Phase 8a: Platform namespace NetworkPolicies in Terraform #76

Closed
opened 2026-03-15 03:35:24 +00:00 by forgejo_admin · 1 comment

Lineage

plan-pal-e-platform → Phase 8 (Network Security Hardening) → Phase 8a (NetworkPolicy — Pod-Level Isolation) → Deliverable 3

Repo

forgejo_admin/pal-e-platform

User Story

As a platform operator
I want NetworkPolicies on all platform namespaces (monitoring, argocd, harbor, etc.)
So that platform infrastructure pods are isolated from unauthorized cross-namespace traffic

Context

Service namespaces (6) already have default-deny ingress via kustomize base (PR #7 on pal-e-deployments, merged 2026-03-15). Platform namespaces (10) still have NO NetworkPolicies — they're managed by Terraform, not kustomize.

The full traffic map is documented in doc-network-traffic-map (pal-e-docs). Key design decisions:

  • Ingress-only default-deny — no egress restrictions (an egress default-deny would also block DNS to kube-system unless port 53 were explicitly allowed, and would break Woodpecker CI pipeline pods)
  • Namespace selectors use kubernetes.io/metadata.name label (auto-set by k8s API server, verified)
  • Promtail collects via hostPath — no ingress rules needed on target pods
  • Node-exporter uses hostNetwork — bypasses NetworkPolicy entirely
  • Harbor has complex internal mesh (9 pods, 11 services) — allow all same-namespace traffic
  • Woodpecker CI pipeline pods are ephemeral — need broad egress (not restricted in this PR)

File Targets

Files to create:

  • terraform/network-policies.tf — all platform namespace NetworkPolicies

Files NOT to touch:

  • terraform/main.tf — no changes needed (namespaces already exist)
  • terraform/variables.tf — no new variables
  • Any files outside terraform/

Acceptance Criteria

  • network-policies.tf contains kubernetes_manifest resources for all 10 platform namespaces
  • tofu validate passes
  • tofu fmt passes
  • tofu plan shows only NetworkPolicy additions (no modifications to existing resources)
  • Each policy uses policyTypes: ["Ingress"] only (no egress restriction)
  • Each policy allows the correct ingress sources per the traffic map

Test Expectations

  • tofu validate in terraform/ directory
  • tofu plan output shows ~10 new kubernetes_manifest resources, 0 changes, 0 destroys
  • Run: cd terraform && tofu validate && tofu plan -var-file=k3s.tfvars
  • After apply, spot-check enforcement: a pod in a namespace not listed in the traffic map must fail to reach forgejo-http:80 while a pod in woodpecker succeeds (tofu plan only proves the manifests are well-formed, not that the CNI enforces them)

Constraints

  • Follow existing kubernetes_manifest pattern from main.tf (see CNPG Cluster at line ~1462, PrometheusRule at line ~486)
  • Reference namespace resources via kubernetes_namespace_v1.<name>.metadata[0].name
  • Use depends_on to reference the namespace resource
  • Do NOT use kubernetes_network_policy resource — use kubernetes_manifest for consistency with existing patterns
  • New file network-policies.tf — do NOT add to main.tf (already 2200+ lines)

Traffic Map (from doc-network-traffic-map)

monitoring — allow from: tailscale (grafana:80, alertmanager:9093), same-namespace (all internal mesh). Note: Prometheus cross-namespace EGRESS is not restricted.

argocd — allow from: tailscale (argocd-server:80,443), same-namespace (all internal mesh).

forgejo — allow from: tailscale (forgejo-http:80), woodpecker namespace (forgejo-http:80 for clone).

woodpecker — allow from: tailscale (woodpecker-server:80), same-namespace (agent→server:9000, server→db:5432).

harbor — allow from: tailscale (harbor-nginx:80), same-namespace (all internal mesh), monitoring (harbor pods:8001 for metrics scrape).

minio — allow from: tailscale (minio:9000,9001), postgres namespace (CNPG backup:9000), woodpecker namespace (CNPG backup:9000).

keycloak — allow from: tailscale (keycloak:80).

postgres — allow from: pal-e-docs namespace (pal-e-postgres-rw:5432), cnpg-system namespace (operator:5432).

ollama — allow from: pal-e-docs namespace (ollama:11434 for embedding worker).

cnpg-system — allow from: kube-system (webhook callbacks:443). Note: operator EGRESS to postgres/woodpecker namespaces is not restricted. Caveat: on k3s the API server runs inside the k3s server process rather than as a pod in kube-system, so a namespaceSelector on kube-system may not match its webhook calls; after apply, confirm that creating or updating a CNPG Cluster still passes admission, and fall back to an ipBlock for the node address if it does not.

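The following is an added example of the kubernetes_manifest pattern the Constraints and Traffic Map sections describe, written for the forgejo namespace; it is not the project's network-policies.tf. It assumes the namespace resource is named kubernetes_namespace_v1.forgejo, that the Tailscale ingress proxies run in a namespace literally named tailscale, and that the Forgejo web pods carry the label app.kubernetes.io/name=forgejo; all three are assumptions and must be checked against main.tf and the cluster.

```hcl
# Added example, not the project's own code. Assumed names: the namespace
# resource kubernetes_namespace_v1.forgejo, a "tailscale" namespace for the
# ingress proxies, and the pod label app.kubernetes.io/name=forgejo.

# 1. Default-deny ingress for every pod in the namespace. policyTypes lists
#    only Ingress, so egress (DNS, outbound clones, etc.) stays unrestricted.
#    With no ingress rules, all inbound traffic to these pods is dropped.
resource "kubernetes_manifest" "netpol_forgejo_default_deny" {
  manifest = {
    apiVersion = "networking.k8s.io/v1"
    kind       = "NetworkPolicy"
    metadata = {
      name      = "default-deny-ingress"
      namespace = kubernetes_namespace_v1.forgejo.metadata[0].name
    }
    spec = {
      podSelector = {}          # empty selector = every pod in the namespace
      policyTypes = ["Ingress"] # ingress only; no egress restriction
    }
  }
  depends_on = [kubernetes_namespace_v1.forgejo]
}

# 2. Allow-list on top of the deny. NetworkPolicies are additive, so this
#    opens only forgejo-http:80 from the Tailscale ingress and from Woodpecker
#    (clone traffic); nothing else in the namespace becomes reachable.
resource "kubernetes_manifest" "netpol_forgejo_allow_http" {
  manifest = {
    apiVersion = "networking.k8s.io/v1"
    kind       = "NetworkPolicy"
    metadata = {
      name      = "allow-forgejo-http"
      namespace = kubernetes_namespace_v1.forgejo.metadata[0].name
    }
    spec = {
      podSelector = {
        matchLabels = { "app.kubernetes.io/name" = "forgejo" } # assumed label
      }
      policyTypes = ["Ingress"]
      ingress = [
        {
          from = [
            # kubernetes.io/metadata.name is set by the API server on every
            # namespace, so no extra labelling of source namespaces is needed.
            { namespaceSelector = { matchLabels = { "kubernetes.io/metadata.name" = "tailscale" } } },
            { namespaceSelector = { matchLabels = { "kubernetes.io/metadata.name" = "woodpecker" } } },
          ]
          ports = [{ protocol = "TCP", port = 80 }]
        }
      ]
    }
  }
  depends_on = [kubernetes_namespace_v1.forgejo]
}
```

Two resources per namespace keeps the port-80 allowance scoped to the Forgejo pods; collapsing to one policy with podSelector = {} and the ingress list attached would be closer to the "~10 resources" count in Test Expectations but would open port 80 on every pod in the namespace to those sources. Note also that kubernetes_manifest needs a reachable cluster at plan time to fetch the NetworkPolicy schema, so tofu plan -var-file=k3s.tfvars will fail without kubeconfig access even though tofu validate passes.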
Checklist

  • PR opened
  • tofu validate passes
  • tofu fmt passes
  • No unrelated changes

Related

  • pal-e-platform — parent project
  • doc-network-traffic-map — traffic assessment doc
  • phase-pal-e-platform-network-security — phase note
  • pal-e-deployments PR #7 — service namespace policies (already merged)
forgejo_admin (Author, Owner) 2026-03-15 03:45:40 +00:00

Reading issue body for review context...