net-kingdom/sso-mfa/k8s/network-policies/netpol-mfa.yaml
tegwick ee794a61ab feat(sso-mfa): T02 K8s foundations manifests (NK-WP-0001-T02)
namespaces/namespaces.yaml:
  - sso, mfa, databases with net-kingdom/component labels for NetworkPolicy selectors

network-policies/{netpol-sso,netpol-mfa,netpol-databases}.yaml:
  - Default-deny-all posture on all three namespaces
  - sso: ingress from Traefik; egress to databases:5432 and mfa:8080
  - mfa: ingress from Traefik + Keycloak; egress to databases:5432
  - databases: ingress from sso/mfa + CNPG operator; egress to kube-dns + K8s API
  - DNS (kube-system:53) allowed for all pods in all namespaces

cert-manager/issuers.yaml:
  - selfsigned-issuer (ClusterIssuer) for internal/test use
  - letsencrypt-prod (ClusterIssuer, HTTP-01/Traefik) — fill ACME_EMAIL before apply
cert-manager/test-certificate.yaml:
  - 24h self-signed cert to smoke-test cert-manager

storage/verify-pvc.yaml:
  - Test PVC + Pod to confirm default StorageClass provisioning

verify-t02.sh:
  - Full verification script: namespaces, NetworkPolicies, issuers, certs, StorageClass

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-02 09:49:39 +01:00


# NetworkPolicies for the mfa namespace (privacyIDEA)
#
# Traffic that is permitted (everything else is dropped by default-deny-all):
#   INGRESS  Traefik (kube-system)  -> privacyIDEA :8080/TCP  (user-facing portal)
#   INGRESS  Keycloak (sso)         -> privacyIDEA :8080/TCP  (Provider API calls)
#   EGRESS   privacyIDEA            -> databases :5432/TCP    (PostgreSQL)
#   EGRESS   every pod              -> kube-system :53        (DNS, UDP and TCP)
#
# Reading note: a `from`/`to` item that carries both a namespaceSelector and a
# podSelector matches only pods satisfying BOTH selectors. Splitting the two
# selectors into separate list items ORs them and widens the rule, so the
# indentation of those items is security-relevant.
---
# ── Default deny all ingress and egress ──
# The empty podSelector selects every pod in the namespace. Declaring both
# policy types with no ingress/egress rules allows nothing; the policies
# that follow add the permitted paths on top of this baseline.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: mfa
  name: default-deny-all
spec:
  policyTypes:
    - Ingress
    - Egress
  podSelector: {}
---
# ── Allow ingress from Traefik ──
# pi.yourdomain.com and pi-account.yourdomain.com both terminate at Traefik.
# The single `from` item requires the kube-system namespace AND the traefik
# pod label. Keep it as one item: two items would also admit every pod in
# kube-system and any pod labelled traefik in any namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: mfa
  name: allow-ingress-from-traefik
spec:
  policyTypes:
    - Ingress
  # Only the privacyIDEA pods are opened; other pods in mfa stay default-deny.
  podSelector:
    matchLabels:
      app.kubernetes.io/name: privacyidea
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      # Only the application port; nothing else on the pod is reachable.
      ports:
        - protocol: TCP
          port: 8080
---
# ── Allow ingress from Keycloak (Provider API calls) ──
# The namespace is matched by the custom `net-kingdom/component` label that
# namespaces.yaml applies, not by name. If that label is absent from the sso
# namespace the selector matches nothing and the rule fails closed.
# As above, namespaceSelector and podSelector are one `from` item (AND).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: mfa
  name: allow-ingress-from-keycloak
spec:
  policyTypes:
    - Ingress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: privacyidea
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              net-kingdom/component: sso
          podSelector:
            matchLabels:
              app.kubernetes.io/name: keycloak
      ports:
        - protocol: TCP
          port: 8080
---
# ── Allow egress to PostgreSQL ──
# Egress-only policy for the privacyIDEA pods: 5432/TCP towards any pod in a
# namespace labelled `net-kingdom/component: databases`. There is no
# podSelector in the `to` item, so every pod in that namespace is reachable on
# 5432, not just the database pods.
# TODO(review): once the CNPG-managed PostgreSQL pod labels are confirmed,
# add a podSelector to this `to` item to narrow the destination further.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: mfa
  name: allow-egress-to-postgres
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: privacyidea
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              net-kingdom/component: databases
      ports:
        - protocol: TCP
          port: 5432
---
# ── Allow egress DNS (all pods) ──
# Applies to every pod in mfa (empty podSelector) and only to egress; ingress
# is untouched. Port 53 is opened on UDP and TCP because resolvers fall back to
# TCP for large responses.
# The `to` item selects the whole kube-system namespace, so any kube-system
# pod listening on 53 is reachable. This can be narrowed with a podSelector
# on the DNS pods (commonly `k8s-app: kube-dns`) — confirm the label used on
# this cluster before tightening, or DNS will break for the whole namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: mfa
  name: allow-egress-dns
spec:
  policyTypes:
    - Egress
  podSelector: {}
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53