Discovered scope: basketball-api default-deny NetworkPolicy #9

Open
opened 2026-03-28 19:25:25 +00:00 by forgejo_admin · 1 comment

Type

Feature

Lineage

Discovered during review-595-2026-03-28 scope review. basketball-api currently has no NetworkPolicy — traffic from all namespaces is unrestricted.

Repo

forgejo_admin/pal-e-platform

User Story

As a platform operator
I want basketball-api to have a default-deny ingress NetworkPolicy
So that only authorized namespaces can reach it

Context

During the westside-ai-assistant NetworkPolicy review, it was discovered that basketball-api has no ingress NetworkPolicy in network-policies.tf. All platform services (monitoring, forgejo, woodpecker, harbor, minio, keycloak, postgres, ollama, cnpg-system) have NetworkPolicies, but application namespaces do not. This means any pod in any namespace can reach basketball-api. Not urgent for V1 but should be addressed for security posture.

File Targets

Files the agent should modify:

  • terraform/network-policies.tf — add default-deny ingress + allowlist for basketball-api namespace (allow from: westsidekingsandqueens, westside-ai-assistant, monitoring)

Files the agent should NOT touch:

  • Other NetworkPolicies
  • Application code

Acceptance Criteria

  • basketball-api namespace has default-deny ingress NetworkPolicy
  • Allowlist includes: westsidekingsandqueens, westside-ai-assistant, monitoring, tailscale
  • tofu plan -lock=false shows only basketball-api NetworkPolicy addition
  • Existing services (westside-app) still reach basketball-api after apply

Test Expectations

  • tofu validate passes
  • tofu plan -lock=false output in PR
  • Run command: cd terraform && tofu validate && tofu plan -lock=false

Constraints

  • Follow existing NetworkPolicy pattern in network-policies.tf
  • Must include tailscale namespace for funnel ingress
  • Do NOT run tofu apply
  • PR goes to pal-e-platform repo

Checklist

  • PR opened on pal-e-platform
  • tofu plan output in PR
  • No unrelated changes

Related

  • project-westside-ai-assistant — discovered during this project
  • project-pal-e-platform — target repo
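For reference, this is what the requested object looks like as a Kubernetes manifest; it is an added illustration, not the repo's network-policies.tf or networkpolicy.yaml, and it assumes the namespace is literally named basketball-api and that the cluster sets the automatic kubernetes.io/metadata.name label on namespaces.

```yaml
# Added illustration, not the repo's own networkpolicy.yaml or network-policies.tf.
# Assumes the target namespace is "basketball-api" and that namespaces carry the
# automatic kubernetes.io/metadata.name label.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: basketball-api-ingress
  namespace: basketball-api
spec:
  # Empty podSelector: the policy applies to every pod in the namespace.
  podSelector: {}
  policyTypes:
    - Ingress          # egress is left unrestricted by this policy
  ingress:
    # One namespaceSelector per allowlist entry from the acceptance criteria.
    # Any source not matched by some rule (including other app namespaces and
    # pods inside basketball-api itself) is denied, because a pod selected by a
    # policy with policyTypes: [Ingress] only accepts matched ingress traffic.
    # No "ports" list means all ports from these namespaces are allowed.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: westsidekingsandqueens
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: westside-ai-assistant
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: tailscale
```

Enforcement is done by the CNI, so `kubectl get networkpolicy -n basketball-api` only proves the object exists; verify by checking reachability from an allowed namespace and from one that is not listed, and add a `podSelector: {}` peer if pods within basketball-api need to talk to each other.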
Author
Owner

Scope Review: NEEDS_REFINEMENT

Review note: review-605-2026-03-28

Wrong repo and wrong layer. The ticket targets terraform/network-policies.tf in pal-e-platform, but basketball-api is an application namespace managed by pal-e-deployments (kustomize/ArgoCD), not a platform namespace managed by terraform. A commented-out NetworkPolicy base and overlay patch already exist in pal-e-deployments.

Key issues:

  • Repo mismatch: Should target pal-e-deployments, not pal-e-platform. The work is uncommenting existing code + adding westside-ai-assistant to the allowlist.
  • Blocker: All application NetworkPolicies are disabled due to kube-router ipset bug (Forgejo #24). Ticket is not actionable until that's resolved.
  • Blast radius: Uncommenting the base networkpolicy.yaml enables NetworkPolicies for ALL 8 app namespaces, not just basketball-api. Needs a scoping decision on per-app vs platform-wide enablement.
  • Wrong test commands: Should use kustomize build, not tofu plan.

Two decisions needed before refinement:

  1. Should the kube-router bug (#24) be resolved first, or should this ticket be deferred?
  2. Should this be re-scoped as "enable all application NetworkPolicies" or just basketball-api?
Reference
forgejo_admin/westside-ai-assistant#9