# Network Policy Templates
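---
# Template 1: Default Deny All (Start Here)
# Selects every pod in the namespace and declares both policy types with no
# rules, so all ingress and egress is denied. NetworkPolicy is additive: the
# later templates open specific paths on top of this baseline.
# Denying egress also blocks DNS, so apply Template 2 alongside this one.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: <namespace>  # replace with the target namespace
spec:
  podSelector: {}  # empty selector = every pod in the namespace
  policyTypes:
    - Ingress
    - Egress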
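---
# Template 2: Allow DNS (Essential)
# Required next to the default-deny policy: without it pods cannot resolve
# names and every other egress rule is useless in practice.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: <namespace>  # replace with the target namespace
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              # kubernetes.io/metadata.name is set automatically on every
              # namespace (Kubernetes v1.22+). A bare `name` label is not, so
              # a selector keyed on it silently matches nothing unless the
              # namespace was labelled by hand.
              kubernetes.io/metadata.name: kube-system
          # Same `to` entry as the namespaceSelector, so both must match: only
          # the DNS pods are reachable, not everything in kube-system.
          # CoreDNS/kube-dns carry this label in standard installs; confirm
          # with `kubectl -n kube-system get pods --show-labels` first.
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        # Resolvers fall back to TCP for responses that do not fit in a UDP
        # datagram; allowing UDP only produces intermittent lookup failures.
        - protocol: TCP
          port: 53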
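---
# Template 3: Frontend to Backend
# Backend pods accept traffic only from frontend-labelled pods, and only on
# the two listed ports. The `from` entry has no namespaceSelector, so its
# podSelector is scoped to this policy's namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: <namespace>  # replace with the target namespace
spec:
  podSelector:
    matchLabels:
      app: backend
      tier: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
              tier: frontend
      # Ports are the pods' containerPorts, not Service ports.
      ports:
        - protocol: TCP
          port: 8080
        - protocol: TCP
          port: 9090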
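---
# Template 4: Allow Ingress Controller
# Web pods accept traffic only from the namespace that runs the ingress
# controller. Ports are the pods' containerPorts, not Service ports.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-controller
  namespace: <namespace>  # replace with the target namespace
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # Set automatically on every namespace (Kubernetes v1.22+); a
              # bare `name` label has to be added by hand and is easy to miss,
              # in which case this rule matches nothing.
              kubernetes.io/metadata.name: ingress-nginx
          # Add a podSelector in this same entry to admit only the controller
          # pods rather than every pod in the namespace.
      ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443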
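---
# Template 5: Allow Monitoring (Prometheus)
# podSelector matches labels only. `prometheus.io/scrape` is commonly set as
# an annotation for service discovery; pods also need it as a label for this
# policy to select them at all.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-prometheus-scraping
  namespace: <namespace>  # replace with the target namespace
spec:
  podSelector:
    matchLabels:
      prometheus.io/scrape: "true"  # quoted: label values are strings
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # Set automatically on every namespace (Kubernetes v1.22+);
              # a bare `name` label must be added by hand.
              kubernetes.io/metadata.name: monitoring
      ports:
        # The port on which the selected pods expose their metrics endpoint;
        # adjust to the application's actual containerPort.
        - protocol: TCP
          port: 9090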
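---
# Template 6: Allow External HTTPS
# ipBlock matches by destination IP, so 0.0.0.0/0 also reaches the cluster's
# own pod, service and node ranges and any peered/VPN-connected network. The
# `except` list keeps this rule to genuinely external addresses; internal
# paths should be opened by explicit pod/namespace selectors instead.
# Adjust the private ranges to the cluster's real CIDRs (some clusters use
# 100.64.0.0/10 or public ranges for pods). IPv4 only: a dual-stack cluster
# needs a second ipBlock for ::/0 with its own exceptions (e.g. the AWS
# IMDS IPv6 address fd00:ec2::254).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-external-https
  namespace: <namespace>  # replace with the target namespace
spec:
  podSelector:
    matchLabels:
      app: api-client
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.169.254/32  # Block cloud metadata service (IMDS)
              # RFC 1918 private ranges: keep east-west traffic on explicit
              # policies. On Azure, consider also excluding 168.63.129.16/32.
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
      ports:
        - protocol: TCP
          port: 443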
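---
# Template 7: Database Access
# Only backend-tier pods in this namespace may open connections to the
# database pods; with no namespaceSelector in `from`, the podSelector is
# scoped to the policy's own namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-app-to-database
  namespace: <namespace>  # replace with the target namespace
spec:
  podSelector:
    matchLabels:
      app: postgres
      tier: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              tier: backend  # any backend-tier pod; add `app` to narrow it
      ports:
        - protocol: TCP
          port: 5432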
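---
# Template 8: Cross-Namespace Communication
# namespaceSelector and podSelector sit in the SAME `from` entry, so both must
# match: a pod labelled app=frontend in a namespace labelled
# environment=production. Splitting them into two `-` entries would OR them
# and admit every pod in any production namespace plus any local frontend
# pod. Because access is granted by namespace label, the right to label
# namespaces should be restricted via RBAC.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-prod-namespace
  namespace: <namespace>  # replace with the target namespace
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              environment: production
          podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080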