veza/k8s/network-policies/README.md

# Network Policies

Network policies restrict traffic between pods for defense in depth.

## Dependencies

| Service       | Ingress From  | Egress To                            |
| ------------- | ------------- | ------------------------------------ |
| backend-api   | ingress-nginx | PostgreSQL (5432), Redis (6379), DNS |
| frontend      | ingress-nginx | -                                    |
| stream-server | ingress-nginx | Redis, storage                       |

<!-- chat-server was merged into backend-api in v0.502 (commit 05d02386d) -->
<!-- Chat traffic now uses backend-api ingress on /api/v1/ws -->

## Usage

1. Apply default deny first:

    ```bash
    kubectl apply -f k8s/network-policies/default-deny.yaml
    ```

2. Apply allow policies for each component:
    ```bash
    kubectl apply -f k8s/network-policies/backend-api-allow.yaml
    kubectl apply -f k8s/network-policies/frontend-allow.yaml
    ```

## Ingress Controller

Policies reference `namespaceSelector.matchLabels.name: ingress-nginx`. Ensure your ingress controller namespace has this label:

```bash
kubectl label namespace ingress-nginx name=ingress-nginx
```

## External Services

If PostgreSQL or Redis run outside the cluster, the egress `ipBlock.cidr: 0.0.0.0/0` allows connections. For stricter policies, replace with specific CIDRs.