docs/operations/status-reports/REVIEW_NETWORK_POLICIES.md

# Network Policies Review

## Overview

Network Policies have been created to restrict pod-to-pod communication in the besu-network namespace.

## Policies Created

### 1. default-deny-all
- **Purpose**: Default deny all traffic
- **Scope**: All pods in namespace
- **Status**: ✅ Created

### 2. allow-validator-internal
- **Purpose**: Allow validators to communicate with sentries and other validators
- **Scope**: Validator pods
- **Ports**: 30303 (TCP/UDP), 9545 (TCP)
- **Status**: ✅ Created

### 3. allow-sentry-p2p
- **Purpose**: Allow sentries to accept P2P connections
- **Scope**: Sentry pods
- **Ports**: 30303 (TCP/UDP), 9545 (TCP)
- **Status**: ✅ Created

### 4. allow-rpc-http
- **Purpose**: Allow RPC nodes to receive HTTP traffic from gateway
- **Scope**: RPC pods
- **Ports**: 8545, 8546, 9545 (TCP)
- **Status**: ✅ Created

### 5. allow-gateway-external
- **Purpose**: Allow gateway to receive external traffic and forward to RPC nodes
- **Scope**: Gateway pods
- **Ports**: 80, 443 (TCP)
- **Status**: ✅ Created

## Validation

Run the validation script:
```bash
./scripts/validation/validate-network-policies.sh
```

## Application

Apply Network Policies:
```bash
kubectl apply -f k8s/network-policies/default-deny.yaml
```

## Testing

Test pod-to-pod communication restrictions to ensure policies are working correctly.
Add Oracle Aggregator and CCIP Integration - Introduced Aggregator.sol for Chainlink-compatible oracle functionality, including round-based updates and access control. - Added OracleWithCCIP.sol to extend Aggregator with CCIP cross-chain messaging capabilities. - Created .gitmodules to include OpenZeppelin contracts as a submodule. - Developed a comprehensive deployment guide in NEXT_STEPS_COMPLETE_GUIDE.md for Phase 2 and smart contract deployment. - Implemented Vite configuration for the orchestration portal, supporting both Vue and React frameworks. - Added server-side logic for the Multi-Cloud Orchestration Portal, including API endpoints for environment management and monitoring. - Created scripts for resource import and usage validation across non-US regions. - Added tests for CCIP error handling and integration to ensure robust functionality. - Included various new files and directories for the orchestration portal and deployment scripts. 2025-12-12 14:57:48 -08:00			`# Network Policies Review`

			`## Overview`

			`Network Policies have been created to restrict pod-to-pod communication in the besu-network namespace.`

			`## Policies Created`

			`### 1. default-deny-all`
			`- Purpose: Default deny all traffic`
			`- Scope: All pods in namespace`
			`- Status: ✅ Created`

			`### 2. allow-validator-internal`
			`- Purpose: Allow validators to communicate with sentries and other validators`
			`- Scope: Validator pods`
			`- Ports: 30303 (TCP/UDP), 9545 (TCP)`
			`- Status: ✅ Created`

			`### 3. allow-sentry-p2p`
			`- Purpose: Allow sentries to accept P2P connections`
			`- Scope: Sentry pods`
			`- Ports: 30303 (TCP/UDP), 9545 (TCP)`
			`- Status: ✅ Created`

			`### 4. allow-rpc-http`
			`- Purpose: Allow RPC nodes to receive HTTP traffic from gateway`
			`- Scope: RPC pods`
			`- Ports: 8545, 8546, 9545 (TCP)`
			`- Status: ✅ Created`

			`### 5. allow-gateway-external`
			`- Purpose: Allow gateway to receive external traffic and forward to RPC nodes`
			`- Scope: Gateway pods`
			`- Ports: 80, 443 (TCP)`
			`- Status: ✅ Created`

			`## Validation`

			`Run the validation script:`
			```bash
			`./scripts/validation/validate-network-policies.sh`
			```

			`## Application`

			`Apply Network Policies:`
			```bash
			`kubectl apply -f k8s/network-policies/default-deny.yaml`
			```

			`## Testing`

			`Test pod-to-pod communication restrictions to ensure policies are working correctly.`