diff --git a/base/backups/postgres-backup-cronjob.yaml b/base/backups/postgres-backup-cronjob.yaml index d8d46a9..c2daf93 100644 --- a/base/backups/postgres-backup-cronjob.yaml +++ b/base/backups/postgres-backup-cronjob.yaml @@ -10,6 +10,9 @@ spec: jobTemplate: spec: template: + metadata: + labels: + app: postgres-backup spec: restartPolicy: Never containers: diff --git a/base/kustomization.yaml b/base/kustomization.yaml index da90a6b..e829f5b 100644 --- a/base/kustomization.yaml +++ b/base/kustomization.yaml @@ -13,4 +13,5 @@ resources: - web - volumes - nginx - - backups \ No newline at end of file + - backups + - network-policies \ No newline at end of file diff --git a/base/network-policies/allow-ingress.yaml b/base/network-policies/allow-ingress.yaml new file mode 100644 index 0000000..1f986a6 --- /dev/null +++ b/base/network-policies/allow-ingress.yaml @@ -0,0 +1,32 @@ +# Allow NGINX ingress controller to reach web, api, hasura, minio, typesense +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-ingress-to-services + namespace: 5stack +spec: + podSelector: + matchExpressions: + - key: app + operator: In + values: [web, api, hasura, minio, typesense] + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: ingress-nginx + ports: + - port: 3000 + protocol: TCP + - port: 5585 + protocol: TCP + - port: 8080 + protocol: TCP + - port: 9000 + protocol: TCP + - port: 9090 + protocol: TCP + - port: 8108 + protocol: TCP + policyTypes: + - Ingress diff --git a/base/network-policies/allow-internal.yaml b/base/network-policies/allow-internal.yaml new file mode 100644 index 0000000..1d8ab56 --- /dev/null +++ b/base/network-policies/allow-internal.yaml 
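Review bot: `allow-ingress-to-services` grants all six ports to every pod matched by the `app In [web, api, hasura, minio, typesense]` selector, so a web pod also accepts 5585, 8080, 9000, 9090 and 8108 from the ingress-nginx namespace, and the same cross-port grant applies to the other four apps. The per-app policies in `allow-internal.yaml` already admit ingress-nginx to hasura (8080), api (5585), minio (9000/9090) and typesense (8108) on exactly their own port, so this file effectively only needs to cover web; trimming it to `matchLabels:` / `app: web` with the single `- port: 3000` entry (if 3000 is indeed web's port, which is not visible here) removes both the over-broad grants and the duplication. Both files match the controller namespace through the automatic `kubernetes.io/metadata.name` label, which the API server only sets on recent clusters (GA in v1.22); on an older cluster the selector matches nothing and all ingress is dropped once `default-deny.yaml` applies, which deserves a comment next to the first `namespaceSelector`.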
@@ -0,0 +1,183 @@
+# TimescaleDB: allow from hasura, api, and backup jobs
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-timescaledb-ingress
+ namespace: 5stack
+spec:
+ podSelector:
+ matchLabels:
+ app: timescaledb
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: hasura
+ - podSelector:
+ matchLabels:
+ app: api
+ - podSelector:
+ matchLabels:
+ app: postgres-backup
+ ports:
+ - port: 5432
+ protocol: TCP
+ policyTypes:
+ - Ingress
+---
+# Redis: allow from api and game-server-node-connector
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-redis-ingress
+ namespace: 5stack
+spec:
+ podSelector:
+ matchLabels:
+ app: redis
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: api
+ - podSelector:
+ matchLabels:
+ app: game-server-node-connector
+ ports:
+ - port: 6379
+ protocol: TCP
+ policyTypes:
+ - Ingress
+---
+# Hasura: allow from web, api, and ingress
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-hasura-ingress
+ namespace: 5stack
+spec:
+ podSelector:
+ matchLabels:
+ app: hasura
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: api
+ - podSelector:
+ matchLabels:
+ app: web
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+ ports:
+ - port: 8080
+ protocol: TCP
+ policyTypes:
+ - Ingress
+---
+# API: allow from ingress, hasura (webhooks), connector, and game server pods
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-api-ingress
+ namespace: 5stack
+spec:
+ podSelector:
+ matchLabels:
+ app: api
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+ - podSelector:
+ matchLabels:
+ app: hasura
+ - podSelector:
+ matchLabels:
+ app: game-server-node-connector
+ - podSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values: [game-server]
+ ports:
+ - port: 5585
+ protocol: TCP
+ policyTypes:
+ - Ingress
+---
+# MinIO: allow from api and backup jobs
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-minio-ingress
+ namespace: 5stack
+spec:
+ podSelector:
+ matchLabels:
+ app: minio
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: api
+ - podSelector:
+ matchLabels:
+ app: postgres-backup
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+ ports:
+ - port: 9000
+ protocol: TCP
+ - port: 9090
+ protocol: TCP
+ policyTypes:
+ - Ingress
+---
+# Typesense: allow from api and ingress
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-typesense-ingress
+ namespace: 5stack
+spec:
+ podSelector:
+ matchLabels:
+ app: typesense
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: api
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+ ports:
+ - port: 8108
+ protocol: TCP
+ policyTypes:
+ - Ingress
+---
+# Game server node connector: allow from api (Redis transport)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-connector-ingress
+ namespace: 5stack
+spec:
+ podSelector:
+ matchLabels:
+ app: game-server-node-connector
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: api
+ ports:
+ - port: 8585
+ protocol: TCP
+ policyTypes:
+ - Ingress
diff --git a/base/network-policies/default-deny.yaml b/base/network-policies/default-deny.yaml
new file mode 100644
index 0000000..856ca34
--- /dev/null
+++ b/base/network-policies/default-deny.yaml
@@ -0,0 +1,9 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-ingress
+ namespace: 5stack
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
diff --git a/base/network-policies/kustomization.yaml b/base/network-policies/kustomization.yaml
new file mode 100644
index 0000000..1811d9e
--- /dev/null
+++ b/base/network-policies/kustomization.yaml
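Review bot: `allow-api-ingress` admits game-server pods through a one-value `matchExpressions` (`key: app`, `operator: In`, `values: [game-server]`) while every other peer in this file uses `matchLabels`; `matchLabels:` / `app: game-server` is equivalent and reads like its neighbours, unless further game-server label values are expected, in which case a comment saying so would explain the different form. The header comment on `allow-connector-ingress` says the api reaches the connector over Redis transport, yet the rule opens TCP 8585 from api pods directly; if 8585 is a separate control channel the comment should name it, otherwise one of the two looks out of date. A one-line file header stating that these seven policies are ingress-only, that egress is left unrestricted, and that the baseline deny lives in `default-deny.yaml` would spare the next maintainer reading every document to reconstruct the model.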
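Review bot: `default-deny-ingress` lists `policyTypes: [Ingress]` only, so outbound traffic from every pod in `5stack` stays unrestricted; that may well be intended, but it should be stated, e.g. `# Ingress-only baseline: egress is deliberately not restricted by this policy` above `spec:`. If Egress is added to this baseline later, DNS to the cluster resolver (UDP and TCP 53) has to be allowed explicitly, otherwise every workload in `allow-internal.yaml` that resolves a service name stops working.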
@@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - default-deny.yaml + - allow-ingress.yaml + - allow-internal.yaml diff --git a/overlays/vault/scripts/setup-vault.sh b/overlays/vault/scripts/setup-vault.sh index 81cdae0..6c01236 100755 --- a/overlays/vault/scripts/setup-vault.sh +++ b/overlays/vault/scripts/setup-vault.sh @@ -70,8 +70,41 @@ fi echo "Creating Vault policy for external-secrets..." cat <