fix: add network policies and scope Vault permissions per service

base/backups/postgres-backup-cronjob.yaml

@@ -10,6 +10,9 @@ spec:
   jobTemplate:
     spec:
       template:
+        metadata:
+          labels:
+            app: postgres-backup
         spec:
           restartPolicy: Never
           containers:

base/kustomization.yaml

@@ -13,4 +13,5 @@ resources:
   - web
   - volumes
   - nginx
-  - backups
+  - backups
+  - network-policies

base/network-policies/allow-ingress.yaml

@@ -0,0 +1,32 @@
+# Allow NGINX ingress controller to reach web, api, hasura, minio, typesense
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-to-services
+  namespace: 5stack
+spec:
+  podSelector:
+    matchExpressions:
+      - key: app
+        operator: In
+        values: [web, api, hasura, minio, typesense]
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: ingress-nginx
+      ports:
+        - port: 3000
+          protocol: TCP
+        - port: 5585
+          protocol: TCP
+        - port: 8080
+          protocol: TCP
+        - port: 9000
+          protocol: TCP
+        - port: 9090
+          protocol: TCP
+        - port: 8108
+          protocol: TCP
+  policyTypes:
+    - Ingress

base/network-policies/allow-internal.yaml

@@ -0,0 +1,183 @@
+# TimescaleDB: allow from hasura, api, and backup jobs
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-timescaledb-ingress
+  namespace: 5stack
+spec:
+  podSelector:
+    matchLabels:
+      app: timescaledb
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: hasura
+        - podSelector:
+            matchLabels:
+              app: api
+        - podSelector:
+            matchLabels:
+              app: postgres-backup
+      ports:
+        - port: 5432
+          protocol: TCP
+  policyTypes:
+    - Ingress
+---
+# Redis: allow from api and game-server-node-connector
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-redis-ingress
+  namespace: 5stack
+spec:
+  podSelector:
+    matchLabels:
+      app: redis
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: api
+        - podSelector:
+            matchLabels:
+              app: game-server-node-connector
+      ports:
+        - port: 6379
+          protocol: TCP
+  policyTypes:
+    - Ingress
+---
+# Hasura: allow from web, api, and ingress
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-hasura-ingress
+  namespace: 5stack
+spec:
+  podSelector:
+    matchLabels:
+      app: hasura
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: api
+        - podSelector:
+            matchLabels:
+              app: web
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: ingress-nginx
+      ports:
+        - port: 8080
+          protocol: TCP
+  policyTypes:
+    - Ingress
+---
+# API: allow from ingress, hasura (webhooks), connector, and game server pods
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-api-ingress
+  namespace: 5stack
+spec:
+  podSelector:
+    matchLabels:
+      app: api
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: ingress-nginx
+        - podSelector:
+            matchLabels:
+              app: hasura
+        - podSelector:
+            matchLabels:
+              app: game-server-node-connector
+        - podSelector:
+            matchExpressions:
+              - key: app
+                operator: In
+                values: [game-server]
+      ports:
+        - port: 5585
+          protocol: TCP
+  policyTypes:
+    - Ingress
+---
+# MinIO: allow from api and backup jobs
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-minio-ingress
+  namespace: 5stack
+spec:
+  podSelector:
+    matchLabels:
+      app: minio
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: api
+        - podSelector:
+            matchLabels:
+              app: postgres-backup
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: ingress-nginx
+      ports:
+        - port: 9000
+          protocol: TCP
+        - port: 9090
+          protocol: TCP
+  policyTypes:
+    - Ingress
+---
+# Typesense: allow from api and ingress
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-typesense-ingress
+  namespace: 5stack
+spec:
+  podSelector:
+    matchLabels:
+      app: typesense
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: api
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: ingress-nginx
+      ports:
+        - port: 8108
+          protocol: TCP
+  policyTypes:
+    - Ingress
+---
+# Game server node connector: allow from api (Redis transport)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-connector-ingress
+  namespace: 5stack
+spec:
+  podSelector:
+    matchLabels:
+      app: game-server-node-connector
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: api
+      ports:
+        - port: 8585
+          protocol: TCP
+  policyTypes:
+    - Ingress

base/network-policies/default-deny.yaml

@@ -0,0 +1,9 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-ingress
+  namespace: 5stack
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress

base/network-policies/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - default-deny.yaml
+  - allow-ingress.yaml
+  - allow-internal.yaml

overlays/vault/scripts/setup-vault.sh

@@ -70,8 +70,41 @@ fi
 
 echo "Creating Vault policy for external-secrets..."
 cat <<EOF | vault policy write external-secrets -
-path "*" {
-  capabilities = ["read", "list", "create", "update", "delete"]
+path "kv/data/api" {
+  capabilities = ["read", "list"]
+}
+path "kv/data/steam" {
+  capabilities = ["read", "list"]
+}
+path "kv/data/timescaledb" {
+  capabilities = ["read", "list"]
+}
+path "kv/data/typesense" {
+  capabilities = ["read", "list"]
+}
+path "kv/data/tailscale" {
+  capabilities = ["read", "list"]
+}
+path "kv/data/s3" {
+  capabilities = ["read", "list"]
+}
+path "kv/data/redis" {
+  capabilities = ["read", "list"]
+}
+path "kv/data/minio" {
+  capabilities = ["read", "list"]
+}
+path "kv/data/hasura" {
+  capabilities = ["read", "list"]
+}
+path "kv/data/faceit" {
+  capabilities = ["read", "list"]
+}
+path "kv/data/discord" {
+  capabilities = ["read", "list"]
+}
+path "kv/metadata/*" {
+  capabilities = ["read", "list"]
 }
 EOF