Add default-deny-ingress NetworkPolicy for basketball-api namespace #268

Open
opened 2026-04-05 19:07:17 +00:00 by forgejo_admin · 0 comments

Type

Bug fix / security hardening

Lineage

Investigation of forgejo_admin/basketball-api#343 (Stripe webhooks unreachable)

Repo

forgejo_admin/pal-e-platform

Context

Investigation of forgejo_admin/basketball-api#343 revealed the basketball-api namespace is the only service namespace missing a default-deny-ingress NetworkPolicy. Every other namespace (monitoring, forgejo, woodpecker, harbor, minio, keycloak, postgres, ollama, staging) has one. This is a security gap — all ingress to basketball-api pods is currently unrestricted.

User Story

As a platform operator, I need the basketball-api namespace to have the same default-deny-ingress NetworkPolicy as every other service namespace, so that ingress traffic is explicitly allowed only from tailscale (funnel proxy) and monitoring (Prometheus scraping).

File Targets

  • terraform/network-policies.tf — add netpol_basketball_api resource

Acceptance Criteria

  • basketball-api namespace has a default-deny-ingress NetworkPolicy
  • Policy allows ingress from tailscale namespace
  • Policy allows ingress from monitoring namespace
  • tofu validate passes
  • tofu plan shows only the new NetworkPolicy resource

Test Expectations

  • kubectl get networkpolicy -n basketball-api returns default-deny-ingress
  • Funnel traffic from tailscale proxy still reaches basketball-api pods
  • Prometheus metrics scraping still works

Constraints

  • Must follow existing pattern in network-policies.tf
  • Must not disrupt existing basketball-api funnel traffic

Checklist

  • tofu fmt run
  • tofu validate passes
  • tofu plan -lock=false output included in PR

Related

  • forgejo_admin/basketball-api#343
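
The resource the issue asks for, written out as an added example; this is not the project's own `terraform/network-policies.tf` and the exact shape of the existing pattern there is unknown. It assumes the hashicorp/kubernetes provider, that the namespaces carry the `kubernetes.io/metadata.name` label (Kubernetes sets it on every namespace automatically since 1.22), and that the cluster CNI enforces NetworkPolicy objects (a cluster whose CNI does not enforce them accepts the object and silently allows everything). The policy is named `default-deny-ingress` so that the `kubectl get networkpolicy` check in the test expectations matches; because it selects every pod in the namespace and lists `Ingress` in `policy_types`, all basketball-api pods become isolated for ingress and only the two listed namespaces can reach them.

```hcl
# Added example, not the project's own code. Assumes the hashicorp/kubernetes
# provider and the automatic kubernetes.io/metadata.name namespace label.
resource "kubernetes_network_policy" "netpol_basketball_api" {
  metadata {
    name      = "default-deny-ingress"
    namespace = "basketball-api"
  }

  spec {
    # Empty pod_selector: the policy applies to every pod in the namespace.
    # Once a pod is selected by any policy with policy_types = ["Ingress"],
    # all ingress not matched by an ingress block below is dropped.
    pod_selector {}

    # Restrict ingress only; egress from basketball-api pods is untouched.
    policy_types = ["Ingress"]

    # Funnel proxy: the path Stripe webhooks and other public traffic take
    # (forgejo_admin/basketball-api#343), so this rule must stay.
    ingress {
      from {
        namespace_selector {
          match_labels = {
            "kubernetes.io/metadata.name" = "tailscale"
          }
        }
      }
    }

    # Prometheus scraping from the monitoring namespace.
    ingress {
      from {
        namespace_selector {
          match_labels = {
            "kubernetes.io/metadata.name" = "monitoring"
          }
        }
      }
    }
  }
}
```

Two things to check before merging. First, an `ingress` block with `from` and no `ports` admits every port from that namespace; if the funnel proxy and Prometheus each only need one port, add a `ports { protocol = "TCP" port = ... }` block to each rule with the real port numbers (they are not stated in the issue). Second, pod-to-pod traffic inside basketball-api is also denied by this policy, since the namespace is not in the allow list; if any basketball-api pod calls another, add a third rule with `from { pod_selector {} }`. After `tofu apply`, confirm the policy took effect by running a throwaway pod in a namespace that is not allowed (for example `kubectl run probe --rm -it --image=busybox -n default`) and checking that a connection to a basketball-api service times out while a request through the funnel proxy still succeeds.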