generated from coulomb/repo-seed
namespaces/namespaces.yaml:
- sso, mfa, databases with net-kingdom/component labels for NetworkPolicy selectors
network-policies/{netpol-sso,netpol-mfa,netpol-databases}.yaml:
- Default-deny-all posture on all three namespaces
- sso: ingress from Traefik; egress to databases:5432 and mfa:8080
- mfa: ingress from Traefik + Keycloak; egress to databases:5432
- databases: ingress from sso/mfa + CNPG operator; egress to kube-dns + K8s API
- DNS (kube-system:53) allowed for all pods in all namespaces
cert-manager/issuers.yaml:
- selfsigned-issuer (ClusterIssuer) for internal/test use
- letsencrypt-prod (ClusterIssuer, HTTP-01/Traefik) — fill ACME_EMAIL before apply
cert-manager/test-certificate.yaml:
- 24h self-signed cert to smoke-test cert-manager
storage/verify-pvc.yaml:
- Test PVC + Pod to confirm default StorageClass provisioning
verify-t02.sh:
- Full verification script: namespaces, NetworkPolicies, issuers, certs, StorageClass
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
113 lines
3.2 KiB
YAML
113 lines
3.2 KiB
YAML
# NetworkPolicies for the mfa namespace (privacyIDEA)
|
|
#
|
|
# Allowed paths:
|
|
# INGRESS: Traefik (kube-system) → privacyIDEA :8080 (user-facing portal)
|
|
# INGRESS: Keycloak (sso) → privacyIDEA :8080 (Provider API calls)
|
|
# EGRESS: privacyIDEA → databases :5432 (PostgreSQL)
|
|
# EGRESS: all pods → kube-dns :53 (UDP+TCP)
|
|
#
|
|
# Everything else is denied.
|
|
|
|
# ── Default deny all ingress and egress ──────────────────────────────────────
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: default-deny-all
|
|
namespace: mfa
|
|
spec:
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
- Egress
|
|
---
|
|
# ── Allow ingress from Traefik ───────────────────────────────────────────────
|
|
# pi.yourdomain.com and pi-account.yourdomain.com both terminate at Traefik.
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-ingress-from-traefik
|
|
namespace: mfa
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: privacyidea
|
|
policyTypes:
|
|
- Ingress
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: kube-system
|
|
podSelector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: traefik
|
|
ports:
|
|
- port: 8080
|
|
protocol: TCP
|
|
---
|
|
# ── Allow ingress from Keycloak (Provider API calls) ─────────────────────────
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-ingress-from-keycloak
|
|
namespace: mfa
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: privacyidea
|
|
policyTypes:
|
|
- Ingress
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
net-kingdom/component: sso
|
|
podSelector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: keycloak
|
|
ports:
|
|
- port: 8080
|
|
protocol: TCP
|
|
---
|
|
# ── Allow egress to PostgreSQL ───────────────────────────────────────────────
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-egress-to-postgres
|
|
namespace: mfa
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: privacyidea
|
|
policyTypes:
|
|
- Egress
|
|
egress:
|
|
- to:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
net-kingdom/component: databases
|
|
ports:
|
|
- port: 5432
|
|
protocol: TCP
|
|
---
|
|
# ── Allow egress DNS (all pods) ──────────────────────────────────────────────
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-egress-dns
|
|
namespace: mfa
|
|
spec:
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Egress
|
|
egress:
|
|
- to:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: kube-system
|
|
ports:
|
|
- port: 53
|
|
protocol: UDP
|
|
- port: 53
|
|
protocol: TCP
|