New platform/network-policies/ Blueprint scaffold per design doc §3.9 row 8.
Ships the cluster-wide zero-trust primitives that EPIC-5 (#1100) activates
as part of the networking roll-out.
What ships:
- platform/network-policies/blueprint.yaml — bp-network-policies 1.0.0
- platform/network-policies/chart/Chart.yaml — Helm chart, no upstream sub-chart
- platform/network-policies/chart/values.yaml — gate (enabled: false default)
- platform/network-policies/chart/templates/default-deny.yaml — CCNP that
denies all ingress + egress at endpointSelector: {} (full-cluster scope)
- platform/network-policies/chart/templates/allow-system-namespaces.yaml —
CCNP allowing full traffic for kube-system, flux-system, cilium,
cert-manager, catalyst, openova-system, monitoring, ingress (set is
parametric via .Values.allowSystemNamespaces — operator extends per
Sovereign for gitea/harbor/loki etc.)
- platform/network-policies/chart/templates/allow-egress-dns.yaml — CCNP
permitting UDP/TCP/53 to CoreDNS from every Pod (without this the cluster
is unbootable under default-deny — first DNS lookup fails)
Why a separate Blueprint, not bp-cilium:
- bp-cilium is foundational, installed on every cluster on day 0.
Default-deny breaks every workload that hasn't been allowlisted, so it
cannot ship in bp-cilium without operator opt-in semantics.
- Separate Blueprint with enabled: false default preserves the safety
boundary. EPIC-5 wires the activation when the rest of the zero-trust
story is ready.
Per-namespace intra-namespace allow is intentionally NOT in this slice:
- Cilium CCNPs cannot express "same namespace as the source Pod" without
listing every namespace, which contradicts dynamic Org provisioning.
- That allow rule is rendered as a per-namespace CiliumNetworkPolicy (CNP,
namespace-scoped) by organization-controller (slice C1 of #1095) at
Organization creation time. README + values.yaml note this for
downstream Implementers.
Per docs/INVIOLABLE-PRINCIPLES.md #4, every policy parameter
(allowSystemNamespaces list, dnsNamespace, dnsServiceName) is in
values.yaml, not hardcoded.
Validated:
- helm template with default values: 0 resources rendered (gate works)
- helm template with enabled=true: exactly 3 CCNPs rendered (default-deny,
allow-system-namespaces, allow-egress-dns), all parse cleanly through
python yaml.safe_load_all
- CCNP CRD validation will happen on Sovereigns where bp-cilium is
installed; local k3s here uses flannel so server-side dry-run is
unavailable
Refs: #1094, #1095, #1100, docs/EPICS-1-6-unified-design.md §3.9 row 8 +
§8 (EPIC-5), ADR-0001 §2 (zero-trust).
Co-authored-by: hatiyildiz <hatiyildiz@noreply.openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
68c68eaf7a