[Infrastructure] Add network policies & scope Vault permissions per service #413
Open
Labels: P0-critical (Security & data loss risk), audit-2026-03 (From March 2026 codebase audit), security (Security vulnerability or hardening), service:infrastructure (5stackgg/5stack-panel infrastructure)
Description
Summary
The cluster lacks network segmentation and secrets management uses overly broad access policies.
Tasks
- Create NetworkPolicies with default-deny for the namespace
- Whitelist only required pod-to-pod communication
- Create per-service Vault policies instead of wildcard
- Implement per-service Vault roles with specific path restrictions
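One way to carry out the four tasks above, as an added example that is not code from the 5stack-panel repository: a shell script whose functions render a default-deny NetworkPolicy, the DNS egress allowance that default-deny egress otherwise breaks, an explicit client-to-server allow pair, a per-service Vault policy scoped to one KV v2 prefix, and the arguments for a per-service Vault Kubernetes-auth role. The namespace name (`5stack`), the service labels (`app=api`, `app=postgres`), the port, the `secret/` mount and the `k8s-app=kube-dns` label are assumptions chosen for illustration, not values taken from the issue or the audit.

```shell
# Added example (not from the 5stack-panel repo). NS, the app labels, the
# port and the KV mount path are assumptions for illustration.
set -euo pipefail

NS="${NS:-5stack}"   # assumed namespace; override with NS=... in the environment

# Task 1: default-deny both ingress and egress for every pod in the namespace.
render_default_deny() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: ${NS}
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
EOF
}

# Default-deny egress also blocks name resolution, so every pod is allowed to
# reach kube-dns (label k8s-app=kube-dns in kube-system is the usual default).
render_allow_dns() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: ${NS}
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels: { kubernetes.io/metadata.name: kube-system }
          podSelector:
            matchLabels: { k8s-app: kube-dns }
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
EOF
}

# Task 2: whitelist one pod-to-pod path (client -> server on one TCP port).
# Both halves are needed: ingress on the server and egress on the client,
# because default-deny-all covers both directions.
render_allow_pair() {
  local client="$1" server="$2" port="$3"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-${client}-to-${server}
  namespace: ${NS}
spec:
  podSelector:
    matchLabels: { app: ${server} }
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels: { app: ${client} }
      ports:
        - { protocol: TCP, port: ${port} }
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-${client}-egress-${server}
  namespace: ${NS}
spec:
  podSelector:
    matchLabels: { app: ${client} }
  policyTypes: ["Egress"]
  egress:
    - to:
        - podSelector:
            matchLabels: { app: ${server} }
      ports:
        - { protocol: TCP, port: ${port} }
EOF
}

# Task 3: per-service Vault policy limited to the service's own KV v2 prefix
# (read data, list metadata) instead of a wildcard such as secret/*.
render_vault_policy() {
  local svc="$1"
  cat <<EOF
path "secret/data/${svc}/*"     { capabilities = ["read"] }
path "secret/metadata/${svc}/*" { capabilities = ["list"] }
EOF
}

# Task 4: per-service Kubernetes-auth role bound to exactly one ServiceAccount
# in exactly one namespace, attaching only that service's policy.
vault_role_args() {
  local svc="$1"
  printf '%s' "bound_service_account_names=${svc} bound_service_account_namespaces=${NS} token_policies=${svc} token_ttl=1h"
}

# Rendering works offline; applying only happens with "apply" and both CLIs present.
if [ "${1:-}" = "apply" ] && command -v kubectl >/dev/null && command -v vault >/dev/null; then
  { render_default_deny; echo ---; render_allow_dns; echo ---; render_allow_pair api postgres 5432; } | kubectl apply -f -
  render_vault_policy api | vault policy write api -
  # shellcheck disable=SC2046  # word splitting of the key=value list is intended
  vault write auth/kubernetes/role/api $(vault_role_args api)
fi
```

Apply the default-deny policy only after the allow rules for every required path (including DNS) are in place, and verify with `kubectl get networkpolicy -n <namespace>` and `vault policy read <service>` that no policy still grants a `secret/*` wildcard; a pod whose traffic is silently dropped by the CNI is the usual symptom of a forgotten allow rule.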
Impact
No network segmentation between pods. Broad secrets access increases compromise blast radius.
Details
Full details in internal audit document. Finding IDs: CRIT-INFRA-03, CRIT-INFRA-04, MED-INFRA-05
Related Issues (Security Hardening Pattern)
- [Infrastructure] Tighten RBAC cluster roles & DaemonSet security context #412
- [Infrastructure] Add network policies & scope Vault permissions per service #413
- [Connector] Improve offline match endpoint authentication #409
- [API] Strengthen request authentication and proxy trust validation #372
Metadata
Status: In progress