fix: update network policy to allow S3 traffic and kubelet health checks

2025-09-03 23:45:16 +02:00
parent fac44d2246
commit e0dddb70ec
6 changed files with 54 additions and 24 deletions
@@ -48,7 +48,7 @@ spec:
          httpGet:
            path: /
            port: 8000
-          initialDelaySeconds: 30
+          initialDelaySeconds: 90
          periodSeconds: 10
          timeoutSeconds: 5
          failureThreshold: 3
@@ -10,10 +10,12 @@ resources:
 - configmap.yaml

 # Common labels to apply to all resources
-commonLabels:
-  app.kubernetes.io/name: math-exercises
-  app.kubernetes.io/instance: math-exercises-instance
-  app.kubernetes.io/version: "1.0"
-  app.kubernetes.io/component: web
-  app.kubernetes.io/part-of: math-suite
-  app.kubernetes.io/managed-by: kustomize
+labels:
+- includeSelectors: true
+  pairs:
+    app.kubernetes.io/component: web
+    app.kubernetes.io/instance: math-exercises-instance
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: math-exercises
+    app.kubernetes.io/part-of: math-suite
+    app.kubernetes.io/version: "1.0"
@@ -18,6 +18,14 @@ spec:
    ports:
    - protocol: TCP
      port: 8000
+  # Allow inbound traffic from kubelet for health checks
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          name: kube-system
+    ports:
+    - protocol: TCP
+      port: 8000
  egress:
  # Allow outbound DNS resolution
  - to:
@@ -29,7 +37,25 @@ spec:
      port: 53
    - protocol: UDP
      port: 53
-  # Allow outbound HTTPS for package updates or external APIs
-  - ports:
+  # Allow outbound HTTPS to Kubernetes API server
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          name: kube-system
+    ports:
    - protocol: TCP
-      port: 443
+      port: 443
+  # Allow outbound HTTPS to Infomaniak S3
+  - to:
+    - ipBlock:
+        cidr: 45.157.188.56/29  # Infomaniak S3 IPv4 range
+    ports:
+    - protocol: TCP
+      port: 443
+  # Allow outbound NTP for time synchronization
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+    ports:
+    - protocol: UDP
+      port: 123