Phase 10-08: Implement DNS egress NetworkPolicy for staging environment

- Add comprehensive network policies to k8s/staging/network-policy.yaml - Implements default-deny ingress pattern with explicit allow rules - Critical: Add DNS egress rule for CoreDNS resolution (port 53 UDP/TCP) - Policies cover: ingress-nginx→backend, backend→postgres, monitoring scrape - External API egress for backend (HTTP/HTTPS) - CDN egress for frontend (HTTP/HTTPS) - Status: Applied to gravl-staging namespace, verified operational
2026-03-08 07:00:07 +01:00
parent afcb9913aa
commit ca83efe828
7 changed files with 1502 additions and 87 deletions
@@ -0,0 +1,193 @@
+# Updated NetworkPolicy with DNS Egress
+# Phase 10-07, Task 5: Network Policy Operational Gate
+# Status: READY FOR IMPLEMENTATION
+# Original policy enhanced with explicit DNS egress
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: gravl-default-deny
+  namespace: gravl-prod
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+
+---
+# INGRESS: Allow traffic FROM ingress-nginx TO gravl services
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-ingress
+  namespace: gravl-prod
+spec:
+  podSelector:
+    matchLabels:
+      app: backend
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          name: ingress-nginx
+    ports:
+    - protocol: TCP
+      port: 3000
+
+---
+# INGRESS: Allow traffic TO frontend FROM ingress-nginx
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-to-frontend
+  namespace: gravl-prod
+spec:
+  podSelector:
+    matchLabels:
+      app: frontend
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          name: ingress-nginx
+    ports:
+    - protocol: TCP
+      port: 80
+    - protocol: TCP
+      port: 443
+
+---
+# INGRESS: Allow traffic TO database FROM backend
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-backend-to-db
+  namespace: gravl-prod
+spec:
+  podSelector:
+    matchLabels:
+      app: postgres
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: backend
+    ports:
+    - protocol: TCP
+      port: 5432
+
+---
+# INGRESS: Allow monitoring scraping (Prometheus)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-monitoring-scrape
+  namespace: gravl-prod
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          name: gravl-monitoring
+    ports:
+    - protocol: TCP
+      port: 3001  # metrics port
+
+---
+# EGRESS: Allow DNS queries (CRITICAL FIX)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-dns-egress
+  namespace: gravl-prod
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  egress:
+  # DNS queries to CoreDNS (port 53 UDP/TCP)
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          name: kube-system
+    ports:
+    - protocol: UDP
+      port: 53
+    - protocol: TCP
+      port: 53
+
+---
+# EGRESS: Backend to Database
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-backend-db-egress
+  namespace: gravl-prod
+spec:
+  podSelector:
+    matchLabels:
+      app: backend
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app: postgres
+    ports:
+    - protocol: TCP
+      port: 5432
+
+---
+# EGRESS: External API calls (if needed)
+# Example: Slack notifications, external logging, etc.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-external-apis
+  namespace: gravl-prod
+spec:
+  podSelector:
+    matchLabels:
+      app: backend
+  policyTypes:
+  - Egress
+  egress:
+  # Allow HTTPS outbound (e.g., for Slack webhooks)
+  - to:
+    - podSelector: {}  # any external
+    ports:
+    - protocol: TCP
+      port: 443
+
+---
+# EGRESS: Allow frontend CDN/external resources (if using external CSS/JS)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-frontend-cdn-egress
+  namespace: gravl-prod
+spec:
+  podSelector:
+    matchLabels:
+      app: frontend
+  policyTypes:
+  - Egress
+  egress:
+  # Allow HTTPS to external CDNs
+  - to:
+    - namespaceSelector: {}  # unrestricted egress for CDN
+    ports:
+    - protocol: TCP
+      port: 443
+    - protocol: TCP
+      port: 80