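# Kubernetes NetworkPolicy for the provisioning namespace.
#
# Because both policy types are listed, every pod in the namespace is
# default-deny for ingress AND egress; only the flows enumerated below
# are allowed:
#   ingress-nginx -> control-center / orchestrator / mcp-server
#   orchestrator <-> control-center <-> mcp-server (intra-namespace)
#   monitoring    -> metrics ports
#   pods          -> DNS, intra-namespace datastores, external HTTP(S)
#
# Usage:
#   nickel eval --format json network-policy.yaml.ncl | yq -P > network-policy.yaml
#   kubectl apply -f network-policy.yaml
#
# NOTE: a NetworkPolicy is only enforced when the cluster CNI implements
# policy; on a CNI without support the object is accepted but has no effect.
{
  apiVersion = "networking.k8s.io/v1",
  kind = "NetworkPolicy",
  metadata = {
    name = "provisioning-network-policy",
    namespace = "provisioning",
    labels = {
      component = "provisioning-platform",
    },
  },
  spec = {
    # Empty selector: every pod in the namespace is subject to this policy.
    podSelector = {},
    # Listing both types makes the policy default-deny in both directions;
    # any flow not matched by a rule below is dropped.
    policyTypes = ["Ingress", "Egress"],

    # Ingress rules: each entry is an independent allow-rule (OR-ed together).
    ingress = [
      # External traffic arriving through the ingress controller.
      # NOTE(review): this matches a manually applied `name` label on the
      # ingress-nginx namespace; if that label is absent the rule silently
      # matches nothing and external traffic is dropped. The automatic
      # `kubernetes.io/metadata.name` label (Kubernetes >= 1.21) would remove
      # that dependency — confirm the namespace labels before switching.
      {
        from = [
          {
            namespaceSelector = {
              matchLabels = {
                "name" = "ingress-nginx",
              },
            },
          },
        ],
        ports = [
          { protocol = "TCP", port = 8080 }, # Control Center
          { protocol = "TCP", port = 9090 }, # Orchestrator
          { protocol = "TCP", port = 8888 }, # MCP Server
        ],
      },

      # Intra-namespace traffic on the service and metrics ports.
      # An empty podSelector inside `from` means "any pod in this namespace";
      # pods in other namespaces are not matched by this peer.
      {
        from = [
          { podSelector = {} },
        ],
        ports = [
          { protocol = "TCP", port = 9090 }, # Orchestrator
          { protocol = "TCP", port = 8080 }, # Control Center
          { protocol = "TCP", port = 8888 }, # MCP Server
          { protocol = "TCP", port = 9091 }, # Orchestrator metrics
          { protocol = "TCP", port = 8081 }, # Control Center metrics
          { protocol = "TCP", port = 8889 }, # MCP Server metrics
        ],
      },

      # Prometheus scraping from a monitoring namespace (metrics ports only).
      # Same `name` label caveat as the ingress-nginx rule above.
      {
        from = [
          {
            namespaceSelector = {
              matchLabels = {
                "name" = "monitoring",
              },
            },
          },
        ],
        ports = [
          { protocol = "TCP", port = 9091 }, # Orchestrator metrics
          { protocol = "TCP", port = 8081 }, # Control Center metrics
          { protocol = "TCP", port = 8889 }, # MCP Server metrics
        ],
      },

      # Inbound port 53 from any namespace.
      # NOTE(review): DNS resolution only needs the *egress* rule below; this
      # ingress rule is only required if a pod in this namespace actually
      # serves DNS. If none does, dropping this rule shrinks the allowed
      # surface without affecting name resolution — confirm before removing.
      {
        from = [
          { namespaceSelector = {} }, # any namespace in the cluster
        ],
        ports = [
          { protocol = "UDP", port = 53 },
          { protocol = "TCP", port = 53 },
        ],
      },
    ],

    # Egress rules: each entry is an independent allow-rule (OR-ed together).
    egress = [
      # DNS queries to the cluster resolver.
      # NOTE(review): `namespaceSelector = {}` allows port 53 to every pod in
      # the cluster; narrowing it to the resolver's namespace/pod labels
      # (e.g. kube-system / kube-dns) is tighter — confirm the resolver labels
      # used by this cluster first.
      {
        to = [
          { namespaceSelector = {} },
        ],
        ports = [
          { protocol = "UDP", port = 53 },
          { protocol = "TCP", port = 53 },
        ],
      },

      # Intra-namespace traffic to datastores and platform services.
      {
        to = [
          { podSelector = {} },
        ],
        ports = [
          { protocol = "TCP", port = 5432 }, # PostgreSQL
          { protocol = "TCP", port = 8000 }, # SurrealDB
          { protocol = "TCP", port = 9090 }, # Orchestrator
          { protocol = "TCP", port = 8080 }, # Control Center
          { protocol = "TCP", port = 8888 }, # MCP Server
        ],
      },

      # External HTTP(S) for API calls, webhooks, etc.
      # A namespaceSelector peer only ever matches pods inside the cluster, so
      # on its own it never allowed traffic to external endpoints. The
      # in-cluster peer is kept for compatibility and an ipBlock peer is added
      # for destinations outside the cluster. RFC 1918 ranges are excluded so
      # this rule does not become a route to other VPC/cluster services, and
      # the link-local range is excluded so the cloud instance-metadata
      # endpoint stays unreachable from workload pods.
      {
        to = [
          { namespaceSelector = {} },
          {
            ipBlock = {
              cidr = "0.0.0.0/0",
              except = [
                "10.0.0.0/8",
                "172.16.0.0/12",
                "192.168.0.0/16",
                "169.254.0.0/16",
              ],
            },
          },
        ],
        ports = [
          { protocol = "TCP", port = 443 },
          { protocol = "TCP", port = 80 },
        ],
      },
    ],
  },
}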