Add new infra architecture

This commit is contained in:
Urtzi Alfaro
2026-01-19 11:55:17 +01:00
parent 21d35ea92b
commit 35f164f0cd
311 changed files with 13241 additions and 3700 deletions


@@ -0,0 +1,108 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: bakery-ia
labels:
app: global
component: network-policy
tier: security
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress: []
egress: []
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-kube-dns
namespace: bakery-ia
labels:
app: global
component: network-policy
tier: security
spec:
podSelector: {}
policyTypes:
- Egress
egress:
# Allow DNS resolution to kube-system namespace
- to:
- namespaceSelector:
matchLabels:
name: kube-system
ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-controller
namespace: bakery-ia
labels:
app: global
component: network-policy
tier: security
spec:
podSelector:
matchLabels:
# This label should match your ingress controller's namespace
# Adjust as needed for your specific ingress controller
app: nginx-ingress-microk8s
policyTypes:
- Ingress
ingress:
# Allow all traffic to ingress controller
- from:
- ipBlock:
cidr: 0.0.0.0/0
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-internal-communication
namespace: bakery-ia
labels:
app: global
component: network-policy
tier: security
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress:
# Allow communication between pods in the same namespace
- from:
- podSelector: {}
egress:
# Allow communication to pods in the same namespace
- to:
- podSelector: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-external
namespace: bakery-ia
labels:
app: global
component: network-policy
tier: security
spec:
podSelector:
matchLabels:
app: external-egress-allowed
policyTypes:
- Egress
egress:
# Allow external communication for services that need it
- to:
- ipBlock:
cidr: 0.0.0.0/0
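Review bot: The `podSelector` on L65–L69 of `allow-ingress-controller` can only match pods inside `bakery-ia`, so the comment on L67 about matching the controller's namespace is misleading: a `podSelector` never selects across namespaces, and if the MicroK8s ingress controller runs in its own namespace this policy selects no pods at all. The larger gap is that nothing in this file admits traffic *from* the controller's namespace into the application pods (`allow-internal-communication` covers same-namespace sources only), so with `default-deny-all` in place external requests are dropped; the sketch below adds that ingress rule, with the controller namespace as a placeholder. `allow-kube-dns` selects kube-system by `name: kube-system`, a label that is only present if it was applied by hand, whereas `kubernetes.io/metadata.name: kube-system` is set by the API server on every namespace; the same applies to the `name: kube-system` and `name: bakery-ia` selectors in the second file. Finally, the `0.0.0.0/0` block in `allow-egress-external` has no `except`, so it also permits egress to cluster-internal and link-local addresses; add `except:` with `- 169.254.169.254/32` (and the RFC 1918 ranges if only internet egress is intended).

```yaml
# Admit traffic from the ingress controller's namespace into this namespace.
# <INGRESS_CONTROLLER_NAMESPACE> is a placeholder for the namespace the controller runs in.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ingress-controller
  namespace: bakery-ia
spec:
  podSelector: {}  # narrow to the application pods once their labels are known
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: <INGRESS_CONTROLLER_NAMESPACE>
```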


@@ -0,0 +1,159 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: project-default-deny
namespace: bakery-ia
labels:
app: project-global
component: network-policy
tier: security
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress: []
egress: []
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: project-allow-dns
namespace: bakery-ia
labels:
app: project-global
component: network-policy
tier: security
spec:
podSelector: {}
policyTypes:
- Egress
egress:
# Allow DNS resolution to kube-system namespace
- to:
- namespaceSelector:
matchLabels:
name: kube-system
ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: project-allow-ingress-access
namespace: bakery-ia
labels:
app: project-global
component: network-policy
tier: security
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
policyTypes:
- Ingress
ingress:
# Allow all traffic to ingress controller
- from:
- ipBlock:
cidr: 0.0.0.0/0
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: project-allow-internal-comm
namespace: bakery-ia
labels:
app: project-global
component: network-policy
tier: security
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress:
# Allow communication between project services
- from:
- namespaceSelector:
matchLabels:
name: bakery-ia
egress:
# Allow communication to project services
- to:
- namespaceSelector:
matchLabels:
name: bakery-ia
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: project-allow-monitoring
namespace: bakery-ia
labels:
app: project-global
component: network-policy
tier: security
spec:
podSelector:
matchLabels:
app: signoz
policyTypes:
- Ingress
ingress:
# Allow monitoring access from project services
- from:
- namespaceSelector:
matchLabels:
name: bakery-ia
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: project-allow-database-access
namespace: bakery-ia
labels:
app: project-global
component: network-policy
tier: security
spec:
podSelector:
matchLabels:
app: postgres
policyTypes:
- Ingress
ingress:
# Allow database access from application services
- from:
- namespaceSelector:
matchLabels:
name: bakery-ia
ports:
- port: 5432
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: project-allow-cache-access
namespace: bakery-ia
labels:
app: project-global
component: network-policy
tier: security
spec:
podSelector:
matchLabels:
app: redis
policyTypes:
- Ingress
ingress:
# Allow cache access from application services
- from:
- namespaceSelector:
matchLabels:
name: bakery-ia
ports:
- port: 6379
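Review bot: The port restrictions in `project-allow-database-access` (L258–L259) and `project-allow-cache-access` (L282–L283) are not enforced, because `project-allow-internal-comm` (L197–L207) already admits all ingress from every pod in `bakery-ia` to every pod in the namespace, and NetworkPolicy rules are unioned rather than intersected. To make the postgres/redis port scoping meaningful, remove the blanket ingress rule from `project-allow-internal-comm` (or narrow its `podSelector` to the application pods) so the per-service policies become the only admission path to those pods. The same additivity applies across this file and the first one, where `allow-internal-communication` in the same namespace grants identical blanket access, so both need to be tightened together; `project-default-deny` and `default-deny-all` likewise duplicate each other and one of them should go. It would also help to document the intended source set on each database/cache policy, e.g. `# Only application pods should reach postgres; tighten from namespaceSelector to a podSelector once app labels are settled`.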