b103a09a25
- CI: workflows updates (cd, ci), remove playwright.yml - E2E: global-setup, auth/playlists/profile specs - Remove playwright-report and test-results artifacts from tracking - Backend: auth, handlers, services, workers, migrations - Frontend: components, features, vite config - Add e2e-results.json to gitignore - Docs: REMEDIATION_PROGRESS, audit archive - Rust: chat-server, stream-server updates |
||
|---|---|---|
| .. | ||
| backend-api-allow.yaml | ||
| chat-server-allow.yaml | ||
| default-deny.yaml | ||
| frontend-allow.yaml | ||
| README.md | ||
Network Policies
Network policies restrict traffic between pods for defense in depth.
Dependencies
| Service | Ingress From | Egress To |
|---|---|---|
| backend-api | ingress-nginx | PostgreSQL (5432), Redis (6379), DNS |
| frontend | ingress-nginx | - |
| chat-server | ingress-nginx | PostgreSQL (5432), Redis (6379), DNS |
| stream-server | ingress-nginx | Redis, storage |
Usage
-
Apply default deny first:
kubectl apply -f k8s/network-policies/default-deny.yaml -
Apply allow policies for each component:
kubectl apply -f k8s/network-policies/backend-api-allow.yaml kubectl apply -f k8s/network-policies/frontend-allow.yaml kubectl apply -f k8s/network-policies/chat-server-allow.yaml
Ingress Controller
Policies reference namespaceSelector.matchLabels.name: ingress-nginx. Ensure your ingress controller namespace has this label:
kubectl label namespace ingress-nginx name=ingress-nginx
External Services
If PostgreSQL or Redis run outside the cluster, the egress ipBlock.cidr: 0.0.0.0/0 allows connections. For stricter policies, replace with specific CIDRs.