veza/k8s/network-policies (listing as of 2026-03-06 10:02:53 +01:00)

Files in this directory, all last changed by the commit "chore: consolidate CI, E2E, backend and frontend updates" (2026-02-17 16:43:21 +01:00): backend-api-allow.yaml, default-deny.yaml, frontend-allow.yaml, README.md

Network Policies

NetworkPolicy resources restrict pod-to-pod and pod-to-external traffic so that a compromised pod cannot freely reach other services (defense in depth). They are enforced by the cluster's CNI plugin, not by the API server: on a CNI that does not implement them the objects are accepted but have no effect, so verify enforcement after applying them.

Dependencies

| Service       | Ingress From  | Egress To                                   |
|---------------|---------------|---------------------------------------------|
| backend-api   | ingress-nginx | PostgreSQL (5432), Redis (6379), DNS        |
| frontend      | ingress-nginx | -                                           |
| chat-server   | ingress-nginx | PostgreSQL (5432), Redis (6379), DNS        |
| stream-server | ingress-nginx | Redis, storage                              |

Usage

  1. Apply default deny first:

    kubectl apply -f k8s/network-policies/default-deny.yaml
    
  2. Apply allow policies for each component:

    kubectl apply -f k8s/network-policies/backend-api-allow.yaml
    kubectl apply -f k8s/network-policies/frontend-allow.yaml
    kubectl apply -f k8s/network-policies/chat-server-allow.yaml
    

NetworkPolicy rules are additive and the end state does not depend on the order in which they are applied, but in a namespace that is already serving traffic the default deny drops every connection until the allow policies from step 2 land. On a live cluster apply the allow policies first, or apply the whole directory in one `kubectl apply -f k8s/network-policies/` call, and then confirm the result with `kubectl get networkpolicy -n <namespace>`.

Ingress Controller

The ingress rules use namespaceSelector.matchLabels.name: ingress-nginx. A namespaceSelector matches labels on the Namespace object, not on the controller pods, so the ingress controller's namespace must carry this label or the selector matches nothing and the ingress controller is cut off by the default deny:

kubectl label namespace ingress-nginx name=ingress-nginx

Check with `kubectl get namespace ingress-nginx --show-labels`. Note that `name` is a manually applied convention; since Kubernetes 1.22 every namespace automatically carries the immutable label `kubernetes.io/metadata.name=<namespace>`, which is the safer key to select on if you change these policies.

External Services

If PostgreSQL or Redis run outside the cluster, the egress rule with ipBlock.cidr: 0.0.0.0/0 allows connections on the database ports. That rule also lets a compromised backend pod open connections to any host on the Internet on 5432 and 6379, which is enough for exfiltration to an attacker-controlled endpoint, so narrow it to the CIDR (or the single /32) of the actual database hosts. ipBlock is meant for addresses outside the cluster; if PostgreSQL or Redis instead run as pods, select them with podSelector/namespaceSelector rather than by IP, because pod and cluster IPs are not stable and may be rewritten in transit.
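The properties this README relies on (a namespace-wide default deny, no egress to 0.0.0.0/0, DNS still reachable once egress is restricted, and the policyTypes defaulting that silently denies ingress) can be checked offline before anything is applied. The script below is an added example and not part of this repository; the manifests embedded in it are constructed to mirror the dependency table, are in JSON form (which `kubectl apply -f` accepts like YAML), and their namespace, pod labels, ports and the 10.20.0.0/24 database address are assumptions, as is the script name `lint_netpol.py`.

```python
"""Offline lint for NetworkPolicy manifests (added example, not the project's code).

Checks:
  1. a namespace-wide default deny exists (podSelector {}, Ingress+Egress, no rules);
  2. no egress rule points at ipBlock 0.0.0.0/0 or ::/0, or omits `to` entirely;
  3. a policy that allows egress also permits port 53, or Service names stop resolving;
  4. a policy that sets egress but omits policyTypes implicitly denies all ingress.
"""
import json
import sys

# Constructed sample manifests (assumed names/labels/ports); NOT the repository's
# own default-deny.yaml / *-allow.yaml files.
SAMPLE_MANIFESTS = json.loads(r"""
[
 {"apiVersion":"networking.k8s.io/v1","kind":"NetworkPolicy",
  "metadata":{"name":"default-deny","namespace":"veza"},
  "spec":{"podSelector":{},"policyTypes":["Ingress","Egress"]}},
 {"apiVersion":"networking.k8s.io/v1","kind":"NetworkPolicy",
  "metadata":{"name":"backend-api-allow","namespace":"veza"},
  "spec":{"podSelector":{"matchLabels":{"app":"backend-api"}},
   "policyTypes":["Ingress","Egress"],
   "ingress":[{"from":[{"namespaceSelector":{"matchLabels":{"name":"ingress-nginx"}}}],
               "ports":[{"protocol":"TCP","port":8080}]}],
   "egress":[
     {"to":[{"ipBlock":{"cidr":"0.0.0.0/0"}}],
      "ports":[{"protocol":"TCP","port":5432},{"protocol":"TCP","port":6379}]},
     {"to":[{"namespaceSelector":{"matchLabels":{"kubernetes.io/metadata.name":"kube-system"}}}],
      "ports":[{"protocol":"UDP","port":53},{"protocol":"TCP","port":53}]}]}},
 {"apiVersion":"networking.k8s.io/v1","kind":"NetworkPolicy",
  "metadata":{"name":"frontend-allow","namespace":"veza"},
  "spec":{"podSelector":{"matchLabels":{"app":"frontend"}},"policyTypes":["Ingress"],
   "ingress":[{"from":[{"namespaceSelector":{"matchLabels":{"name":"ingress-nginx"}}}],
               "ports":[{"protocol":"TCP","port":80}]}]}},
 {"apiVersion":"networking.k8s.io/v1","kind":"NetworkPolicy",
  "metadata":{"name":"stream-server-allow","namespace":"veza"},
  "spec":{"podSelector":{"matchLabels":{"app":"stream-server"}},
   "egress":[{"to":[{"ipBlock":{"cidr":"10.20.0.0/24"}}],
              "ports":[{"protocol":"TCP","port":6379}]}]}}
]
""")


def effective_policy_types(spec):
    """API-server defaulting: Ingress is always implied; Egress is implied only
    when `policyTypes` is absent and the `egress` list is non-empty."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    types = {"Ingress"}
    if spec.get("egress"):
        types.add("Egress")
    return types


def is_default_deny(spec):
    """Empty podSelector selects every pod; both types listed and no allow rules."""
    return (spec.get("podSelector", {}) == {}
            and {"Ingress", "Egress"} <= effective_policy_types(spec)
            and not spec.get("ingress")
            and not spec.get("egress"))


def broad_egress(spec):
    """Return (destination, ports) for egress rules that reach the whole Internet."""
    hits = []
    for rule in spec.get("egress") or []:
        ports = [f"{p.get('protocol', 'TCP')}/{p.get('port', '*')}"
                 for p in rule.get("ports") or []] or ["all ports"]
        peers = rule.get("to") or []
        if not peers:  # an egress rule without `to` matches every destination
            hits.append(("any destination", ports))
        for peer in peers:
            cidr = peer.get("ipBlock", {}).get("cidr", "")
            if cidr.endswith("/0"):
                hits.append((cidr, ports))
    return hits


def allows_dns(spec):
    """Heuristic: some egress rule permits port 53 (or leaves ports unrestricted)."""
    for rule in spec.get("egress") or []:
        ports = rule.get("ports")
        if not ports or any(p.get("port") in (53, "dns") for p in ports):
            return True
    return False


def lint(manifests):
    """Return human-readable findings for a list of NetworkPolicy objects."""
    findings, namespaces, denied = [], set(), set()
    for obj in manifests:
        if obj.get("kind") != "NetworkPolicy":
            continue
        ns = obj["metadata"].get("namespace", "default")
        name = f"{ns}/{obj['metadata']['name']}"
        spec = obj["spec"]
        namespaces.add(ns)
        if is_default_deny(spec):
            denied.add(ns)
            continue
        if "policyTypes" not in spec and spec.get("egress") and not spec.get("ingress"):
            findings.append(f"{name}: policyTypes omitted, so Ingress is implied; "
                            "with no ingress rules all inbound traffic is denied")
        for dest, ports in broad_egress(spec):
            findings.append(f"{name}: egress to {dest} on {', '.join(ports)}; "
                            "narrow it to the PostgreSQL/Redis CIDR")
        if "Egress" in effective_policy_types(spec) and spec.get("egress") and not allows_dns(spec):
            findings.append(f"{name}: allows egress but no rule permits port 53; "
                            "Service names will not resolve")
    for ns in sorted(namespaces - denied):
        findings.append(f"{ns}: no default-deny policy found")
    return findings


if __name__ == "__main__":
    # Usage: python lint_netpol.py [policy.json ...]; with no files, lint the sample.
    objs = [json.load(open(path)) for path in sys.argv[1:]] or SAMPLE_MANIFESTS
    for finding in lint(objs):
        print(finding)
```

Against the sample set the script reports the 0.0.0.0/0 egress on the backend policy and, for the stream-server policy, both the implied ingress deny and the missing DNS rule; the frontend policy, which only declares Ingress, is left alone. To run it on real YAML, convert with `kubectl apply --dry-run=client -o json -f file.yaml` and feed the JSON in.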