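---
# Baseline: deny everything in the bakery-ia namespace.
# The empty podSelector selects every pod, both directions are listed in
# policyTypes, and the rule lists are empty, so all ingress and egress is
# dropped. NetworkPolicies are additive: the documents below only open holes
# in this baseline and can never tighten it further.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: project-default-deny
  namespace: bakery-ia
  labels:
    app: project-global
    component: network-policy
    tier: security
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress: []
  egress: []
---
# DNS egress for every pod in the namespace.
# Namespaces are matched on the kubernetes.io/metadata.name label, which the
# API server sets automatically (and immutably) on every namespace in current
# Kubernetes releases. The previous selector keyed on a plain `name` label,
# which only exists if an administrator added it by hand; when it is absent
# the selector matches nothing and, with the default-deny above, DNS stops
# working for the whole namespace. On an older cluster where namespaces were
# labelled `name=...` deliberately, switch the key back.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: project-allow-dns
  namespace: bakery-ia
  labels:
    app: project-global
    component: network-policy
    tier: security
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    # Allow DNS resolution to the cluster DNS service in kube-system.
    # This admits any pod in kube-system on port 53; adding a podSelector for
    # the DNS pods (their label depends on the DNS deployment in use) would
    # narrow it further.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
---
# Inbound traffic to the ingress controller.
# NetworkPolicy is namespaced, so this only applies if the ingress-nginx pods
# run in bakery-ia; a controller in another namespace is unaffected.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: project-allow-ingress-access
  namespace: bakery-ia
  labels:
    app: project-global
    component: network-policy
    tier: security
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
  policyTypes:
    - Ingress
  ingress:
    # Allow all traffic to the ingress controller.
    # 0.0.0.0/0 admits every source, including in-cluster pods, and no `ports`
    # list is given, so every container port on the controller (admission
    # webhook, metrics, ...) is reachable from anywhere. Restrict this to the
    # controller's HTTP/HTTPS container ports once they are confirmed from the
    # ingress-nginx Deployment (TODO: confirm ports, then add a `ports:` list).
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
---
# Pod-to-pod traffic inside the namespace, both directions.
# NOTE(review): this rule carries no `ports`, so it already lets any pod in
# bakery-ia reach any port on any other pod in the namespace, including the
# postgres and redis pods. Because policies are additive, the port-scoped
# database and cache policies further down add nothing while this policy is
# in place. To make those port restrictions effective, exclude the datastore
# pods from this policy (e.g. via a podSelector on the rule) — not changed
# here, since doing so alters which connections are allowed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: project-allow-internal-comm
  namespace: bakery-ia
  labels:
    app: project-global
    component: network-policy
    tier: security
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow communication between project services.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: bakery-ia
  egress:
    # Allow communication to project services.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: bakery-ia
---
# Inbound traffic to the monitoring stack (pods labelled app=signoz).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: project-allow-monitoring
  namespace: bakery-ia
  labels:
    app: project-global
    component: network-policy
    tier: security
spec:
  podSelector:
    matchLabels:
      app: signoz
  policyTypes:
    - Ingress
  ingress:
    # Allow monitoring access from project services (any port).
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: bakery-ia
---
# Inbound traffic to the database (pods labelled app=postgres).
# Only port 5432/TCP from pods in the namespace. `protocol` is spelled out
# here for clarity; TCP is the API default when it is omitted.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: project-allow-database-access
  namespace: bakery-ia
  labels:
    app: project-global
    component: network-policy
    tier: security
spec:
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
    - Ingress
  ingress:
    # Allow database access from application services.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: bakery-ia
      ports:
        - port: 5432
          protocol: TCP
---
# Inbound traffic to the cache (pods labelled app=redis).
# Only port 6379/TCP from pods in the namespace; see the note on
# project-allow-internal-comm about this restriction being superseded.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: project-allow-cache-access
  namespace: bakery-ia
  labels:
    app: project-global
    component: network-policy
    tier: security
spec:
  podSelector:
    matchLabels:
      app: redis
  policyTypes:
    - Ingress
  ingress:
    # Allow cache access from application services.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: bakery-ia
      ports:
        - port: 6379
          protocol: TCP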