veza/k8s/network-policies/README.md

# Network Policies

Network policies restrict traffic between pods for defense in depth.

## Dependencies

| Service       | Ingress From      | Egress To                    |
|---------------|-------------------|------------------------------|
| backend-api   | ingress-nginx     | PostgreSQL (5432), Redis (6379), DNS |
| frontend      | ingress-nginx     | -                            |
| chat-server   | ingress-nginx     | PostgreSQL (5432), Redis (6379), DNS |
| stream-server | ingress-nginx     | Redis, storage               |

## Usage

1. Apply default deny first:
   ```bash
   kubectl apply -f k8s/network-policies/default-deny.yaml
   ```

2. Apply allow policies for each component:
   ```bash
   kubectl apply -f k8s/network-policies/backend-api-allow.yaml
   kubectl apply -f k8s/network-policies/frontend-allow.yaml
   kubectl apply -f k8s/network-policies/chat-server-allow.yaml
   ```

## Ingress Controller

Policies reference `namespaceSelector.matchLabels.name: ingress-nginx`. Ensure your ingress controller namespace has this label:

```bash
kubectl label namespace ingress-nginx name=ingress-nginx
```

## External Services

If PostgreSQL or Redis run outside the cluster, the egress `ipBlock.cidr: 0.0.0.0/0` allows connections. For stricter policies, replace with specific CIDRs.
chore: consolidate CI, E2E, backend and frontend updates - CI: workflows updates (cd, ci), remove playwright.yml - E2E: global-setup, auth/playlists/profile specs - Remove playwright-report and test-results artifacts from tracking - Backend: auth, handlers, services, workers, migrations - Frontend: components, features, vite config - Add e2e-results.json to gitignore - Docs: REMEDIATION_PROGRESS, audit archive - Rust: chat-server, stream-server updates 2026-02-17 15:43:21 +00:00			`# Network Policies`

			`Network policies restrict traffic between pods for defense in depth.`

			`## Dependencies`

			`\| Service \| Ingress From \| Egress To \|`
			`\|---------------\|-------------------\|------------------------------\|`
			`\| backend-api \| ingress-nginx \| PostgreSQL (5432), Redis (6379), DNS \|`
			`\| frontend \| ingress-nginx \| - \|`
			`\| chat-server \| ingress-nginx \| PostgreSQL (5432), Redis (6379), DNS \|`
			`\| stream-server \| ingress-nginx \| Redis, storage \|`

			`## Usage`

			`1. Apply default deny first:`
			```bash
			`kubectl apply -f k8s/network-policies/default-deny.yaml`
			```

			`2. Apply allow policies for each component:`
			```bash
			`kubectl apply -f k8s/network-policies/backend-api-allow.yaml`
			`kubectl apply -f k8s/network-policies/frontend-allow.yaml`
			`kubectl apply -f k8s/network-policies/chat-server-allow.yaml`
			```

			`## Ingress Controller`

			Policies reference `namespaceSelector.matchLabels.name: ingress-nginx`. Ensure your ingress controller namespace has this label:

			```bash
			`kubectl label namespace ingress-nginx name=ingress-nginx`
			```

			`## External Services`

			If PostgreSQL or Redis run outside the cluster, the egress `ipBlock.cidr: 0.0.0.0/0` allows connections. For stricter policies, replace with specific CIDRs.