feat(network-policies): cross-namespace ingress isolation (Cilium + Kyverno)#402
Merged
…yverno) Cluster-wide cross-namespace isolation: ingress is default-denied per namespace (same-namespace allowed), egress left open. A pod accepts a cross-namespace connection only when an allow exists.
- network-policies/cross-ns-isolation-generator.yaml: Kyverno ClusterPolicy that generates a default-deny-ingress NetworkPolicy into every non-system namespace, including ones created later (new apps). generateExisting backfills existing namespaces; synchronize keeps them aligned and removes them on rollback. A standard networking.k8s.io NetworkPolicy is generated so Kyverno needs no extra RBAC; Cilium merges it additively with the Cilium allows.
- network-policies/allow-from-infra.yaml: universal ingress allows (host/remote-node/kube-apiserver/health, Envoy Gateway, grafana monitoring).
- East-west (app-to-app) allows live in each receiving app's directory as a CiliumNetworkPolicy: vault, postgres-shared, atc (postgres-mcp), grafana, cloudflare-exporter.
Excludes kube-system/kube-node-lease/kube-public/kyverno. Allow set derived from Hubble flow capture cross-checked with repo manifests and live Services; gap checks and server-side dry-run pass.
What
Cluster-wide cross-namespace ingress isolation using Cilium + Kyverno. Ingress is default-denied per namespace (same-namespace allowed); egress is left open, so internet / DNS / API-server access is unaffected.

How
- network-policies/cross-ns-isolation-generator.yaml: a Kyverno ClusterPolicy generates a default-deny-ingress NetworkPolicy into every non-system namespace, including ones created later (new apps). generateExisting backfills existing namespaces; synchronize keeps them aligned and removes them on rollback. A standard networking.k8s.io NetworkPolicy is generated (no extra Kyverno RBAC); Cilium merges it additively with the Cilium allows.
- network-policies/allow-from-infra.yaml: universal ingress allows: host/remote-node (kubelet probes), kube-apiserver (webhooks), health, envoy-gateway-system (ingress proxy), grafana (Prometheus scrape + operator).
- East-west (app-to-app) allows live in each receiving app's directory as a CiliumNetworkPolicy:
  - postgres-shared: postgres-shared/networkpolicy.yaml
  - vault: vault/networkpolicy.yaml
  - atc (app=postgres-mcp): atc/network-policy-openwebui-to-mcp.yaml
  - grafana: grafana/networkpolicy.yaml
  - cloudflare-exporter (app=cloudflare-grafana): cloudflare-exporter/networkpolicy.yaml
- Excludes kube-system/kube-node-lease/kube-public/kyverno.

Derivation & validation
Allow set derived from a Hubble flow capture across all nodes, cross-checked against repo manifests, live Services and existing per-app NetworkPolicies (the grafana←monitoring:9090 datasource edge was found by static analysis; it only fires on dashboard render). Validated: kustomize build, kubeconform --strict (9/9), server-side dry-run (Cilium + Kyverno admission), and a live test confirming a new namespace receives the generated policy in ~1-2s.

root-app auto-syncs apps/, so merging default-denies ingress across all non-excluded namespaces at once (generateExisting). To stage, scope the generator to a pilot namespace, watch hubble observe --verdict DROPPED, then widen.

Rollback: delete the cross-ns-isolation ClusterPolicy; synchronize removes every generated policy and namespaces revert to default-allow. See network-policies/README.md.

Supersedes #139.