net-kingdom/sso-mfa/k8s/network-policies/netpol-sso.yaml
Bernd Worsch bececac7b8 fix(privacyidea): correct image to ghcr.io/gpappsoft, port 5001→8080
privacyidea/privacyidea:3.12 and privacyidea/otpserver:3.12.2 do not
exist on Docker Hub. Correct image is ghcr.io/gpappsoft/privacyidea-docker:3.12.2
which listens on port 8080.

Update all port references: deployment, service, ingress, netpol-mfa,
netpol-sso (keycape→privacyIDEA egress rule).

Also: creds-bootstrap-agent.sh — restart privacyIDEA deployment after
applying new secrets so the pod picks up updated env vars.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 09:37:38 +00:00


# NetworkPolicies for the sso namespace (KeyCape + Authelia + LLDAP)
#
# Components in this namespace:
#   keycape  — OIDC orchestration layer (port 8080)
#   authelia — authentication frontend (port 9091)
#   lldap    — LDAP directory (port 3890 LDAP, port 17170 Web UI)
#
# Allowed ingress paths:
#   Traefik → keycape  :8080  (OIDC endpoints, user-facing)
#   Traefik → authelia :9091  (login portal, user-facing)
#   Traefik → lldap    :17170 (admin web UI; IP-restricted at Traefik layer)
#
# Allowed egress paths:
#   keycape  → authelia :9091 (OIDC callback orchestration)
#   keycape  → lldap    :3890 (LDAP user lookups)
#   keycape  → mfa      :8080 (privacyIDEA MFA check and token validation)
#   authelia → lldap    :3890 (LDAP authentication backend)
#   all pods → kube-dns :53   (DNS resolution)
#
# No egress to databases namespace — KeyCape is stateless;
# LLDAP uses SQLite on a PVC (no external DB needed in lightweight mode).
# ── Default deny all ingress and egress ──────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: sso
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# ── Traefik → KeyCape :8080 ───────────────────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-traefik-to-keycape
  namespace: sso
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: keycape
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - port: 8080
          protocol: TCP
---
# ── Traefik → Authelia :9091 ──────────────────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-traefik-to-authelia
  namespace: sso
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: authelia
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - port: 9091
          protocol: TCP
---
# ── Traefik → LLDAP :17170 (admin web UI) ────────────────────────────────────
# IP-based restriction is enforced at the Traefik layer (lldap-admin-allowlist
# middleware in lldap/middleware.yaml). This NetworkPolicy opens the port;
# Traefik enforces the IP allowlist before traffic reaches LLDAP.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-traefik-to-lldap-ui
  namespace: sso
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: lldap
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - port: 17170
          protocol: TCP
---
# ── KeyCape → Authelia :9091 ──────────────────────────────────────────────────
# KeyCape redirects the browser to Authelia and exchanges auth codes at /token.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-keycape-to-authelia
  namespace: sso
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: authelia
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: keycape
      ports:
        - port: 9091
          protocol: TCP
---
# ── KeyCape → LLDAP :3890 ────────────────────────────────────────────────────
# KeyCape queries LLDAP for user attributes after authentication.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-keycape-to-lldap
  namespace: sso
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: lldap
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: keycape
      ports:
        - port: 3890
          protocol: TCP
---
# ── Authelia → LLDAP :3890 ───────────────────────────────────────────────────
# Authelia binds to LLDAP to validate credentials and resolve group membership.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-authelia-to-lldap
  namespace: sso
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: lldap
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: authelia
      ports:
        - port: 3890
          protocol: TCP
---
# ── KeyCape egress → Authelia + LLDAP (within sso namespace) ─────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-keycape-egress-internal
  namespace: sso
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: keycape
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: authelia
      ports:
        - port: 9091
          protocol: TCP
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: lldap
      ports:
        - port: 3890
          protocol: TCP
---
# ── KeyCape egress → privacyIDEA (mfa namespace) :8080 ───────────────────────
# KeyCape calls privacyIDEA to check and validate MFA tokens.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-keycape-egress-to-privacyidea
  namespace: sso
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: keycape
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              net-kingdom/component: mfa
      ports:
        - port: 8080
          protocol: TCP
---
# ── Authelia egress → LLDAP (within sso namespace) ───────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-authelia-egress-to-lldap
  namespace: sso
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: authelia
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: lldap
      ports:
        - port: 3890
          protocol: TCP
---
# ── Allow egress DNS (all pods) ──────────────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-dns
  namespace: sso
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
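Because the namespace starts from `default-deny-all`, every intra-namespace path in the header comment has to be allowed twice: once as egress on the source pod's policy and once as ingress on the destination pod's policy (keycape → lldap :3890, for instance, is `allow-keycape-egress-internal` plus `allow-keycape-to-lldap`). A change that touches only one side, such as the port renumbering in this commit, silently breaks the path. The following checker is an added example, not part of the net-kingdom repository: it takes NetworkPolicy objects in the dict shape `kubectl get networkpolicy -o json` returns, pairs egress edges with ingress edges, and reports anything allowed on one side only. `POLICIES` is a constructed transcription of the file above; peers selected by `namespaceSelector` (Traefik, privacyIDEA, kube-dns) are listed separately because the other half of those paths lives in another namespace's policies (netpol-mfa for the privacyIDEA hop).

```python
"""Pair-check for Kubernetes NetworkPolicies (added example, not repository code).
Under a default-deny policy, pod A can reach pod B only if A's egress rule AND
B's ingress rule both allow the port. This flags edges allowed on one side only.
POLICIES is a constructed transcription of netpol-sso.yaml in the dict shape
that `kubectl get networkpolicy -o json` returns."""
APP = "app.kubernetes.io/name"
NS = "kubernetes.io/metadata.name"

def netpol(name, app, types, ingress=(), egress=()):
    """One NetworkPolicy-shaped dict; app=None means podSelector: {} (all pods)."""
    return {"metadata": {"name": name, "namespace": "sso"},
            "spec": {"podSelector": {"matchLabels": {APP: app}} if app else {},
                     "policyTypes": list(types),
                     "ingress": list(ingress), "egress": list(egress)}}

def pod(app):
    return {"podSelector": {"matchLabels": {APP: app}}}

def ns(labels, app=None):
    peer = {"namespaceSelector": {"matchLabels": dict(labels)}}
    if app:
        peer.update(pod(app))  # namespace AND pod selector in one peer
    return peer

def rule(key, peers, ports):
    """key is 'from' (ingress) or 'to' (egress); ports is [(port, proto), ...]."""
    return {key: list(peers),
            "ports": [{"port": p, "protocol": proto} for p, proto in ports]}

POLICIES = [  # constructed transcription of netpol-sso.yaml
    netpol("default-deny-all", None, ["Ingress", "Egress"]),
    netpol("allow-traefik-to-keycape", "keycape", ["Ingress"],
           ingress=[rule("from", [ns({NS: "kube-system"}, "traefik")], [(8080, "TCP")])]),
    netpol("allow-keycape-to-authelia", "authelia", ["Ingress"],
           ingress=[rule("from", [pod("keycape")], [(9091, "TCP")])]),
    netpol("allow-keycape-to-lldap", "lldap", ["Ingress"],
           ingress=[rule("from", [pod("keycape")], [(3890, "TCP")])]),
    netpol("allow-authelia-to-lldap", "lldap", ["Ingress"],
           ingress=[rule("from", [pod("authelia")], [(3890, "TCP")])]),
    netpol("allow-keycape-egress-internal", "keycape", ["Egress"],
           egress=[rule("to", [pod("authelia")], [(9091, "TCP")]),
                   rule("to", [pod("lldap")], [(3890, "TCP")])]),
    netpol("allow-keycape-egress-to-privacyidea", "keycape", ["Egress"],
           egress=[rule("to", [ns({"net-kingdom/component": "mfa"})], [(8080, "TCP")])]),
    netpol("allow-authelia-egress-to-lldap", "authelia", ["Egress"],
           egress=[rule("to", [pod("lldap")], [(3890, "TCP")])]),
    netpol("allow-egress-dns", None, ["Egress"],
           egress=[rule("to", [ns({NS: "kube-system"})], [(53, "UDP"), (53, "TCP")])]),
]

def selected_app(selector):
    """'*' for an empty podSelector (every pod), else the app label value."""
    return selector.get("matchLabels", {}).get(APP, "*")

def edges(policies):
    """Intra-namespace edges (src, dst, port, proto) per direction, plus peers in
    other namespaces as (policy, app, direction, ns-labels, port, proto)."""
    egress, ingress, external = set(), set(), set()
    for p in policies:
        spec, name = p["spec"], p["metadata"]["name"]
        me = selected_app(spec["podSelector"])
        for direction, key, bucket in (("egress", "to", egress), ("ingress", "from", ingress)):
            if direction.capitalize() not in spec["policyTypes"]:
                continue
            for r in spec.get(direction) or []:
                for peer in r.get(key) or []:
                    for pt in r.get("ports") or []:
                        port, proto = pt["port"], pt.get("protocol", "TCP")
                        if "namespaceSelector" in peer:  # other half lives in that namespace
                            labels = tuple(sorted(peer["namespaceSelector"].get("matchLabels", {}).items()))
                            external.add((name, me, direction, labels, port, proto))
                        else:
                            other = selected_app(peer.get("podSelector", {}))
                            bucket.add((me, other, port, proto) if direction == "egress"
                                       else (other, me, port, proto))
    return egress, ingress, external

def covered(edge, others):
    """True if some edge in `others` permits this one ('*' matches any app)."""
    s, d, port, proto = edge
    return any(os_ in (s, "*") and od in (d, "*") and op == port and opr == proto
               for os_, od, op, opr in others)

def check(policies):
    egress, ingress, external = edges(policies)
    default_deny = any(p["spec"]["podSelector"] == {}
                       and {"Ingress", "Egress"} <= set(p["spec"]["policyTypes"])
                       for p in policies)
    return {"default_deny": default_deny,
            # source may send, but the destination's ingress drops it
            "missing_ingress": sorted(e for e in egress if not covered(e, ingress)),
            # destination would accept, but the source is never allowed to send
            "missing_egress": sorted(e for e in ingress if not covered(e, egress)),
            "cross_namespace": sorted(external)}

if __name__ == "__main__":
    for key, value in check(POLICIES).items():
        print(key, value)
```

On the file as committed, `missing_ingress` and `missing_egress` are both empty and `cross_namespace` lists the four hops that need their counterpart elsewhere (Traefik ingress, the privacyIDEA egress, and DNS on UDP and TCP). Dropping `allow-keycape-to-lldap` from the input reproduces the one-sided case the check exists for: keycape's egress to lldap :3890 is then reported under `missing_ingress`. To run it against a live cluster, replace `POLICIES` with the `items` list from `kubectl get networkpolicy -n sso -o json`.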