Jesús Pérez 44648e3206
chore: complete nickel migration and consolidate legacy configs
- Remove KCL ecosystem (~220 files deleted)
- Migrate all infrastructure to Nickel schema system
- Consolidate documentation: legacy docs → provisioning/docs/src/
- Add CI/CD workflows (.github/) and Rust build config (.cargo/)
- Update core system for Nickel schema parsing
- Update README.md and CHANGES.md for v5.0.0 release
- Fix pre-commit hooks: end-of-file, trailing-whitespace
- Breaking changes: KCL workspaces require migration
- Migration bridge available in docs/src/development/
2026-01-08 09:55:37 +00:00


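# Kubernetes NetworkPolicy for Provisioning Namespace
# Restricts network traffic to improve security
# Default: deny all ingress AND egress for every pod in the namespace
# (policyTypes lists both), except for the rules below.
# Allow: orchestrator <-> control-center <-> mcp-server
#
# Peer-selector reminder (networking.k8s.io/v1 semantics):
#   podSelector = {}        -> every pod in this policy's own namespace
#   namespaceSelector = {}  -> every pod in every namespace (cluster-internal only)
#   ipBlock                 -> CIDR ranges; the only peer type that reaches
#                              addresses outside the cluster
#
# Usage:
# nickel eval --format json network-policy.yaml.ncl | yq -P > network-policy.yaml
# kubectl apply -f network-policy.yaml
{
  apiVersion = "networking.k8s.io/v1",
  kind = "NetworkPolicy",
  metadata = {
    name = "provisioning-network-policy",
    namespace = "provisioning",
    labels = {
      component = "provisioning-platform",
    },
  },
  spec = {
    # Empty selector: the policy applies to every pod in the namespace,
    # including any database pods (see the 5432/8000 entries below).
    podSelector = {},
    # Naming both types turns the policy into a default deny for ingress
    # and egress; only the rules listed here are permitted.
    policyTypes = ["Ingress", "Egress"],
    # Ingress rules: Allow specific traffic
    ingress = [
      # Allow ingress from Nginx controller (for external traffic)
      {
        from = [
          {
            namespaceSelector = {
              matchLabels = {
                # NOTE(review): a `name` label is not put on namespaces
                # automatically. Confirm the ingress-nginx namespace carries
                # it, or match the API-server-managed
                # `kubernetes.io/metadata.name` label instead; an unmatched
                # selector silently blocks all external traffic.
                "name" = "ingress-nginx",
              },
            },
          },
        ],
        ports = [
          { protocol = "TCP", port = 8080 }, # Control Center
          { protocol = "TCP", port = 9090 }, # Orchestrator
          { protocol = "TCP", port = 8888 }, # MCP Server
        ],
      },
      # Allow inter-pod communication within provisioning namespace
      {
        from = [
          {
            podSelector = {}, # All pods in this namespace
          },
        ],
        ports = [
          { protocol = "TCP", port = 9090 }, # Orchestrator
          { protocol = "TCP", port = 8080 }, # Control Center
          { protocol = "TCP", port = 8888 }, # MCP Server
          { protocol = "TCP", port = 9091 }, # Orchestrator metrics
          { protocol = "TCP", port = 8081 }, # Control Center metrics
          { protocol = "TCP", port = 8889 }, # MCP Server metrics
          # Database ports. The egress rule below already allows in-namespace
          # connections to 5432/8000, but the empty podSelector also covers
          # the database pods, so without a matching ingress entry those
          # connections were dropped on the receiving side.
          { protocol = "TCP", port = 5432 }, # PostgreSQL
          { protocol = "TCP", port = 8000 }, # SurrealDB
        ],
      },
      # Allow Prometheus scraping (if monitoring is in different namespace)
      {
        from = [
          {
            namespaceSelector = {
              matchLabels = {
                # NOTE(review): same `name`-label assumption as the
                # ingress-nginx rule above - confirm the label exists.
                "name" = "monitoring",
              },
            },
          },
        ],
        ports = [
          { protocol = "TCP", port = 9091 }, # Orchestrator metrics
          { protocol = "TCP", port = 8081 }, # Control Center metrics
          { protocol = "TCP", port = 8889 }, # MCP Server metrics
        ],
      },
      # Allow DNS (port 53)
      # NOTE(review): this is an *ingress* entry, so it lets every pod in the
      # cluster open port 53 on every provisioning pod. Name resolution by the
      # provisioning pods is covered by the egress rule, not by this one; this
      # entry is only needed if a pod in this namespace actually serves DNS.
      # Kept pending confirmation - remove it if nothing here listens on 53.
      {
        from = [
          {
            namespaceSelector = {}, # From any namespace
          },
        ],
        ports = [
          { protocol = "UDP", port = 53 },
          { protocol = "TCP", port = 53 },
        ],
      },
    ],
    # Egress rules: Allow specific outbound traffic
    egress = [
      # Allow DNS queries to any namespace
      # NOTE(review): namespaceSelector = {} reaches port 53 on any pod in the
      # cluster. If the resolver runs in kube-system this can be narrowed to a
      # namespaceSelector/podSelector pair for the DNS pods - confirm where
      # the resolver lives before tightening.
      {
        to = [
          {
            namespaceSelector = {},
          },
        ],
        ports = [
          { protocol = "UDP", port = 53 },
          { protocol = "TCP", port = 53 },
        ],
      },
      # Allow inter-pod communication within namespace
      {
        to = [
          {
            podSelector = {},
          },
        ],
        ports = [
          { protocol = "TCP", port = 5432 }, # PostgreSQL
          { protocol = "TCP", port = 8000 }, # SurrealDB
          { protocol = "TCP", port = 9090 }, # Orchestrator
          { protocol = "TCP", port = 8080 }, # Control Center
          { protocol = "TCP", port = 8888 }, # MCP Server
        ],
      },
      # Allow external HTTPS/HTTP (for API calls, webhooks, etc)
      # `namespaceSelector = {}` matches only pods inside the cluster, so on
      # its own this rule never permitted traffic to the internet. The
      # in-cluster peer is kept for compatibility and an ipBlock peer is
      # added for the external destinations the comment describes.
      {
        to = [
          {
            namespaceSelector = {}, # 443/80 to pods in any namespace (as before)
          },
          {
            ipBlock = {
              cidr = "0.0.0.0/0",
              # The cloud instance-metadata endpoint answers on port 80 and
              # hands out node credentials, so it is excluded explicitly.
              # If 443/80 to in-cluster addresses should not fall under this
              # rule, list the cluster's pod and service CIDRs here as well.
              except = ["169.254.169.254/32"],
            },
          },
        ],
        ports = [
          { protocol = "TCP", port = 443 },
          { protocol = "TCP", port = 80 },
        ],
      },
    ],
  },
}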