Sankofa/infrastructure/network/network-policies.yaml
defiQUG 9daf1fd378 Apply Composer changes: comprehensive API updates, migrations, middleware, and infrastructure improvements
- Add comprehensive database migrations (001-024) for schema evolution
- Enhance API schema with expanded type definitions and resolvers
- Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth
- Implement new services: AI optimization, billing, blockchain, compliance, marketplace
- Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage)
- Update Crossplane provider with enhanced VM management capabilities
- Add comprehensive test suite for API endpoints and services
- Update frontend components with improved GraphQL subscriptions and real-time updates
- Enhance security configurations and headers (CSP, CORS, etc.)
- Update documentation and configuration files
- Add new CI/CD workflows and validation scripts
- Implement design system improvements and UI enhancements
2025-12-12 18:01:35 -08:00


# Network Policies for DoD/MilSpec Compliance
#
# Implements network segmentation per:
# - NIST SP 800-53: SC-7 (Boundary Protection)
# - NIST SP 800-171: 3.13.1 (Network Segmentation)
#
# Zero Trust network architecture with micro-segmentation
# deny-all-default: selects every pod in the namespace and lists both
# policy types without a single ingress or egress rule, so no traffic is
# permitted until a more specific policy allows it (whitelist approach).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-default
  namespace: default
spec:
  # Empty selector: the policy applies to every pod in this namespace.
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
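# api-allow-ingress: scopes sankofa-api traffic to the ingress controller
# (inbound) and to Postgres, Keycloak and cluster DNS (outbound).
#
# Each peer below combines namespaceSelector and podSelector in ONE list
# entry so that both must match (AND). Listing them as separate entries
# ORs them together and admits any pod in the named namespace, or any pod
# in this namespace carrying the label, regardless of the other condition.
#
# NOTE(review): the namespace selectors match on a `name` label, which is
# not applied automatically — confirm the target namespaces carry it (the
# auto-populated label is `kubernetes.io/metadata.name`).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: sankofa-api
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Inbound only from ingress-controller pods in their own namespace.
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress-nginx
          podSelector:
            matchLabels:
              app: ingress-nginx
      ports:
        - protocol: TCP
          port: 4000
  egress:
    # Postgres in the database namespace.
    - to:
        - namespaceSelector:
            matchLabels:
              name: database
          podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
    # Keycloak in the identity namespace.
    - to:
        - namespaceSelector:
            matchLabels:
              name: identity
          podSelector:
            matchLabels:
              app: keycloak
      ports:
        - protocol: TCP
          port: 8080
    # Cluster DNS. TCP/53 is included because resolvers retry over TCP
    # when a response does not fit in a UDP datagram.
    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53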
---
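# database-isolate: Postgres accepts connections only from sankofa-api pods
# in the default namespace and may not initiate any outbound connection.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-isolate
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # namespaceSelector and podSelector in the same entry: both must match.
    - from:
        - namespaceSelector:
            matchLabels:
              name: default
          podSelector:
            matchLabels:
              app: sankofa-api
      ports:
        - protocol: TCP
          port: 5432
  # Deny all egress. With Egress listed in policyTypes, an empty rule list
  # permits nothing. The previous `- {}` entry was a single empty rule,
  # which matches every destination and therefore allowed ALL egress.
  #
  # NOTE(review): this also blocks DNS and any replication or backup
  # traffic Postgres would initiate — confirm none is required.
  egress: []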
---
# classification-based-segmentation: pods labelled classification=classified
# exchange traffic only with pods in this namespace whose classification
# label is classified, secret or top-secret.
#
# NOTE(review): accepting ingress from higher classifications means data can
# flow from secret/top-secret pods into classified ones — confirm this is
# the intended direction of flow.
# NOTE(review): no ports are listed, so every port is open between the
# selected pods, and this policy grants no DNS egress — confirm another
# policy covers name resolution if these pods need it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: classification-based-segmentation
  namespace: default
spec:
  podSelector:
    matchLabels:
      classification: classified
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # One set-membership expression in place of three OR'ed selectors.
    - from:
        - podSelector:
            matchExpressions:
              - key: classification
                operator: In
                values:
                  - classified
                  - secret
                  - top-secret
  egress:
    # Same peer set for outbound traffic.
    - to:
        - podSelector:
            matchExpressions:
              - key: classification
                operator: In
                values:
                  - classified
                  - secret
                  - top-secret