68c68eaf7a
New platform/network-policies/ Blueprint scaffold per design doc §3.9 row 8. Ships the cluster-wide zero-trust primitives that EPIC-5 (#1100) activates as part of the networking roll-out. What ships: - platform/network-policies/blueprint.yaml — bp-network-policies 1.0.0 - platform/network-policies/chart/Chart.yaml — Helm chart, no upstream sub-chart - platform/network-policies/chart/values.yaml — gate (enabled: false default) - platform/network-policies/chart/templates/default-deny.yaml — CCNP that denies all ingress + egress at endpointSelector: {} (full-cluster scope) - platform/network-policies/chart/templates/allow-system-namespaces.yaml — CCNP allowing full traffic for kube-system, flux-system, cilium, cert-manager, catalyst, openova-system, monitoring, ingress (set is parametric via .Values.allowSystemNamespaces — operator extends per Sovereign for gitea/harbor/loki etc.) - platform/network-policies/chart/templates/allow-egress-dns.yaml — CCNP permitting UDP/TCP/53 to CoreDNS from every Pod (without this the cluster is unbootable under default-deny — first DNS lookup fails) Why a separate Blueprint, not bp-cilium: - bp-cilium is foundational, installed on every cluster on day 0. Default-deny breaks every workload that hasn't been allowlisted, so it cannot ship in bp-cilium without operator opt-in semantics. - Separate Blueprint with enabled: false default preserves the safety boundary. EPIC-5 wires the activation when the rest of the zero-trust story is ready. Per-namespace intra-namespace allow is intentionally NOT in this slice: - Cilium CCNPs cannot express "same namespace as the source Pod" without listing every namespace, which contradicts dynamic Org provisioning. - That allow rule is rendered as a per-namespace CiliumNetworkPolicy (CNP, namespace-scoped) by organization-controller (slice C1 of #1095) at Organization creation time. README + values.yaml note this for downstream Implementers. Per docs/INVIOLABLE-PRINCIPLES.md #4, every policy parameter (allowSystemNamespaces list, dnsNamespace, dnsServiceName) is in values.yaml, not hardcoded. Validated: - helm template with default values: 0 resources rendered (gate works) - helm template with enabled=true: exactly 3 CCNPs rendered (default-deny, allow-system-namespaces, allow-egress-dns), all parse cleanly through python yaml.safe_load_all - CCNP CRD validation will happen on Sovereigns where bp-cilium is installed; local k3s here uses flannel so server-side dry-run is unavailable Refs: #1094, #1095, #1100, docs/EPICS-1-6-unified-design.md §3.9 row 8 + §8 (EPIC-5), ADR-0001 §2 (zero-trust). Co-authored-by: hatiyildiz <hatiyildiz@noreply.openova.io> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
31 lines
1.1 KiB
YAML
31 lines
1.1 KiB
YAML
# Master gate. Default off — installing this Blueprint is a no-op until
|
|
# flipped. EPIC-5 (#1100) flips it as part of the zero-trust roll-out.
|
|
enabled: false
|
|
|
|
# Catalyst control-plane namespaces that need full ingress/egress so the
|
|
# platform itself stays up after default-deny is applied. Operators can
|
|
# extend per-Sovereign (e.g. add `gitea`, `harbor`, `loki` if those run
|
|
# in their own namespaces).
|
|
allowSystemNamespaces:
|
|
- kube-system
|
|
- flux-system
|
|
- cilium
|
|
- cert-manager
|
|
- catalyst
|
|
- openova-system
|
|
- monitoring
|
|
- ingress
|
|
|
|
# NOTE: Pod-to-Pod within the SAME namespace is NOT handled here. Cilium
|
|
# CCNPs can't express "same namespace as the source Pod" without listing
|
|
# every namespace explicitly — that's a per-tenant concern that the
|
|
# organization-controller (slice C1 of #1095) renders as a per-namespace
|
|
# CiliumNetworkPolicy (CNP, not CCNP) at Organization creation time. This
|
|
# Blueprint handles only the cluster-wide policies.
|
|
|
|
# Allow egress to CoreDNS from every namespace (without this, Pods break
|
|
# on first DNS lookup).
|
|
allowEgressDNS: true
|
|
dnsNamespace: kube-system
|
|
dnsServiceName: kube-dns
|