net-kingdom/sso-mfa/k8s/network-policies/netpol-databases.yaml
Bernd Worsch 6d25d088d7 feat(sso-mfa): T02/T03 live apply — age-encrypted secrets, CNPG cluster (NK-WP-0001-T02/T03)
- Add encrypt-secrets.sh / decrypt-secrets.sh: age-based secrets workflow
  replaces KeePassXC dependency; encrypted .env.age files committed to repo
- Add bootstrap/secrets.enc/: all component secrets encrypted to age pubkey
- Fix .gitignore: allow secrets.enc/**/*.age while blocking plaintext
- Fix verify-t02.sh: update netpol names for Authelia+LLDAP+KeyCape stack
- Fix verify-t03.sh: remove keycloak_db/role checks; fix ((PASS++)) set-e bug
- Update postgresql/cluster.yaml: drop keycloak_db, bootstrap privacyidea_db only
- Update postgresql/create-secrets.sh: remove keycloak secret
- Fix netpol-databases.yaml: add port 8000 for CNPG instance manager HTTP API
- T02 COMPLETE: namespaces, network policies, cert-manager issuers applied
- T03 COMPLETE: CNPG operator installed, net-kingdom-pg cluster healthy

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 02:57:41 +00:00


# NetworkPolicies for the databases namespace (PostgreSQL via CloudNativePG)
#
# Allowed paths:
# INGRESS: sso (Keycloak) → PostgreSQL :5432
# INGRESS: mfa (privacyIDEA) → PostgreSQL :5432
# INGRESS: cnpg-system (operator) → PostgreSQL :5432, instance manager :8000, metrics :9187
# EGRESS: all pods → kube-dns :53 (needed by CloudNativePG operator probes)
# EGRESS: postgres pods → Kubernetes API :6443 (instance manager status updates)
#
# Everything else is denied — in particular, no direct internet egress.
# The CloudNativePG operator itself runs in its own namespace (cnpg-system); the
# operator ingress rule below lets it reach the instance pods for reconciliation
# and health probes.
# ── Default deny all ingress and egress ──────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: databases
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# ── Allow ingress from Keycloak ──────────────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-keycloak
  namespace: databases
spec:
  podSelector:
    matchLabels:
      # CloudNativePG sets cnpg.io/cluster=<cluster-name> on postgres pods.
      # Adjust the cluster name to match your CloudNativePG Cluster CR name.
      cnpg.io/cluster: net-kingdom-pg
  policyTypes:
    - Ingress
  ingress:
    - from:
        # namespaceSelector and podSelector in the same peer entry: both must match.
        - namespaceSelector:
            matchLabels:
              net-kingdom/component: sso
          podSelector:
            matchLabels:
              app.kubernetes.io/name: keycloak
      ports:
        - port: 5432
          protocol: TCP
---
# ── Allow ingress from privacyIDEA ───────────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-privacyidea
  namespace: databases
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: net-kingdom-pg
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              net-kingdom/component: mfa
          podSelector:
            matchLabels:
              app.kubernetes.io/name: privacyidea
      ports:
        - port: 5432
          protocol: TCP
---
# ── Allow ingress from CloudNativePG operator ────────────────────────────────
# The CNPG operator (in cnpg-system) manages the cluster and performs health
# probes. Without this, operator reconciliation fails.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-cnpg-operator
  namespace: databases
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: net-kingdom-pg
  policyTypes:
    - Ingress
  ingress:
    - from:
        # No podSelector here: any pod in cnpg-system is admitted on these ports.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: cnpg-system
      ports:
        - port: 5432
          protocol: TCP
        - port: 8000 # CloudNativePG instance manager HTTP API (used for status extraction)
          protocol: TCP
        - port: 9187 # CloudNativePG metrics exporter
          protocol: TCP
---
# ── Allow egress DNS (all pods) ──────────────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-dns
  namespace: databases
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
---
# ── Allow egress to K8s API (CNPG operator needs it from the pods) ───────────
# CloudNativePG instance pods post status updates to the API server.
# Note: this rule has no `to:` selector, so it permits TCP/6443 to any
# destination, not only the API server. Scope it with an ipBlock for the API
# server endpoint if that address is stable in your cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-kube-api
  namespace: databases
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: net-kingdom-pg
  policyTypes:
    - Egress
  egress:
    - ports:
        - port: 6443
          protocol: TCP
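As an added example (not part of this commit or the repository), a small Python evaluator that applies the Kubernetes NetworkPolicy selection rules to the ingress policies above, transcribed as dicts, so a reviewer can check which source namespace/pod label combinations reach the postgres pods on which ports. It models the ingress side only, and assumes the kubernetes.io/metadata.name label is present on every namespace, which the API server sets automatically.

```python
# Added example: evaluate ingress admission under the databases-namespace
# policies from netpol-databases.yaml, transcribed here as plain dicts.
# Kubernetes semantics: a pod selected by no Ingress policy accepts everything;
# otherwise traffic is admitted if ANY selecting policy has a rule whose `from`
# peer AND port both match. A peer carrying both a namespaceSelector and a
# podSelector requires both to match. Only the ingress side is modelled.

PG_PODS = {"cnpg.io/cluster": "net-kingdom-pg"}

POLICIES = [
    {"name": "default-deny-all", "podSelector": {}, "ingress": []},
    {"name": "allow-ingress-from-keycloak", "podSelector": PG_PODS, "ingress": [
        {"from": [{"ns": {"net-kingdom/component": "sso"},
                   "pod": {"app.kubernetes.io/name": "keycloak"}}],
         "ports": {(5432, "TCP")}}]},
    {"name": "allow-ingress-from-privacyidea", "podSelector": PG_PODS, "ingress": [
        {"from": [{"ns": {"net-kingdom/component": "mfa"},
                   "pod": {"app.kubernetes.io/name": "privacyidea"}}],
         "ports": {(5432, "TCP")}}]},
    {"name": "allow-ingress-from-cnpg-operator", "podSelector": PG_PODS, "ingress": [
        {"from": [{"ns": {"kubernetes.io/metadata.name": "cnpg-system"}, "pod": {}}],
         "ports": {(5432, "TCP"), (8000, "TCP"), (9187, "TCP")}}]},
]


def selector_matches(selector, labels):
    """matchLabels semantics: every key/value in the selector must be present."""
    return all(labels.get(k) == v for k, v in selector.items())


def ingress_allowed(dst_pod_labels, src_ns_labels, src_pod_labels, port, proto="TCP"):
    """True if the flow is admitted into a pod in the databases namespace."""
    selecting = [p for p in POLICIES if selector_matches(p["podSelector"], dst_pod_labels)]
    if not selecting:          # unselected pods are default-allow
        return True
    for policy in selecting:   # rules across all selecting policies are OR-ed
        for rule in policy["ingress"]:
            peer_ok = any(selector_matches(peer["ns"], src_ns_labels)
                          and selector_matches(peer["pod"], src_pod_labels)
                          for peer in rule["from"])
            if peer_ok and (port, proto) in rule["ports"]:
                return True
    return False


def admitted_ports(src_ns_labels, src_pod_labels):
    """Which (port, proto) pairs a given source can reach on the postgres pods."""
    candidates = [(5432, "TCP"), (8000, "TCP"), (9187, "TCP"), (5432, "UDP")]
    return sorted(p for p in candidates
                  if ingress_allowed(PG_PODS, src_ns_labels, src_pod_labels, *p))
```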