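# Network Policies — default-deny with explicit allows
# Same pattern as prod, with added rules for in-cluster postgres and minio.
#
# Model: the first policy denies all ingress and egress for every pod in the
# namespace; each later policy adds back exactly one allowance. NetworkPolicies
# are additive (a connection is permitted if ANY policy selecting the pod
# allows it), so a pod's effective rule set is the union of the policies whose
# podSelector matches it. Pods with no egress policy of their own in this file
# (redis, postgres, minio) can therefore only reach DNS.

# --- Default deny all ingress and egress ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: honeydue
spec:
  # Empty podSelector selects every pod in the namespace.
  podSelector: {}
  # Listing both types with no ingress/egress rules denies all traffic.
  policyTypes:
    - Ingress
    - Egress
---
# --- Allow DNS for all pods (required for service discovery) ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: honeydue
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    # An empty `to` list matches ANY destination, so this permits port 53 to
    # anywhere (inside or outside the cluster), not just the cluster resolver.
    # NOTE(review): narrow this with a namespaceSelector + podSelector for the
    # cluster DNS pods once their labels are confirmed.
    - to: []
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# --- API: allow ingress from Traefik (kube-system namespace) ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-api
  namespace: honeydue
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: api
  policyTypes:
    - Ingress
  ingress:
    # A namespaceSelector on its own admits EVERY pod in kube-system, not only
    # the ingress controller. NOTE(review): combine it with a podSelector
    # matching the Traefik pods' labels (confirm against the deployment) to
    # limit this to the proxy itself.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: TCP
          port: 8000
---
# --- Admin: allow ingress from Traefik (kube-system namespace) ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-admin
  namespace: honeydue
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: admin
  policyTypes:
    - Ingress
  ingress:
    # Same caveat as allow-ingress-to-api: this admits any kube-system pod.
    # NOTE(review): add a podSelector for the Traefik pods to narrow it.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: TCP
          port: 3000
---
# --- Redis: allow ingress ONLY from api + worker pods ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-redis
  namespace: honeydue
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: redis
  policyTypes:
    - Ingress
  ingress:
    # Separate list items are OR-ed: api OR worker. No other pod in the
    # namespace (admin, minio-init, ...) can reach redis.
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: api
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: worker
      ports:
        - protocol: TCP
          port: 6379
---
# --- PostgreSQL: allow ingress ONLY from api + worker pods ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-postgres
  namespace: honeydue
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: postgres
  policyTypes:
    - Ingress
  ingress:
    # api OR worker; nothing else in the namespace can open 5432.
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: api
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: worker
      ports:
        - protocol: TCP
          port: 5432
---
# --- MinIO: allow ingress from api + worker + minio-init job pods ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-minio
  namespace: honeydue
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: minio
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: api
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: worker
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: minio-init
      ports:
        - protocol: TCP
          port: 9000
        # No egress rule in this file lets api, worker or minio-init reach
        # 9001, so this entry is currently unused. NOTE(review): drop it unless
        # some client really needs 9001 (presumably the MinIO console).
        - protocol: TCP
          port: 9001
---
# --- API: allow egress to Redis, PostgreSQL, MinIO, external services ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-from-api
  namespace: honeydue
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: api
  policyTypes:
    - Egress
  egress:
    # Redis (in-cluster)
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: redis
      ports:
        - protocol: TCP
          port: 6379
    # PostgreSQL (in-cluster)
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: postgres
      ports:
        - protocol: TCP
          port: 5432
    # MinIO (in-cluster)
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: minio
      ports:
        - protocol: TCP
          port: 9000
    # External services: SMTP (587), HTTPS (443 — APNs, FCM, PostHog)
    # The except list keeps this "anywhere" rule off in-cluster and
    # private-network addresses. 169.254.0.0/16 (link-local, where cloud
    # instance-metadata endpoints live) is excluded as well: it is never a
    # legitimate external service, and excluding it blunts SSRF from a
    # compromised api pod.
    # NOTE(review): the except list is IPv4-only; if the cluster is
    # dual-stack, add the IPv6 ULA/link-local ranges too. Add 100.64.0.0/10
    # if the cluster or cloud network uses shared address space — confirm
    # against the node/pod CIDRs.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
              - 169.254.0.0/16
      ports:
        - protocol: TCP
          port: 587
        - protocol: TCP
          port: 443
---
# --- Worker: allow egress to Redis, PostgreSQL, MinIO, external services ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-from-worker
  namespace: honeydue
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: worker
  policyTypes:
    - Egress
  egress:
    # Redis (in-cluster)
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: redis
      ports:
        - protocol: TCP
          port: 6379
    # PostgreSQL (in-cluster)
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: postgres
      ports:
        - protocol: TCP
          port: 5432
    # MinIO (in-cluster)
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: minio
      ports:
        - protocol: TCP
          port: 9000
    # External services: SMTP (587), HTTPS (443 — APNs, FCM)
    # Same except list as allow-egress-from-api, including link-local
    # 169.254.0.0/16 so the rule cannot reach instance-metadata endpoints.
    # NOTE(review): IPv4-only; see the dual-stack / 100.64.0.0/10 remarks on
    # the api policy — keep the two lists identical.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
              - 169.254.0.0/16
      ports:
        - protocol: TCP
          port: 587
        - protocol: TCP
          port: 443
---
# --- Admin: allow egress to API (internal) for SSR ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-from-admin
  namespace: honeydue
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: admin
  policyTypes:
    - Egress
  egress:
    # Only the api pods on 8000 (plus DNS from allow-dns); admin has no
    # external egress and cannot reach redis/postgres/minio directly.
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: api
      ports:
        - protocol: TCP
          port: 8000
---
# --- MinIO init job: allow egress to MinIO ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-from-minio-init
  namespace: honeydue
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: minio-init
  policyTypes:
    - Egress
  egress:
    # The one-shot init job only needs the S3 API port on minio.
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: minio
      ports:
        - protocol: TCP
          port: 9000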