

# NetworkPolicies for the shared apps-pg cnpg cluster (RAILIANCE-WP-0003).
# The databases namespace has a default-deny-all policy; each cluster
# needs explicit egress-to-kube-api, ingress-from-cnpg-operator, and
# ingress-from-app-namespace policies.
#
# Unlike gitea-db (which hard-codes `default` as the consumer ns), this
# triplet uses a label-based opt-in: any namespace carrying the label
# `railiance.io/postgres-client=apps-pg` may connect on TCP/5432. The
# shared cluster cannot know its consumer namespaces in advance, so it
# expects each consumer to add this label as part of its onboarding.
---
# Egress from the apps-pg instance pods to the Kubernetes API (TCP/6443).
# NOTE(review): this rule has no `to:` selector, so it allows TCP/6443 to
# ANY destination, not only the API server. The API server is not a pod,
# so the only way to narrow it is an `ipBlock` holding the apiserver
# endpoint address(es) — TODO confirm those for this cluster before
# tightening.
# NOTE(review): under the namespace default-deny, nothing here grants
# egress for DNS (port 53) or, if apps-pg runs more than one instance,
# instance-to-instance traffic on 5432 — confirm whether a separate
# policy covers those or the instance manager works without them.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-kube-api-apps-pg
  namespace: databases
spec:
  # Selects every pod cnpg labels as belonging to the apps-pg cluster.
  podSelector:
    matchLabels:
      cnpg.io/cluster: apps-pg
  # Only Egress is listed, so this policy does not touch ingress rules.
  policyTypes:
    - Egress
  egress:
    - ports:
        - port: 6443
          protocol: TCP
---
# Ingress to the apps-pg instance pods from the cnpg operator namespace.
# The match is on `kubernetes.io/metadata.name`, the label the API server
# sets to the namespace's own name, so only pods in the namespace literally
# called `cnpg-system` qualify.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-cnpg-operator-apps-pg
  namespace: databases
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: apps-pg
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: cnpg-system
      # No podSelector in the `from` entry: every pod in cnpg-system may
      # reach the three ports below, not just the operator deployment.
      ports:
        - port: 5432  # PostgreSQL
          protocol: TCP
        - port: 8000  # presumably the cnpg instance-manager status port — confirm
          protocol: TCP
        - port: 9187  # presumably the PostgreSQL metrics exporter — confirm
          protocol: TCP
---
# Ingress on TCP/5432 to the apps-pg instance pods from any pod in a
# namespace labelled `railiance.io/postgres-client: apps-pg`.
# NOTE(review): setting that label on a namespace IS the access decision
# for this cluster's network path. Anyone allowed to patch namespace
# labels can self-enrol, so namespace-label writes should be restricted
# (RBAC/admission) to whoever owns consumer onboarding. This only gates
# reachability; PostgreSQL authentication still applies on top.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-app-namespaces-apps-pg
  namespace: databases
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: apps-pg
  policyTypes:
    - Ingress
  ingress:
    - from:
        # namespaceSelector and podSelector are sibling keys of ONE `from`
        # entry, so they are ANDed: all pods, but only from opted-in
        # namespaces. Keep `podSelector: {}` at this indent — promoting it
        # to its own `- ` entry would OR it in and additionally admit every
        # pod in the `databases` namespace itself.
        - namespaceSelector:
            matchLabels:
              railiance.io/postgres-client: apps-pg
          podSelector: {}
      ports:
        - port: 5432
          protocol: TCP