generated from coulomb/repo-seed
Bernd Worsch
bececac7b8
privacyidea/privacyidea:3.12 and privacyidea/otpserver:3.12.2 do not exist on Docker Hub. Correct image is ghcr.io/gpappsoft/privacyidea-docker:3.12.2 which listens on port 8080. Update all port references: deployment, service, ingress, netpol-mfa, netpol-sso (keycape→privacyIDEA egress rule). Also: creds-bootstrap-agent.sh — restart privacyIDEA deployment after applying new secrets so the pod picks up updated env vars. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
113 lines
3.2 KiB
YAML
113 lines
3.2 KiB
YAML
# NetworkPolicies for the mfa namespace (privacyIDEA)
|
|
#
|
|
# Allowed paths:
|
|
# INGRESS: Traefik (kube-system) → privacyIDEA :8080 (user-facing portal)
|
|
# INGRESS: KeyCape (sso) → privacyIDEA :8080 (Provider API calls)
|
|
# EGRESS: privacyIDEA → databases :5432 (PostgreSQL)
|
|
# EGRESS: all pods → kube-dns :53 (UDP+TCP)
|
|
#
|
|
# Everything else is denied.
|
|
|
|
# ── Default deny all ingress and egress ──────────────────────────────────────
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: default-deny-all
|
|
namespace: mfa
|
|
spec:
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
- Egress
|
|
---
|
|
# ── Allow ingress from Traefik ───────────────────────────────────────────────
|
|
# pink.coulomb.social and pink-account.coulomb.social both terminate at Traefik.
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-ingress-from-traefik
|
|
namespace: mfa
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: privacyidea
|
|
policyTypes:
|
|
- Ingress
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: kube-system
|
|
podSelector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: traefik
|
|
ports:
|
|
- port: 8080
|
|
protocol: TCP
|
|
---
|
|
# ── Allow ingress from KeyCape (Provider API calls) ──────────────────────────
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-ingress-from-keycape
|
|
namespace: mfa
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: privacyidea
|
|
policyTypes:
|
|
- Ingress
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
net-kingdom/component: sso
|
|
podSelector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: keycape
|
|
ports:
|
|
- port: 8080
|
|
protocol: TCP
|
|
---
|
|
# ── Allow egress to PostgreSQL ───────────────────────────────────────────────
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-egress-to-postgres
|
|
namespace: mfa
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: privacyidea
|
|
policyTypes:
|
|
- Egress
|
|
egress:
|
|
- to:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
net-kingdom/component: databases
|
|
ports:
|
|
- port: 5432
|
|
protocol: TCP
|
|
---
|
|
# ── Allow egress DNS (all pods) ──────────────────────────────────────────────
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-egress-dns
|
|
namespace: mfa
|
|
spec:
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Egress
|
|
egress:
|
|
- to:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: kube-system
|
|
ports:
|
|
- port: 53
|
|
protocol: UDP
|
|
- port: 53
|
|
protocol: TCP
|