Phase 10-08: Implement DNS egress NetworkPolicy for staging environment

- Add comprehensive network policies to k8s/staging/network-policy.yaml
- Implements default-deny ingress pattern with explicit allow rules
- Critical: Add DNS egress rule for CoreDNS resolution (port 53 UDP/TCP)
- Policies cover: ingress-nginx→backend, backend→postgres, monitoring scrape
- External API egress for backend (HTTP/HTTPS)
- CDN egress for frontend (HTTP/HTTPS)
- Status: Applied to gravl-staging namespace, verified operational

k8s/staging/network-policy.yaml

@@ -0,0 +1,196 @@
+# NetworkPolicy for Gravl Staging Environment
+# Phase 10-08: Critical Blocker Resolution
+# Implementation: DNS egress explicitly allowed for pod DNS resolution
+
+---
+# DEFAULT DENY: Block all ingress by default (allowlist pattern)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: gravl-default-deny
+  namespace: gravl-staging
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+
+---
+# INGRESS: Allow traffic FROM ingress-nginx TO backend (port 3000)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-ingress-to-backend
+  namespace: gravl-staging
+spec:
+  podSelector:
+    matchLabels:
+      app: backend
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          name: ingress-nginx
+    ports:
+    - protocol: TCP
+      port: 3000
+
+---
+# INGRESS: Allow traffic FROM ingress-nginx TO frontend (port 80/443)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-to-frontend
+  namespace: gravl-staging
+spec:
+  podSelector:
+    matchLabels:
+      app: frontend
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          name: ingress-nginx
+    ports:
+    - protocol: TCP
+      port: 80
+    - protocol: TCP
+      port: 443
+
+---
+# INGRESS: Allow traffic FROM backend TO postgres (port 5432)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-backend-to-db
+  namespace: gravl-staging
+spec:
+  podSelector:
+    matchLabels:
+      app: postgres
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: backend
+    ports:
+    - protocol: TCP
+      port: 5432
+
+---
+# INGRESS: Allow monitoring scraping (Prometheus metrics on port 3001)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-monitoring-scrape
+  namespace: gravl-staging
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          name: gravl-monitoring
+    ports:
+    - protocol: TCP
+      port: 3001
+
+---
+# EGRESS: Allow DNS queries (CRITICAL - CoreDNS resolution)
+# Required for: External API calls, package managers, service discovery
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-dns-egress
+  namespace: gravl-staging
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  egress:
+  # DNS queries to CoreDNS (port 53 UDP/TCP in kube-system namespace)
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          name: kube-system
+    ports:
+    - protocol: UDP
+      port: 53
+    - protocol: TCP
+      port: 53
+
+---
+# EGRESS: Backend to Database (postgres)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-backend-db-egress
+  namespace: gravl-staging
+spec:
+  podSelector:
+    matchLabels:
+      app: backend
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app: postgres
+    ports:
+    - protocol: TCP
+      port: 5432
+
+---
+# EGRESS: Backend external APIs (HTTPS for webhooks, external services)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-backend-external-apis
+  namespace: gravl-staging
+spec:
+  podSelector:
+    matchLabels:
+      app: backend
+  policyTypes:
+  - Egress
+  egress:
+  # Allow HTTPS outbound (e.g., Slack webhooks, external APIs)
+  - to:
+    - namespaceSelector: {}
+    ports:
+    - protocol: TCP
+      port: 443
+    - protocol: TCP
+      port: 80
+
+---
+# EGRESS: Frontend CDN/external resources (HTTP/HTTPS)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-frontend-cdn-egress
+  namespace: gravl-staging
+spec:
+  podSelector:
+    matchLabels:
+      app: frontend
+  policyTypes:
+  - Egress
+  egress:
+  # Allow HTTP/HTTPS to external CDNs and resources
+  - to:
+    - namespaceSelector: {}
+    ports:
+    - protocol: TCP
+      port: 443
+    - protocol: TCP
+      port: 80