139b81f
Fixing db network policy bug, adding new qtodo egress network policie…
Apr 9, 2026
0e270ec
cleaning all changes
Apr 10, 2026
e3d7b40
db network policy file change
Apr 10, 2026
e460c98
feat: add qtodo egress NetworkPolicy (port-restricted, no default-deny)
Apr 10, 2026
eb893da
fixing the namespace name
Apr 10, 2026
df49c66
changing the ingress policy, to allow qtodo correct network communica…
Apr 10, 2026
41b8407
NP tweaks
Apr 10, 2026
95968d2
removing egress qtodo network policies due to problems with OVN-K and…
Apr 10, 2026
ddf1f4f
Merge branch 'main' of github.com:validatedpatterns/layered-zero-trus…
Apr 21, 2026
6e845a9
sync with PR#125
Apr 22, 2026
53cfef9
Pushing correct, fully covered network polices, with correct DNS port…
Apr 22, 2026
edc5e46
openshift-ingress labels update, because policy-group.network.openshi…
Apr 22, 2026
a545391
changing the namespaceSelector: for Keycloak, because here Keycloak a…
Apr 22, 2026
bed618b
Adding default deny policy
Apr 22, 2026
b495244
Merge branch 'validatedpatterns:main' into network-policy
p-rog Apr 29, 2026
8706879
Testing Vault ingress/egress network policies
Apr 30, 2026
ad649cf
Testing Vault network policies
Apr 30, 2026
33d9f5b
adding Vault network policies
p-rog May 7, 2026
d05932d
Merge branch 'validatedpatterns:main' into network-policy
p-rog May 12, 2026
054629a
Enabling keyclok network policies
p-rog May 13, 2026
c842e9b
Merge branch 'validatedpatterns:main' into network-policy
p-rog May 15, 2026
d673207
adding realmImport NP
p-rog May 15, 2026
3017777
Merge branch 'validatedpatterns:main' into network-policy
p-rog Jun 2, 2026
d8e60d9
Merge branch 'validatedpatterns:main' into network-policy
p-rog Jun 12, 2026
df45821
Add NetworkPolicy for the ZTWIM namespace
p-rog Jun 12, 2026
103 changes: 103 additions & 0 deletions overrides/values-ztwim-network-policy.yaml
@@ -0,0 +1,103 @@
defaultDenyNetworkPolicy:
enabled: true

networkPolicy:
spireServer:
enabled: true
ingress:
# gRPC API — from spire-agents (hostNetwork, node IPs — port-only rule required)
- ports:
- protocol: TCP
port: 8081
# Federation bundle endpoint — from OCP router
- ports:
- protocol: TCP
port: 8443
from:
- namespaceSelector:
matchLabels:
policy-group.network.openshift.io/ingress: ""
# Controller-manager webhook — from K8s API (node IPs after DNAT — port-only rule)
- ports:
- protocol: TCP
port: 9443
# Prometheus metrics
- ports:
- protocol: TCP
port: 9402
egress:
# DNS resolution via CoreDNS
- ports:
- protocol: UDP
port: 5353
- protocol: TCP
port: 5353
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-dns
# Kubernetes API server — k8s_psat token validation, k8sbundle notifier
- ports:
- protocol: TCP
port: 6443

oidcDiscoveryProvider:
enabled: true
ingress:
# HTTPS — from OCP router (reencrypt route for JWKS/OIDC discovery)
# Consumed by Vault (JWT auth) and Keycloak (SPIFFE IdP) via external route
- ports:
- protocol: TCP
port: 8443
from:
- namespaceSelector:
matchLabels:
policy-group.network.openshift.io/ingress: ""
egress:
# DNS resolution via CoreDNS
- ports:
- protocol: UDP
port: 5353
- protocol: TCP
port: 5353
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-dns

csiDriver:
enabled: true
egress:
# DNS resolution via CoreDNS
- ports:
- protocol: UDP
port: 5353
- protocol: TCP
port: 5353
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-dns

operator:
enabled: true
ingress:
# Metrics
- ports:
- protocol: TCP
port: 8443
egress:
# DNS resolution via CoreDNS
- ports:
- protocol: UDP
port: 5353
- protocol: TCP
port: 5353
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-dns
# Kubernetes API server — manages SPIRE CRs, watches resources
- ports:
- protocol: TCP
port: 6443
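Review bot: The two metrics rules — spireServer ingress on 9402 (the `# Prometheus metrics` rule) and operator ingress on 8443 (`# Metrics`) — carry no `from:` selector, so even with defaultDenyNetworkPolicy enabled any pod in the cluster can reach those ports. The port-only rules on 8081 and 9443 have comments explaining why a selector cannot be used there (hostNetwork agents, API server traffic after DNAT), but the metrics scraper is an ordinary Prometheus pod that a namespaceSelector can pin down in the same shape this file already uses for the router and DNS rules. Which namespace scrapes ZTWIM is not visible here — presumably openshift-monitoring, or openshift-user-workload-monitoring if user-workload monitoring is enabled — so confirm against the ServiceMonitor before applying. If the port must stay open for a reason not shown in this diff, a comment like the ones on the 8081/9443 rules should state it.
```yaml
# Prometheus metrics — from the cluster monitoring Prometheus only
- ports:
    - protocol: TCP
      port: 9402
  from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-monitoring  # or openshift-user-workload-monitoring — confirm
# … unchanged: spireServer egress rules; apply the same from: selector to the operator 8443 metrics rule …
```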
2 changes: 2 additions & 0 deletions values-hub.yaml
Expand Up @@ -470,6 +470,8 @@ clusterGroup:
argoProject: hub
chart: ztwim
chartVersion: 0.1.*
extraValueFiles:
- /overrides/values-ztwim-network-policy.yaml
annotations:
argocd.argoproj.io/sync-wave: "30"
overrides: