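# Network Policies — default-deny with explicit allows
# Apply AFTER namespace and deployments are created.
# Verify: kubectl get networkpolicy -n honeydue
#
# Model: one default-deny policy covers every pod in the namespace; each
# workload then gets the narrowest ingress/egress allow it needs. Policies
# are additive (a pod matched by several policies gets the union of their
# allows), so each document below only needs to state its own rule.

---
# --- Default deny all ingress and egress ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: honeydue
spec:
  podSelector: {}  # empty selector = every pod in the namespace
  policyTypes:
    - Ingress
    - Egress

---
# --- Allow DNS for all pods (required for service discovery) ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: honeydue
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    # The destination is pinned to the kube-system namespace instead of being
    # left empty: an empty `to` matches ANY destination, which lets every pod
    # talk to arbitrary external resolvers on port 53 (a DNS-tunnelling /
    # exfiltration path that bypasses the tighter per-workload egress rules).
    # Assumes the cluster resolver runs in kube-system — TODO confirm; to
    # tighten further, add a podSelector matching the DNS pods' label.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53

---
# --- API: allow ingress from Traefik (kube-system namespace) ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-api
  namespace: honeydue
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: api
  policyTypes:
    - Ingress
  ingress:
    # NOTE(review): this admits ANY pod in kube-system, not only Traefik.
    # To limit it to the ingress controller, add a podSelector under the same
    # `from` entry with Traefik's pod label — confirm the label in this cluster.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: TCP
          port: 8000

---
# --- Admin: allow ingress from Traefik (kube-system namespace) ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-admin
  namespace: honeydue
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: admin
  policyTypes:
    - Ingress
  ingress:
    # Same caveat as allow-ingress-to-api: namespace-wide, not Traefik-only.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: TCP
          port: 3000

---
# --- Redis: allow ingress ONLY from api + worker pods ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-redis
  namespace: honeydue
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: redis
  policyTypes:
    - Ingress
  ingress:
    # Two separate podSelector entries = OR (api pods or worker pods),
    # restricted to this namespace because no namespaceSelector is given.
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: api
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: worker
      ports:
        - protocol: TCP
          port: 6379

---
# --- API: allow egress to Redis, external services (Neon DB, APNs, FCM, B2, SMTP) ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-from-api
  namespace: honeydue
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: api
  policyTypes:
    - Egress
  egress:
    # Redis (in-cluster)
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: redis
      ports:
        - protocol: TCP
          port: 6379
    # External services: Neon DB (5432), SMTP (587), HTTPS (443 — APNs, FCM, B2, PostHog)
    # Private ranges are carved out so this rule cannot be used to reach other
    # in-cluster or on-prem hosts on these ports. 169.254.0.0/16 (link-local,
    # where cloud instance-metadata endpoints typically live) is carved out as
    # defence in depth against SSRF from the API pod.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
              - 169.254.0.0/16
      ports:
        - protocol: TCP
          port: 5432
        - protocol: TCP
          port: 587
        - protocol: TCP
          port: 443

---
# --- Worker: allow egress to Redis, external services ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-from-worker
  namespace: honeydue
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: worker
  policyTypes:
    - Egress
  egress:
    # Redis (in-cluster)
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: redis
      ports:
        - protocol: TCP
          port: 6379
    # External services: Neon DB (5432), SMTP (587), HTTPS (443 — APNs, FCM, B2)
    # Same carve-outs as allow-egress-from-api (private ranges + link-local);
    # kept duplicated because YAML anchors cannot cross `---` document boundaries.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
              - 169.254.0.0/16
      ports:
        - protocol: TCP
          port: 5432
        - protocol: TCP
          port: 587
        - protocol: TCP
          port: 443

---
# --- Admin: allow egress to API (internal) for SSR ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-from-admin
  namespace: honeydue
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: admin
  policyTypes:
    - Egress
  egress:
    # API service (in-cluster, for server-side API calls); no external egress
    # is granted to admin beyond DNS from allow-dns.
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: api
      ports:
        - protocol: TCP
          port: 8000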