fix: update network policy to allow S3 traffic and kubelet health checks
This commit is contained in:
@@ -48,7 +48,7 @@ spec:
|
||||
httpGet:
|
||||
path: /
|
||||
port: 8000
|
||||
initialDelaySeconds: 30
|
||||
initialDelaySeconds: 90
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 5
|
||||
failureThreshold: 3
|
||||
|
||||
@@ -10,10 +10,12 @@ resources:
|
||||
- configmap.yaml
|
||||
|
||||
# Common labels to apply to all resources
|
||||
commonLabels:
|
||||
app.kubernetes.io/name: math-exercises
|
||||
app.kubernetes.io/instance: math-exercises-instance
|
||||
app.kubernetes.io/version: "1.0"
|
||||
app.kubernetes.io/component: web
|
||||
app.kubernetes.io/part-of: math-suite
|
||||
app.kubernetes.io/managed-by: kustomize
|
||||
labels:
|
||||
- includeSelectors: true
|
||||
pairs:
|
||||
app.kubernetes.io/component: web
|
||||
app.kubernetes.io/instance: math-exercises-instance
|
||||
app.kubernetes.io/managed-by: kustomize
|
||||
app.kubernetes.io/name: math-exercises
|
||||
app.kubernetes.io/part-of: math-suite
|
||||
app.kubernetes.io/version: "1.0"
|
||||
|
||||
@@ -18,6 +18,14 @@ spec:
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 8000
|
||||
# Allow inbound traffic from kubelet for health checks
|
||||
- from:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
name: kube-system
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 8000
|
||||
egress:
|
||||
# Allow outbound DNS resolution
|
||||
- to:
|
||||
@@ -29,7 +37,25 @@ spec:
|
||||
port: 53
|
||||
- protocol: UDP
|
||||
port: 53
|
||||
# Allow outbound HTTPS for package updates or external APIs
|
||||
- ports:
|
||||
# Allow outbound HTTPS to Kubernetes API server
|
||||
- to:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
name: kube-system
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 443
|
||||
port: 443
|
||||
# Allow outbound HTTPS to Infomaniak S3
|
||||
- to:
|
||||
- ipBlock:
|
||||
cidr: 45.157.188.56/29 # Infomaniak S3 IPv4 range
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 443
|
||||
# Allow outbound NTP for time synchronization
|
||||
- to:
|
||||
- ipBlock:
|
||||
cidr: 0.0.0.0/0
|
||||
ports:
|
||||
- protocol: UDP
|
||||
port: 123
|
||||
@@ -32,5 +32,5 @@ spec:
|
||||
memory: "64Mi"
|
||||
cpu: "250m"
|
||||
limits:
|
||||
memory: "128Mi"
|
||||
memory: "256Mi"
|
||||
cpu: "1"
|
||||
@@ -8,10 +8,6 @@ resources:
|
||||
- namespace.yaml
|
||||
|
||||
# Production-specific patches
|
||||
patchesStrategicMerge:
|
||||
- deployment-patch.yaml
|
||||
- security-patch.yaml
|
||||
- ingress-patch.yaml
|
||||
|
||||
# Production-specific configurations
|
||||
images:
|
||||
@@ -20,11 +16,17 @@ images:
|
||||
newTag: 1.0.2
|
||||
|
||||
# Production-specific labels
|
||||
commonLabels:
|
||||
environment: production
|
||||
security-level: high
|
||||
|
||||
secretGenerator:
|
||||
- name: s3-credentials
|
||||
envs:
|
||||
- s3-credentials.env
|
||||
- envs:
|
||||
- s3-credentials.env
|
||||
name: s3-credentials
|
||||
labels:
|
||||
- includeSelectors: true
|
||||
pairs:
|
||||
environment: production
|
||||
security-level: high
|
||||
patches:
|
||||
- path: deployment-patch.yaml
|
||||
- path: security-patch.yaml
|
||||
- path: ingress-patch.yaml
|
||||
|
||||
@@ -10,8 +10,8 @@ spec:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
fsGroup: 2000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
# seccompProfile:
|
||||
# type: RuntimeDefault
|
||||
containers:
|
||||
- name: math-exercises
|
||||
# Additional security settings for production
|
||||
|
||||
Reference in New Issue
Block a user