does not need the database port; if that holds for your CNPG version, 5432
# can be dropped here. Confirm the ports the operator actually uses against
# the CNPG network-policy documentation before changing either.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: databases
  name: allow-ingress-from-cnpg-operator
spec:
  policyTypes:
    - Ingress
  podSelector:
    matchLabels:
      cnpg.io/cluster: net-kingdom-pg
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: cnpg-system
      ports:
        - protocol: TCP
          port: 5432
        - protocol: TCP
          port: 9187  # CloudNativePG metrics exporter
---
# ── Allow egress DNS (all pods) ──────────────────────────────────────────────
# Every pod in the namespace may send DNS queries (UDP and TCP 53) to pods in
# kube-system. No podSelector is set, so this reaches any kube-system pod that
# listens on 53, not only the cluster resolver.
# NOTE(review): adding a podSelector on the DNS pods' labels (commonly
# k8s-app=kube-dns, but this varies by distribution) would shrink the rule to
# the resolver itself — verify the label on your cluster before adding it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: databases
  name: allow-egress-dns
spec:
  policyTypes:
    - Egress
  podSelector: {}
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# ── Allow egress to K8s API (CNPG operator needs it from the pods) ───────────
# CloudNativePG instance pods post status updates to the API server.
#
# NOTE(review): this rule has a `ports` list but no `to:` selector, so the
# selected pods may open TCP/6443 to ANY destination, including the internet —
# it is the one gap in the "no direct internet egress" statement at the top of
# this file. Pin it to the control-plane endpoint(s) — find them with
# `kubectl get endpoints kubernetes -n default` — for example:
#
#   egress:
#     - to:
#         - ipBlock:
#             cidr: <control-plane-ip>/32
#       ports:
#         - protocol: TCP
#           port: 6443
#
# Also confirm the port: pods normally reach the API via the `kubernetes`
# ClusterIP on :443, and many CNIs apply egress policy after that address is
# translated to the endpoint, so the rule has to match the real endpoint IP
# and port on your cluster — verify with the CNI in use.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: databases
  name: allow-egress-kube-api
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      cnpg.io/cluster: net-kingdom-pg
  egress:
    - ports:
        - protocol: TCP
          port: 6443