
Commit 527ff9c

authored
fix(netpol): vervang per-tenant allow-all NetworkPolicy door least-privilege baseline (#76)
* fix(netpol): vervang per-tenant allow-all NetworkPolicy door least-privilege baseline
1 parent 7fe71cd commit 527ff9c

15 files changed

Lines changed: 834 additions & 269 deletions


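--- a/bootstrap/rig-system/kustomize/operations-manager/overlays/sandboxed-local/configmap.yaml
+++ b/bootstrap/rig-system/kustomize/operations-manager/overlays/sandboxed-local/configmap.yaml
@@ -8,6 +8,11 @@ data:
 CLUSTER_MANAGER=sandboxed-local
 KEYCLOAK_BOOTSTRAP_CONFIG=sandbox
 
+# Stable SECRET_KEY zodat dev-sessies overleven na pod-restarts (zonder
+# zou de Field(default_factory=generate_secret_key) per process een nieuwe
+# random key minten). Niet-internet-facing dev cluster, plaintext is OK.
+SECRET_KEY=sandbox-dev-secret-key-fixed-for-stable-sessions-32min
+
 ENABLE_GIT_MONITOR=false
 GIT_PROJECTS_SERVER_URL=http://forgejo.rig-system.svc.cluster.local:3000/rig-admin/zad-projects.git
 GIT_PROJECTS_SERVER_USERNAME=rig-admin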
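Review bot: The added `SECRET_KEY=...` line puts a session-signing key into a ConfigMap, which is readable by anyone with `get configmaps` in the namespace and is not treated as sensitive by tooling, logs or diffs; the same fixed value could be emitted from a kustomize `secretGenerator` so the stable dev sessions the comment describes are kept while the key at least lives in a Secret. The comment scopes this to the non-internet-facing sandboxed-local overlay, so the main residual risk is this literal being copied into another overlay; if the application can check it, a startup guard that refuses this known sandbox value unless `CLUSTER_MANAGER=sandboxed-local` (two lines above in the same data block) would make that scoping enforceable rather than a comment. The enclosing `data:` block starts outside the hunk.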

operations-manager/python/manifests/allow-all-network-policy.yaml.jinja

Lines changed: 0 additions & 14 deletions
This file was deleted.
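--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE: new NetworkPolicy jinja template>
@@ -0,0 +1,121 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+name: "{{ name }}"
+namespace: "{{ namespace }}"
+spec:
+# Per-deployment policy: selects only pods of this deployment so that
+# multiple deployments in the same project namespace stay isolated from
+# each other and from helm/helmfile workloads (which do not carry this
+# label and therefore fall through to Kubernetes' default-allow).
+#
+# This is a permissive baseline: it blocks cross-tenant traffic via the
+# explicit allow-list (only own deployment + platform namespaces) but
+# leaves internet egress open. Tightening internet egress is intentionally
+# deferred (see features/restrictive-network-policies.md).
+{% if deployment_selector %}
+podSelector:
+matchLabels:
+deployment: "{{ deployment_selector }}"
+{% else %}
+# No deployment selector: apply to every pod in the namespace. Used for
+# the project infrastructure namespace (CNPG cluster) where there is no
+# OPI-managed deployment whose pods we could label.
+podSelector: {}
+{% endif %}
+policyTypes:
+- Ingress
+- Egress
+ingress:
+# Pods of this deployment may talk to each other.
+{% if deployment_selector %}
+- from:
+- podSelector:
+matchLabels:
+deployment: "{{ deployment_selector }}"
+{% else %}
+- from:
+- podSelector: {}
+{% endif %}
+# Ingress controller: published web apps stay reachable from outside.
+# Op odcn matchen we pod-specifiek (alleen 'rig' router pods, niet
+# eventuele andere customer-routers in dezelfde namespace).
+- from:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: "{{ ingress_controller_selector.namespace }}"
+{% if ingress_controller_selector.pod_labels %}
+podSelector:
+matchLabels:
+{% for k, v in ingress_controller_selector.pod_labels.items() %}
+{{ k }}: "{{ v }}"
+{% endfor %}
+{% endif %}
+# Operations / platform namespace (OPI, shared datastores, Keycloak).
+- from:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: "{{ ops_namespace }}"
+# Backup destination namespace.
+- from:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: "{{ backup_namespace }}"
+{% if allowed_ingress_namespaces %}
+# Explicit cross-namespace ingress (e.g. the project's app namespaces
+# reaching the project's own infrastructure namespace).
+- from:
+{% for ns in allowed_ingress_namespaces %}
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: "{{ ns }}"
+{% endfor %}
+{% endif %}
+egress:
+# DNS resolution against the cluster DNS service.
+- to:
+- namespaceSelector: {}
+podSelector:
+matchLabels:
+k8s-app: kube-dns
+ports:
+- protocol: UDP
+port: 53
+- protocol: TCP
+port: 53
+# Pods of this deployment may talk to each other.
+{% if deployment_selector %}
+- to:
+- podSelector:
+matchLabels:
+deployment: "{{ deployment_selector }}"
+{% else %}
+- to:
+- podSelector: {}
+{% endif %}
+# Operations / platform namespace (shared Postgres, Redis, MinIO, Keycloak).
+- to:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: "{{ ops_namespace }}"
+# Backup destination namespace.
+- to:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: "{{ backup_namespace }}"
+{% if project_infra_namespace and project_infra_namespace != ops_namespace %}
+# Project's own infrastructure namespace (dedicated CNPG cluster, etc.).
+- to:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: "{{ project_infra_namespace }}"
+{% endif %}
+# Internet egress (HTTP/HTTPS) zodat tenant-apps externe APIs kunnen aanroepen.
+- to:
+- ipBlock:
+cidr: 0.0.0.0/0
+ports:
+- protocol: TCP
+port: 443
+- protocol: TCP
+port: 80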
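Review bot: The final egress rule (template lines 114–121) allows `ipBlock: cidr: 0.0.0.0/0` on TCP 80/443 with no `except:`, so the cluster's pod, service and node ranges sit inside the allowed block; depending on how the CNI applies ipBlock to in-cluster addresses, a tenant pod can still reach other tenants' pods and services on those ports (notably the helm/helmfile workloads the header comment says fall through to default-allow) and the API server's service IP on 443, which undercuts the "blocks cross-tenant traffic" statement in the spec comment. Carving the cluster-internal ranges out with an `except:` list keeps the internet egress the commit intends while making the isolation hold on 80/443 as well; the ranges are cluster-specific, so they belong in template variables like the other selectors rather than being hard-coded. If the carve-out is deferred together with the restrictive policies the comment references, the header comment should say so explicitly, since the text currently reads as if the allow-list alone isolates tenants. The example below uses labelled placeholders for the ranges, which are not shown on the page.

```yaml
# … unchanged: DNS, intra-deployment, ops/backup/infra namespace egress …
# Internet egress (HTTP/HTTPS) zodat tenant-apps externe APIs kunnen aanroepen.
- to:
  - ipBlock:
      cidr: 0.0.0.0/0
      except:
        # placeholders: render from template variables holding the cluster's ranges
        - "<POD_CIDR>"
        - "<SERVICE_CIDR>"
        - "<NODE_CIDR>"
  ports:
    - protocol: TCP
      port: 443
    - protocol: TCP
      port: 80
```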
