2 changes: 2 additions & 0 deletions .github/workflows/ci.yaml
Expand Up @@ -74,6 +74,8 @@ jobs:
ksail-version: "7.12.2"
init: "false"
validate: "true"
scan: "true"
scan-framework: "nsa"
sops-age-key: ${{ secrets.SOPS_AGE_KEY }}
hosts-file: ${{ vars.HOSTS_FILE }}
root-ca-cert-file: ${{ vars.ROOT_CA_CERT_FILE }}
6 changes: 6 additions & 0 deletions k8s/bases/apps/fleetdm/helm-release.yaml
Expand Up @@ -13,6 +13,7 @@ spec:
remediation:
retries: -1
upgrade:
force: true
remediation:
retries: -1
remediateLastFailure: true
Expand Down Expand Up @@ -152,6 +153,9 @@ spec:
existingSecret: mysql
secondary:
replicaCount: ${fleetdm_mysql_secondary_replicas:=2}
persistence:
enabled: true
size: 20Gi
primary:
persistence:
enabled: true
Expand Down Expand Up @@ -179,11 +183,13 @@ spec:
persistence:
enabled: true
size: 8Gi
storageClass: hcloud
replica:
replicaCount: ${fleetdm_redis_replicas:=2}
persistence:
enabled: true
size: 8Gi
storageClass: hcloud
metrics:
enabled: true
image:
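Review bot: `force: true` under `upgrade` (line 41) combined with the existing `retries: -1` means every failed upgrade is retried indefinitely with Helm's force replacement, which deletes and recreates resources it cannot patch in place; for the StatefulSet-backed mysql and redis workloads in this release that is disruptive, and nothing in the hunk records why it is needed. A one-line comment such as `# force: needed to replace immutable StatefulSet fields on chart upgrades` would make the intent reviewable, or drop it if it was only added to get past a one-off failed upgrade. Separately, `storageClass: hcloud` is added for both redis persistence blocks (lines 59 and 65) but not for the new mysql secondary persistence block (lines 49-51), so that volume will fall back to the cluster's default class — confirm that is intended. Hard-coding a provider-specific class in a file under `k8s/bases` also ties the base to one cloud; the `${fleetdm_redis_replicas:=2}` substitution pattern already used here would keep the base portable. The enclosing `spec` mapping starts outside these hunks.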
1 change: 1 addition & 0 deletions k8s/bases/apps/fleetdm/kustomization.yaml
Expand Up @@ -8,5 +8,6 @@ resources:
- http-scaled-object.yaml
- license-secret.yaml
- mysql-secret.yaml
- networkpolicy.yaml
- pod-disruption-budget.yaml
- redis-secret.yaml
46 changes: 46 additions & 0 deletions k8s/bases/apps/fleetdm/networkpolicy.yaml
@@ -0,0 +1,46 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-fleetdm
namespace: fleetdm
spec:
endpointSelector: {}
ingress:
# Gateway ingress (direct from Cilium envoy)
- fromEntities:
- ingress
toPorts:
- ports:
- port: "8080"
protocol: TCP
# KEDA HTTP interceptor forwards traffic from gateway
- fromEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: keda
toPorts:
- ports:
- port: "8080"
protocol: TCP
# Intra-namespace (fleet → mysql, fleet → redis)
- fromEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: fleetdm
egress:
# Intra-namespace (fleet → mysql, fleet → redis)
- toEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: fleetdm
# Kube API
- toEntities:
- kube-apiserver
# DNS resolution
- toEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: UDP
- port: "53"
protocol: TCP
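Review bot: The ingress rule at lines 98-104 admits any pod in the `keda` namespace on 8080, not only the HTTP interceptor, and the intra-namespace ingress rule at lines 106-108 has no `toPorts`, so every pod selected by `endpointSelector: {}` (mysql and redis included) accepts every port from every other pod in `fleetdm`. If the interceptor's pod labels are known, adding them under the same `matchLabels` as the namespace key narrows the first; the second could be split into the two flows the comment names (fleet→mysql and fleet→redis on their service ports) so that a compromised fleet pod cannot reach anything else in the namespace. The same namespace-only `keda` selector appears in the headlamp (port 4466) and whoami (port 80) policies in this PR. The DNS egress block at lines 118-127 also repeats rule for rule what the Kyverno `allow-dns` ClusterPolicy elsewhere in this PR generates into every namespace, and the headlamp, homepage, wedding-app and whoami policies carry the same copy; if the generated policy is the source of truth these blocks can go, otherwise a comment such as `# DNS is also granted by the kyverno-generated allow-dns policy; kept so the app works without kyverno` makes the duplication deliberate.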
1 change: 1 addition & 0 deletions k8s/bases/apps/headlamp/kustomization.yaml
Expand Up @@ -6,3 +6,4 @@ resources:
- helm-repository.yaml
- httproute.yaml
- http-scaled-object.yaml
- networkpolicy.yaml
31 changes: 31 additions & 0 deletions k8s/bases/apps/headlamp/networkpolicy.yaml
@@ -0,0 +1,31 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-headlamp
namespace: headlamp
spec:
endpointSelector: {}
ingress:
# KEDA interceptor proxy routes traffic from gateway
- fromEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: keda
toPorts:
- ports:
- port: "4466"
protocol: TCP
egress:
# Kube API for dashboard
- toEntities:
- kube-apiserver
# DNS resolution
- toEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: UDP
- port: "53"
protocol: TCP
1 change: 1 addition & 0 deletions k8s/bases/apps/homepage/kustomization.yaml
Expand Up @@ -7,3 +7,4 @@ resources:
- httproute.yaml
- namespace.yaml
- pod-disruption-budget.yaml
- networkpolicy.yaml
31 changes: 31 additions & 0 deletions k8s/bases/apps/homepage/networkpolicy.yaml
@@ -0,0 +1,31 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-homepage
namespace: homepage
spec:
endpointSelector: {}
ingress:
# Traffic from oauth2-proxy (via gateway → oauth2-proxy → homepage)
- fromEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: oauth2-proxy
toPorts:
- ports:
- port: "3000"
protocol: TCP
egress:
# Kube API for widget data
- toEntities:
- kube-apiserver
# DNS resolution
- toEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: UDP
- port: "53"
protocol: TCP
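Review bot: Egress for homepage is limited to `kube-apiserver` (lines 200-201) and DNS, so any widget that fetches data from a service in another namespace or from an external URL will be dropped by Cilium once this policy applies; the comment at line 199 only accounts for the Kubernetes widget. If homepage's configuration (outside this diff) uses such widgets, they need a matching `toEndpoints` or `toFQDNs` rule here; if it does not, a comment such as `# No other egress: only the kubernetes widget is configured` records the assumption so the next widget addition updates the policy too. Worth verifying against Hubble drops after rollout rather than assuming.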
1 change: 1 addition & 0 deletions k8s/bases/apps/wedding-app/kustomization.yaml
Expand Up @@ -7,3 +7,4 @@ resources:
- serviceaccount.yaml
- sops-age-secret.enc.yaml
- sync.yaml
- networkpolicy.yaml
56 changes: 56 additions & 0 deletions k8s/bases/apps/wedding-app/networkpolicy.yaml
@@ -0,0 +1,56 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-wedding-app
namespace: wedding-app
spec:
endpointSelector: {}
ingress:
# Gateway ingress
- fromEntities:
- ingress
toPorts:
- ports:
- port: "3000"
protocol: TCP
# Intra-namespace (app → db, db replication)
- fromEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: wedding-app
# CNPG operator needs to reach DB status endpoint (port 8000)
- fromEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: cnpg-system
toPorts:
- ports:
- port: "8000"
protocol: TCP
- port: "5432"
protocol: TCP
# Metrics scraping from monitoring namespace
- fromEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: monitoring
toPorts:
- ports:
- port: "9187"
protocol: TCP
egress:
# Intra-namespace (app → db)
- toEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: wedding-app
# Kube API (for CNPG operator managing the cluster)
- toEntities:
- kube-apiserver
# DNS resolution
- toEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: UDP
- port: "53"
protocol: TCP
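Review bot: The comment at line 242 explains the status endpoint on 8000, but the rule at lines 243-251 also opens `5432` to every pod in `cnpg-system`; as far as I know the operator manages instances through the instance manager's HTTP API rather than a SQL connection, so unless something in that namespace genuinely connects to Postgres the `5432` entry should be dropped, or the comment extended to say what needs it. The egress comment at line 265 is also misleading: the rule grants API-server access to pods in `wedding-app` (the instance manager inside each Postgres pod, and the app), not to the operator, which runs in `cnpg-system` and is unaffected by this policy; suggest `# Kube API (CNPG instance manager in each Postgres pod watches its Cluster resource)`. If backups or WAL archiving to object storage are configured for this cluster, that egress is not covered by anything here — confirm before the default-deny in this PR takes effect.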
1 change: 1 addition & 0 deletions k8s/bases/apps/whoami/kustomization.yaml
Expand Up @@ -6,3 +6,4 @@ resources:
- helm-repository.yaml
- httproute.yaml
- http-scaled-object.yaml
- networkpolicy.yaml
28 changes: 28 additions & 0 deletions k8s/bases/apps/whoami/networkpolicy.yaml
@@ -0,0 +1,28 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-whoami
namespace: whoami
spec:
endpointSelector: {}
ingress:
# KEDA interceptor proxy routes traffic from gateway
- fromEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: keda
toPorts:
- ports:
- port: "80"
protocol: TCP
egress:
# DNS resolution
- toEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: UDP
- port: "53"
protocol: TCP
@@ -0,0 +1,76 @@
# Generates a default-deny CiliumNetworkPolicy and a DNS-allow policy
# in every namespace. This ensures zero-trust networking by default —
# workloads must explicitly allow the traffic they need.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-default-deny
annotations:
policies.kyverno.io/title: Default Deny Network Policy
policies.kyverno.io/category: Networking, Best Practices
policies.kyverno.io/subject: CiliumNetworkPolicy
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/description: >-
Generates a CiliumNetworkPolicy that activates Cilium's whitelist
mode for all endpoints in a namespace (effectively deny-all), plus
a companion policy that allows DNS egress to kube-dns so pods can
still resolve names.
spec:
rules:
- name: generate-default-deny
match:
any:
- resources:
kinds:
- Namespace
exclude:
any:
- resources:
names:
- kube-system
- kube-public
- kube-node-lease
generate:
generateExisting: true
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
name: default-deny
synchronize: true
namespace: "{{request.object.metadata.name}}"
data:
spec:
endpointSelector: {}
- name: generate-allow-dns
match:
any:
- resources:
kinds:
- Namespace
exclude:
any:
- resources:
names:
- kube-system
- kube-public
- kube-node-lease
generate:
generateExisting: true
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
name: allow-dns
synchronize: true
namespace: "{{request.object.metadata.name}}"
data:
spec:
endpointSelector: {}
egress:
- toEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: UDP
- port: "53"
protocol: TCP
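Review bot: The generated `default-deny` policy body (lines 363-365) is only `endpointSelector: {}` with no `ingress` or `egress` section; in Cilium, to my knowledge, default-deny for a direction is switched on only by a selecting rule that contains that direction's section, so as written this policy enforces nothing and the header comment's "deny-all" claim does not hold — the upstream deny-all pattern adds `ingress: [{}]` and `egress: [{}]` under `spec`, and those two lines are what is missing here. The companion `allow-dns` policy does carry an `egress` section, so selected endpoints already get egress default-deny from it, but ingress stays wide open until the fix lands. Once the deny is real, every namespace not in the exclude list — including the flux, kyverno, keda, cnpg-system, monitoring and oauth2-proxy namespaces that the other policies in this PR refer to — loses all traffic not explicitly allowed, and I see no allow policies for those here; either extend the exclude list or land their policies in the same change. Because `generateExisting: true` with `synchronize: true` applies the policy to every existing namespace on first apply, rolling it out in Cilium's policy audit mode (where available) and watching Hubble drops before enforcing would catch what was missed.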
Expand Up @@ -38,10 +38,10 @@ spec:
data:
spec:
hard:
requests.cpu: "4"
requests.cpu: "8"
requests.memory: 16Gi
limits.cpu: "4"
limits.memory: 16Gi
limits.cpu: "16"
limits.memory: 32Gi
- name: generate-limitrange
match:
any:
Expand All @@ -68,8 +68,8 @@ spec:
limits:
- default:
cpu: 500m
memory: 1Gi
memory: 512Mi
defaultRequest:
cpu: 200m
memory: 256Mi
cpu: 50m
memory: 128Mi
type: Container