generated from coulomb/repo-seed
Deploy privacyIDEA (MFA core) in the mfa namespace: - pvc.yaml: privacyidea-data (5Gi) and privacyidea-logs (2Gi) - configmap.yaml: pi.cfg reading secrets from env vars - deployment.yaml: Deployment + ClusterIP Service (port 8080) - middleware.yaml: Traefik RateLimit + admin IP AllowList - ingress.yaml: pink.coulomb.social (portal + admin), pink-account.coulomb.social (self-service) - create-secrets.sh: creates privacyidea-config Secret - enckey-bootstrap.sh: post-deploy key extraction + DR Secrets - bootstrap-admin.sh: pi-admin, trigger-admin, privacyidea-trigger-admin Secret - verify-t04.sh: 8-section done-criteria checker Config points CP-NK-002 (pink.coulomb.social) and CP-NK-003 (pink-account.coulomb.social) registered in CONFIG.md. pink = PrivacyIDEA Net Knights (project mnemonic). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
113 lines
3.2 KiB
YAML
113 lines
3.2 KiB
YAML
# NetworkPolicies for the mfa namespace (privacyIDEA)
|
|
#
|
|
# Allowed paths:
|
|
# INGRESS: Traefik (kube-system) → privacyIDEA :8080 (user-facing portal)
|
|
# INGRESS: Keycloak (sso) → privacyIDEA :8080 (Provider API calls)
|
|
# EGRESS: privacyIDEA → databases :5432 (PostgreSQL)
|
|
# EGRESS: all pods → kube-dns :53 (UDP+TCP)
|
|
#
|
|
# Everything else is denied.
|
|
|
|
# ── Default deny all ingress and egress ──────────────────────────────────────
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: default-deny-all
|
|
namespace: mfa
|
|
spec:
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
- Egress
|
|
---
|
|
# ── Allow ingress from Traefik ───────────────────────────────────────────────
|
|
# pink.coulomb.social and pink-account.coulomb.social both terminate at Traefik.
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-ingress-from-traefik
|
|
namespace: mfa
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: privacyidea
|
|
policyTypes:
|
|
- Ingress
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: kube-system
|
|
podSelector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: traefik
|
|
ports:
|
|
- port: 8080
|
|
protocol: TCP
|
|
---
|
|
# ── Allow ingress from Keycloak (Provider API calls) ─────────────────────────
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-ingress-from-keycloak
|
|
namespace: mfa
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: privacyidea
|
|
policyTypes:
|
|
- Ingress
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
net-kingdom/component: sso
|
|
podSelector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: keycloak
|
|
ports:
|
|
- port: 8080
|
|
protocol: TCP
|
|
---
|
|
# ── Allow egress to PostgreSQL ───────────────────────────────────────────────
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-egress-to-postgres
|
|
namespace: mfa
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: privacyidea
|
|
policyTypes:
|
|
- Egress
|
|
egress:
|
|
- to:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
net-kingdom/component: databases
|
|
ports:
|
|
- port: 5432
|
|
protocol: TCP
|
|
---
|
|
# ── Allow egress DNS (all pods) ──────────────────────────────────────────────
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-egress-dns
|
|
namespace: mfa
|
|
spec:
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Egress
|
|
egress:
|
|
- to:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: kube-system
|
|
ports:
|
|
- port: 53
|
|
protocol: UDP
|
|
- port: 53
|
|
protocol: TCP
|