fix: re-enable NetworkPolicies + add monitoring ingress to postgres policy #94

Closed
opened 2026-03-17 03:07:57 +00:00 by forgejo_admin · 0 comments

Lineage

bug-kube-router-ipset-empty (bug fix)

Repo

forgejo_admin/pal-e-platform

User Story

As a platform operator
I want NetworkPolicies re-enabled with correct ingress rules
So that Layer 1 of the three-layer security model is operational again

Context

NetworkPolicies were emergency-rolled-back (all deleted) after kube-router ipset population failure blocked all cross-namespace traffic for 44h. Investigation revealed kube-router is now functioning correctly — test NetworkPolicy created ipsets with 72+ pod IPs and proper match-set iptables rules.

All 9 policies were re-applied via tofu taint + tofu apply -target. Validation found one gap: the postgres namespace policy was missing monitoring namespace ingress, causing Prometheus to lose the postgres scrape target (37 UP, 1 DOWN).
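As an added illustration that is not part of this issue or the pal-e-platform repository, the following constructed Python evaluator models NetworkPolicy ingress semantics and reproduces the gap above: a postgres policy whose `from` peers omit the `monitoring` namespace denies the Prometheus scrape, and adding the namespace peer restores it. Namespace names (`apps`), pod labels and the policy name are assumptions; ports and ipBlock peers are not modelled.

```python
# Constructed example, not pal-e-platform code: minimal evaluator of Kubernetes NetworkPolicy
# ingress semantics, showing why a postgres policy without a `monitoring` peer drops the
# Prometheus scrape. Ports and ipBlock peers are not modelled.

def selector_matches(selector, labels):
    """Absent/empty selector matches everything; otherwise every matchLabels entry must match."""
    if not selector:
        return True
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, policy_ns, src_ns, src_ns_labels, src_pod_labels):
    """One `from` entry: namespaceSelector AND podSelector; podSelector-only = own namespace."""
    if "ipBlock" in peer:
        return False
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], src_ns_labels):
            return False
    elif src_ns != policy_ns:
        return False
    return selector_matches(peer.get("podSelector"), src_pod_labels)

def ingress_allowed(policies, dst_ns, dst_pod_labels, src_ns, src_ns_labels, src_pod_labels):
    """No selecting policy -> default allow (the rolled-back state); once selected -> deny unless a rule admits the source."""
    selecting = [p for p in policies if p["metadata"]["namespace"] == dst_ns
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and selector_matches(p["spec"].get("podSelector"), dst_pod_labels)]
    if not selecting:
        return True
    for rule in (r for p in selecting for r in p["spec"].get("ingress", [])):
        peers = rule.get("from")
        if not peers:  # a rule without `from` admits every source
            return True
        if any(peer_matches(pe, dst_ns, src_ns, src_ns_labels, src_pod_labels) for pe in peers):
            return True
    return False

def postgres_policy(allowed_namespaces):
    """Stand-in for the postgres policy: selects every pod, admits only the named namespaces
    (matched on the automatic kubernetes.io/metadata.name label)."""
    peers = [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": ns}}}
             for ns in allowed_namespaces]
    return {"metadata": {"name": "postgres-ingress", "namespace": "postgres"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{"from": peers}]}}

def scrape_from_monitoring(policies):
    """Can a Prometheus pod in `monitoring` reach a postgres pod under these policies?"""
    return ingress_allowed(policies, "postgres", {"app": "postgres"}, "monitoring",
                           {"kubernetes.io/metadata.name": "monitoring"}, {"app": "prometheus"})

BEFORE = [postgres_policy(["apps"])]               # the gap validation found: scrape target DOWN
AFTER = [postgres_policy(["apps", "monitoring"])]  # the fix this issue asks for
```

Feeding it the output of `kubectl get networkpolicies -A -o json` (the `items` list) instead of the constructed policies gives the same check against the live cluster.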

File Targets

Files to modify:

  • terraform/network-policies.tf — add monitoring namespace to postgres NetworkPolicy ingress rules

Files NOT to touch:

  • Everything else — the re-application was done via targeted tofu apply, not code changes

Acceptance Criteria

  • All 9 NetworkPolicies active across platform namespaces
  • Prometheus targets: 38/38 UP (including postgres)
  • All services reachable via Tailscale funnels (200/302 responses)
  • ipsets populated (32+ sets with pod IPs)

Test Expectations

  • kubectl get networkpolicies -A shows 9 policies
  • Prometheus targets check: wget -qO- http://localhost:9090/api/v1/targets shows 0 DOWN
  • Service reachability: curl all funnel URLs

Constraints

  • Must use -lock=false for tofu plan in agent prompts
  • Targeted applies already done for 9 policies — this PR only adds the missing monitoring ingress rule

Checklist

  • PR opened
  • tofu fmt -check passes
  • tofu validate passes
  • No unrelated changes

Related

  • pal-e-platform — project
  • bug-kube-router-ipset-empty — root bug
  • sop-network-security — three-layer architecture
forgejo_admin 2026-03-17 03:09:53 +00:00