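---
# Network Policy for rdev-api
# Restricts network access to only required endpoints.
# Both policyTypes are listed, so the selected pods are default-deny in
# both directions: anything not explicitly allowed below is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: rdev-api-policy
  namespace: rdev
  labels:
    app.kubernetes.io/name: rdev-api
    app.kubernetes.io/part-of: rdev
spec:
  podSelector:
    matchLabels:
      app: rdev-api
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow ingress from the Traefik ingress controller (k3s default).
    # NOTE(review): this peer admits every pod in kube-system on 8080, not
    # only Traefik; add a podSelector matching the controller's pod labels
    # once those are confirmed for this cluster.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: TCP
          port: 8080
    # Allow ingress from within the rdev namespace (for service mesh, probes).
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: rdev
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Allow egress to the datastores in the databases namespace:
    # PostgreSQL (5432), CockroachDB (26257), Redis (6379).
    # One rule instead of three: the peer is identical, only the ports differ.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: databases
      ports:
        - protocol: TCP
          port: 5432
        - protocol: TCP
          port: 26257
        - protocol: TCP
          port: 6379
    # Allow egress to claudebox pods within the rdev namespace.
    # No ports list: every port on those pods is reachable.
    - to:
        - podSelector:
            matchLabels:
              rdev.orchard9.ai/project: "true"
    # Allow egress to the threesix namespace (Gitea, Woodpecker CI).
    # No ports list: every port of every pod in threesix is reachable;
    # narrow to the Gitea/Woodpecker service ports once they are confirmed.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: threesix
    # Allow DNS resolution to kube-dns pods in any namespace.
    # namespaceSelector and podSelector in the same peer entry are ANDed;
    # the empty namespaceSelector matches all namespaces.
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Allow egress to external HTTPS services (Gitea, Cloudflare, Woodpecker CI).
    # Private ranges are excluded so this rule cannot be used to reach
    # in-cluster or on-prem services that the rules above do not grant.
    # 169.254.0.0/16 (link-local, where cloud instance metadata endpoints
    # live) is excluded as well so it is not reachable via this rule.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
              - 169.254.0.0/16
      ports:
        - protocol: TCP
          port: 443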