clawd/gravl
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
9d7cfddb4ff0082b72762406a926941cc4c16a40
gravl/k8s/production/network-policy-with-dns.yaml
T
clawd ca83efe828 Phase 10-08: Implement DNS egress NetworkPolicy for staging environment 
- Add comprehensive network policies to k8s/staging/network-policy.yaml
- Implements default-deny ingress pattern with explicit allow rules
- Critical: Add DNS egress rule for CoreDNS resolution (port 53 UDP/TCP)
- Policies cover: ingress-nginx→backend, backend→postgres, monitoring scrape
- External API egress for backend (HTTP/HTTPS)
- CDN egress for frontend (HTTP/HTTPS)
- Status: Applied to gravl-staging namespace, verified operational
2026-03-08 07:00:07 +01:00

194 lines
3.6 KiB
YAML
Raw Blame History

# Updated NetworkPolicy with DNS Egress
# Phase 10-07, Task 5: Network Policy Operational Gate
# Status: READY FOR IMPLEMENTATION
# Original policy enhanced with explicit DNS egress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: gravl-default-deny
namespace: gravl-prod
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
---
# INGRESS: Allow traffic FROM ingress-nginx TO gravl services
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-ingress
namespace: gravl-prod
spec:
podSelector:
matchLabels:
app: backend
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: ingress-nginx
ports:
- protocol: TCP
port: 3000
---
# INGRESS: Allow traffic TO frontend FROM ingress-nginx
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-to-frontend
namespace: gravl-prod
spec:
podSelector:
matchLabels:
app: frontend
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: ingress-nginx
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443
---
# INGRESS: Allow traffic TO database FROM backend
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-backend-to-db
namespace: gravl-prod
spec:
podSelector:
matchLabels:
app: postgres
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: backend
ports:
- protocol: TCP
port: 5432
---
# INGRESS: Allow monitoring scraping (Prometheus)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-monitoring-scrape
namespace: gravl-prod
spec:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: gravl-monitoring
ports:
- protocol: TCP
port: 3001 # metrics port
---
# EGRESS: Allow DNS queries (CRITICAL FIX)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-dns-egress
namespace: gravl-prod
spec:
podSelector: {}
policyTypes:
- Egress
egress:
# DNS queries to CoreDNS (port 53 UDP/TCP)
- to:
- namespaceSelector:
matchLabels:
name: kube-system
ports:
- protocol: UDP
port: 53
- protocol: TCP
port: 53
---
# EGRESS: Backend to Database
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-backend-db-egress
namespace: gravl-prod
spec:
podSelector:
matchLabels:
app: backend
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
app: postgres
ports:
- protocol: TCP
port: 5432
---
# EGRESS: External API calls (if needed)
# Example: Slack notifications, external logging, etc.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-external-apis
namespace: gravl-prod
spec:
podSelector:
matchLabels:
app: backend
policyTypes:
- Egress
egress:
# Allow HTTPS outbound (e.g., for Slack webhooks)
- to:
- podSelector: {} # any external
ports:
- protocol: TCP
port: 443
---
# EGRESS: Allow frontend CDN/external resources (if using external CSS/JS)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-frontend-cdn-egress
namespace: gravl-prod
spec:
podSelector:
matchLabels:
app: frontend
policyTypes:
- Egress
egress:
# Allow HTTPS to external CDNs
- to:
- namespaceSelector: {} # unrestricted egress for CDN
ports:
- protocol: TCP
port: 443
- protocol: TCP
port: 80
Reference in New Issue View Git Blame Copy Permalink