fix: update network policy to allow S3 traffic and kubelet health checks

deploy/base/deployment.yaml

@@ -48,7 +48,7 @@ spec:
           httpGet:
             path: /
             port: 8000
-          initialDelaySeconds: 30
+          initialDelaySeconds: 90
           periodSeconds: 10
           timeoutSeconds: 5
           failureThreshold: 3

deploy/base/kustomization.yaml

@@ -10,10 +10,12 @@ resources:
 - configmap.yaml
 
 # Common labels to apply to all resources
-commonLabels:
-  app.kubernetes.io/name: math-exercises
-  app.kubernetes.io/instance: math-exercises-instance
-  app.kubernetes.io/version: "1.0"
-  app.kubernetes.io/component: web
-  app.kubernetes.io/part-of: math-suite
-  app.kubernetes.io/managed-by: kustomize
+labels:
+- includeSelectors: true
+  pairs:
+    app.kubernetes.io/component: web
+    app.kubernetes.io/instance: math-exercises-instance
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: math-exercises
+    app.kubernetes.io/part-of: math-suite
+    app.kubernetes.io/version: "1.0"

deploy/base/network-policy.yaml

@@ -18,6 +18,14 @@ spec:
     ports:
     - protocol: TCP
       port: 8000
+  # Allow inbound traffic from kubelet for health checks
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          name: kube-system
+    ports:
+    - protocol: TCP
+      port: 8000
   egress:
   # Allow outbound DNS resolution
   - to:
@@ -29,7 +37,25 @@ spec:
       port: 53
     - protocol: UDP
       port: 53
-  # Allow outbound HTTPS for package updates or external APIs
-  - ports:
+  # Allow outbound HTTPS to Kubernetes API server
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          name: kube-system
+    ports:
     - protocol: TCP
-      port: 443
+      port: 443
+  # Allow outbound HTTPS to Infomaniak S3
+  - to:
+    - ipBlock:
+        cidr: 45.157.188.56/29  # Infomaniak S3 IPv4 range
+    ports:
+    - protocol: TCP
+      port: 443
+  # Allow outbound NTP for time synchronization
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+    ports:
+    - protocol: UDP
+      port: 123

deploy/overlays/production/deployment-patch.yaml

@@ -32,5 +32,5 @@ spec:
             memory: "64Mi"
             cpu: "250m"
           limits:
-            memory: "128Mi"
+            memory: "256Mi"
             cpu: "1"

deploy/overlays/production/kustomization.yaml

@@ -8,10 +8,6 @@ resources:
 - namespace.yaml
 
 # Production-specific patches
-patchesStrategicMerge:
-- deployment-patch.yaml
-- security-patch.yaml
-- ingress-patch.yaml
 
 # Production-specific configurations
 images:
@@ -20,11 +16,17 @@ images:
   newTag: 1.0.2
 
 # Production-specific labels
-commonLabels:
-  environment: production
-  security-level: high
 
 secretGenerator:
-  - name: s3-credentials
-    envs:
-      - s3-credentials.env
+- envs:
+  - s3-credentials.env
+  name: s3-credentials
+labels:
+- includeSelectors: true
+  pairs:
+    environment: production
+    security-level: high
+patches:
+- path: deployment-patch.yaml
+- path: security-patch.yaml
+- path: ingress-patch.yaml

deploy/overlays/production/security-patch.yaml

@@ -10,8 +10,8 @@ spec:
         runAsNonRoot: true
         runAsUser: 1000
         fsGroup: 2000
-        seccompProfile:
-          type: RuntimeDefault
+        # seccompProfile:
+        #   type: RuntimeDefault
       containers:
       - name: math-exercises
         # Additional security settings for production