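# Updated NetworkPolicy with DNS Egress
# Phase 10-07, Task 5: Network Policy Operational Gate
# Status: READY FOR IMPLEMENTATION
# Original policy enhanced with explicit DNS egress
#
# Review notes (security):
# - Namespace selectors use the API-server-managed, immutable label
#   `kubernetes.io/metadata.name` (set on every namespace on Kubernetes >= 1.21)
#   instead of a hand-applied `name:` label. A hand-applied label that is
#   missing makes an allow rule silently match nothing; kube-system in
#   particular is often not labelled `name: kube-system`, which would leave
#   DNS blocked despite the "critical fix" below.
# - "External" egress is expressed with `ipBlock`. Inside a `to:` entry,
#   `podSelector: {}` means "every pod in THIS namespace" and
#   `namespaceSelector: {}` means "every pod in EVERY namespace"; neither
#   grants access to addresses outside the cluster, which is what the
#   original rules intended.
# - The external ipBlocks exclude RFC 1918 / RFC 6598 space and the link-local
#   range (which contains the cloud instance-metadata endpoint
#   169.254.169.254), so a compromised or SSRF-able pod cannot reach the node
#   network, other workloads or IMDS through these rules. Adjust the `except`
#   lists if this cluster's pod/service/node CIDRs fall outside those ranges.
# - The API server accepts these objects even when the CNI does not enforce
#   NetworkPolicy. Verify enforcement as part of the gate, e.g. exec into a
#   pod and confirm a connection that should be denied actually times out.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: gravl-default-deny
  namespace: gravl-prod
spec:
  # Empty podSelector: applies to every pod in gravl-prod.
  podSelector: {}
  # Listing both types with no rules denies all ingress and egress. The
  # policies below add back specific allows (NetworkPolicies are additive).
  policyTypes:
    - Ingress
    - Egress
---
# INGRESS: Allow traffic FROM ingress-nginx TO backend (port 3000)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ingress
  namespace: gravl-prod
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 3000
---
# INGRESS: Allow traffic TO frontend FROM ingress-nginx (ports 80/443)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-frontend
  namespace: gravl-prod
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
---
# INGRESS: Allow traffic TO database FROM backend (port 5432)
# Only pods labelled app=backend in gravl-prod may open connections to
# postgres; the counterpart egress rule is allow-backend-db-egress below.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend-to-db
  namespace: gravl-prod
spec:
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: backend
      ports:
        - protocol: TCP
          port: 5432
---
# INGRESS: Allow monitoring scraping (Prometheus)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-monitoring-scrape
  namespace: gravl-prod
spec:
  # Applies to every pod in gravl-prod, so 3001 is reachable from the
  # monitoring namespace on pods that expose no metrics too (e.g. postgres).
  # Harmless while nothing listens there; narrow the podSelector to the pods
  # that actually serve /metrics once those labels are settled.
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: gravl-monitoring
      ports:
        - protocol: TCP
          port: 3001  # metrics port
---
# EGRESS: Allow DNS queries (CRITICAL FIX)
# Without this rule the default deny blocks all name resolution, which breaks
# every in-cluster and external connection that is made by hostname.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: gravl-prod
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    # Both selectors in ONE `to` entry are ANDed: only the CoreDNS pods in
    # kube-system, not every pod in that namespace.
    # NOTE(review): `k8s-app: kube-dns` is the label used by the upstream
    # CoreDNS manifests and by kubeadm/EKS/GKE; confirm it on this cluster
    # (`kubectl -n kube-system get pods -l k8s-app=kube-dns`) before rollout.
    # If NodeLocal DNSCache is in use, queries go to a link-local address on
    # the node instead and may need an ipBlock entry — verify against the CNI.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# EGRESS: Backend to Database (port 5432)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend-db-egress
  namespace: gravl-prod
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
---
# EGRESS: External API calls (if needed)
# Example: Slack notifications, external logging, etc.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-external-apis
  namespace: gravl-prod
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Egress
  egress:
    # Allow HTTPS outbound to the public Internet only.
    # The previous `podSelector: {}` did NOT do this: it allowed the backend
    # to reach every pod in gravl-prod on 443 and nothing outside the cluster.
    # Webhook/SaaS endpoints have no stable CIDRs, so destination pinning is
    # not practical here; route this traffic through an egress proxy/gateway
    # with hostname allow-listing if tighter control is required.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8       # RFC 1918 (typical pod/service/node CIDRs)
              - 172.16.0.0/12    # RFC 1918
              - 192.168.0.0/16   # RFC 1918
              - 100.64.0.0/10    # RFC 6598 shared space, used by some clusters
              - 169.254.0.0/16   # link-local, incl. cloud IMDS 169.254.169.254
      ports:
        - protocol: TCP
          port: 443
---
# EGRESS: Allow frontend CDN/external resources (if using external CSS/JS)
# NOTE(review): browsers fetch external CSS/JS themselves; the frontend POD
# only needs this if it proxies or server-side fetches those assets. If it
# does not, delete this policy and let the default deny apply.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-cdn-egress
  namespace: gravl-prod
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
    - Egress
  egress:
    # Public Internet only. The previous `namespaceSelector: {}` did not grant
    # external access; it allowed the frontend to reach every pod in every
    # namespace of the cluster on 80/443 (kube-system, monitoring, ...).
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8       # RFC 1918 (typical pod/service/node CIDRs)
              - 172.16.0.0/12    # RFC 1918
              - 192.168.0.0/16   # RFC 1918
              - 100.64.0.0/10    # RFC 6598 shared space, used by some clusters
              - 169.254.0.0/16   # link-local, incl. cloud IMDS 169.254.169.254
      ports:
        - protocol: TCP
          port: 443
        # Plaintext HTTP egress kept from the original; remove it unless a
        # specific upstream genuinely requires port 80.
        - protocol: TCP
          port: 80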