
fix: add network policies and scope Vault permissions per service #425

Open
Flegma wants to merge 3 commits into main from audit/413-network-policies

Conversation

@Flegma (Contributor) commented Apr 2, 2026

Summary

Network Policies — Implements network segmentation for the 5stack namespace:

| Policy | Effect |
| --- | --- |
| default-deny-ingress | Blocks all ingress traffic by default |
| allow-ingress-to-services | NGINX ingress → web, api, hasura, minio, typesense |
| allow-timescaledb-ingress | Only hasura + api → timescaledb:5432 |
| allow-redis-ingress | Only api + connector → redis:6379 |
| allow-hasura-ingress | Only api + web + ingress → hasura:8080 |
| allow-api-ingress | Only ingress + connector → api:5585 |
| allow-connector-ingress | Only api → connector:8585 |

Vault Policy — Replaced wildcard path "*" with explicit per-service read-only paths:

  • Each service secret path (kv/data/api, kv/data/redis, etc.) gets read, list only
  • Removed create, update, delete capabilities from external-secrets role
  • Matches the exact paths used by migrate_secrets_to_vault in setup-env.sh

Test plan

  • kubectl kustomize base builds successfully (7 NetworkPolicies generated)
  • All services can communicate as expected after applying policies
  • External-secrets operator can still read secrets from Vault
  • External-secrets CANNOT write/delete secrets

Note: Network policies require a CNI that supports them (Calico, Cilium, etc.). K3s with default Flannel may need --flannel-backend=none + Calico.

Closes #413
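To see what the Vault half of this change actually buys, here is a small resolver that applies Vault's ACL matching rules (an exact path rule wins; otherwise the glob rule with the longest matching prefix wins; `*` is only valid as the last character) to a before/after pair of policies. This is an added example, not code from the 5stack repository or from Vault itself: the two policy texts are constructed stand-ins for the wildcard `"*"` rule and the explicit `kv/data/<service>` read-only rules the PR describes, and the service names in `AFTER` are taken from the description (the full set of paths is not on this page).

```python
"""Resolve the capabilities a Vault ACL policy grants on a path.

Added example, not the 5stack project's code or Vault's. BEFORE and AFTER are
constructed stand-ins for the wildcard rule and the per-service read-only
rules described in the PR.
"""
import re

# Constructed "before": one wildcard rule that covers every path in Vault,
# including sys/ and the policy endpoints themselves.
BEFORE = '''
path "*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
'''

# Constructed "after": read-only rules on the exact kv/data paths the
# external-secrets role is expected to read (assumed service list).
AFTER = '''
path "kv/data/api" {
  capabilities = ["read", "list"]
}
path "kv/data/redis" {
  capabilities = ["read", "list"]
}
path "kv/data/timescaledb" {
  capabilities = ["read", "list"]
}
'''

RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')
WRITE_CAPS = {"create", "update", "delete", "patch", "sudo"}


def parse_policy(hcl: str) -> dict:
    """Minimal parser for the path/capabilities subset of Vault policy HCL."""
    policy = {}
    for path, caps in RULE.findall(hcl):
        policy[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return policy


def capabilities(policy: dict, path: str) -> set:
    """Capabilities granted on `path`: exact rule first, else longest glob prefix."""
    if path in policy:
        return set(policy[path])
    best = None
    for pattern in policy:
        if pattern.endswith("*") and path.startswith(pattern[:-1]):
            if best is None or len(pattern) > len(best):
                best = pattern
    return set(policy[best]) if best else set()


def can(policy: dict, path: str, capability: str) -> bool:
    caps = capabilities(policy, path)
    return "deny" not in caps and capability in caps


def write_capable_paths(policy: dict) -> set:
    """Rules that still grant a mutating capability; empty for a read-only role."""
    return {p for p, caps in policy.items() if caps & WRITE_CAPS}


def wildcard_rules(policy: dict) -> set:
    return {p for p in policy if p.endswith("*")}


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        pol = parse_policy(text)
        for probe in ("kv/data/api", "kv/data/api/extra", "sys/policies/acl/root"):
            print(f"{label:6} {probe:24} {sorted(capabilities(pol, probe))}")
        print(f"{label:6} write-capable rules: {sorted(write_capable_paths(pol))}")
```

Two things the resolver makes visible: an exact rule on `kv/data/api` does not extend to `kv/data/api/anything`, so the role cannot wander into sub-paths, and under `BEFORE` the same token could read and rewrite `sys/policies/acl/*`, which is the wildcard's real cost. One KV-specific caveat: in KV version 2, listing keys is served from `kv/metadata/<path>`, not `kv/data/<path>`, so a `list` grant on the data path does not let the role enumerate secrets; reading one secret needs only `read` on the data path.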

Flegma added 3 commits April 2, 2026 15:03

Network policies:
- Default-deny ingress for 5stack namespace
- Allow ingress controller to reach web, api, hasura, minio, typesense
- TimescaleDB: only reachable from hasura and api
- Redis: only reachable from api and connector
- Hasura: only from api, web, and ingress
- API: only from ingress and connector
- Connector: only from api

Vault:
- Replace wildcard path "*" with explicit per-service read-only paths
  matching the kv/data/* paths used by migrate_secrets_to_vault
- External-secrets can only read specific service secrets, not
  create/update/delete or access arbitrary vault paths

Closes #413

Game server pods (labeled app: game-server) need WebSocket access to
the API for match event communication. Without this, match events
would be blocked by the default-deny policy.

Per code review — 4 critical/important missing policies:
- Hasura → API: needed for auth/event/action webhooks
- Backup CronJob → TimescaleDB + MinIO: needed for pg_dump + S3 upload
- API → MinIO: needed for S3 operations (demos, assets)
- API → Typesense: needed for player search indexing

Also adds app: postgres-backup label to backup CronJob pod template
so it can be selected by network policies.
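The matrix from the PR description plus the allowances the follow-up commits added can be checked before anything is applied by evaluating the policy set the way a policy-enforcing CNI does. The following is an added example, not code from the 5stack repository: it writes the policies as Python data in the shape of NetworkPolicy YAML and answers "can src reach dst on this port?" under default-deny plus additive allow rules. Pod labels (`app: <service>`), the ingress controller's namespace (`ingress-nginx`) and the minio/typesense ports are assumptions. One detail worth knowing when writing these by hand, and which the example encodes: a `from` entry with only a `podSelector` matches pods in the policy's own namespace, so a controller running in another namespace only gets through a `namespaceSelector` (or both selectors together).

```python
"""Reachability check over Kubernetes NetworkPolicies (added example; labels,
the ingress controller namespace and the minio/typesense ports are assumed)."""
from dataclasses import dataclass
from typing import Optional

NS = "5stack"
# Namespace labels; kubernetes.io/metadata.name is set by the API server.
NAMESPACES = {NS: {"kubernetes.io/metadata.name": NS},
              "ingress-nginx": {"kubernetes.io/metadata.name": "ingress-nginx"}}  # assumed

@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict

@dataclass
class Peer:
    """One entry of an ingress 'from' list; None means that selector is absent."""
    pod_labels: Optional[dict] = None
    ns_labels: Optional[dict] = None

@dataclass
class Policy:
    name: str
    pod_selector: dict   # {} selects every pod in the namespace
    ingress: list        # [(peers, ports)]; [] = allow no ingress at all
    namespace: str = NS

def matches(selector, labels) -> bool:
    """matchLabels semantics; a set value stands in for a matchExpressions 'In'."""
    if selector is None:
        return False
    return all(labels.get(k) in v if isinstance(v, set) else labels.get(k) == v
               for k, v in selector.items())

def peer_allows(peer: Peer, src: Pod, policy_ns: str) -> bool:
    # A podSelector on its own only matches pods in the policy's own namespace;
    # a controller running elsewhere needs a namespaceSelector to get in.
    if peer.ns_labels is None:
        return src.namespace == policy_ns and matches(peer.pod_labels, src.labels)
    if not matches(peer.ns_labels, NAMESPACES.get(src.namespace, {})):
        return False
    return peer.pod_labels is None or matches(peer.pod_labels, src.labels)

def ingress_allowed(src: Pod, dst: Pod, port: int, policies) -> bool:
    selecting = [p for p in policies
                 if p.namespace == dst.namespace and matches(p.pod_selector, dst.labels)]
    if not selecting:
        return True  # pod selected by no policy: Kubernetes default is allow-all
    for p in selecting:  # policies are additive: any matching rule allows
        for peers, ports in p.ingress:
            if ports and port not in ports:
                continue
            if not peers or any(peer_allows(x, src, p.namespace) for x in peers):
                return True
    return False

def app(*names):
    return [Peer(pod_labels={"app": n}) for n in names]

INGRESS_CTRL = Peer(ns_labels={"kubernetes.io/metadata.name": "ingress-nginx"})

POLICIES = [  # the PR's table, then the follow-up commits' additions
    Policy("default-deny-ingress", {}, []),
    Policy("allow-ingress-to-services",
           {"app": {"web", "api", "hasura", "minio", "typesense"}}, [([INGRESS_CTRL], [])]),
    Policy("allow-timescaledb-ingress", {"app": "timescaledb"}, [(app("hasura", "api"), [5432])]),
    Policy("allow-redis-ingress", {"app": "redis"}, [(app("api", "connector"), [6379])]),
    Policy("allow-hasura-ingress", {"app": "hasura"}, [(app("api", "web") + [INGRESS_CTRL], [8080])]),
    Policy("allow-api-ingress", {"app": "api"}, [([INGRESS_CTRL] + app("connector"), [5585])]),
    Policy("allow-connector-ingress", {"app": "connector"}, [(app("api"), [8585])]),
    Policy("allow-game-server-to-api", {"app": "api"}, [(app("game-server"), [5585])]),
    Policy("allow-hasura-to-api", {"app": "api"}, [(app("hasura"), [5585])]),
    Policy("allow-backup-to-timescaledb", {"app": "timescaledb"}, [(app("postgres-backup"), [5432])]),
    Policy("allow-backup-and-api-to-minio", {"app": "minio"}, [(app("postgres-backup", "api"), [9000])]),
    Policy("allow-api-to-typesense", {"app": "typesense"}, [(app("api"), [8108])]),
]

PODS = {n: Pod(n, NS, {"app": n}) for n in
        ["web", "api", "hasura", "minio", "typesense", "timescaledb", "redis",
         "connector", "game-server", "postgres-backup"]}
PODS["ingress"] = Pod("ingress-nginx-controller", "ingress-nginx",
                      {"app.kubernetes.io/name": "ingress-nginx"})

def allowed(src: str, dst: str, port: int, policies=POLICIES) -> bool:
    """Is ingress from PODS[src] to PODS[dst]:port permitted under `policies`?"""
    return ingress_allowed(PODS[src], PODS[dst], port, policies)

if __name__ == "__main__":
    ports = {"timescaledb": 5432, "redis": 6379, "hasura": 8080, "api": 5585, "connector": 8585}
    for dst, port in ports.items():
        callers = [s for s in PODS if s != dst and allowed(s, dst, port)]
        print(f"{dst}:{port} <- {', '.join(callers)}")
```

Running it prints, per service port, exactly the callers the matrix permits. The same function also shows why `default-deny-ingress` is the load-bearing policy: drop it from the list and a pod that no allow rule selects (the game-server pods, for instance) becomes reachable from every pod in the namespace, because an unselected pod falls back to Kubernetes' allow-all default.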


Successfully merging this pull request may close these issues:

[Infrastructure] Add network policies & scope Vault permissions per service