Update/add-workspace-policy-for-opal

[m1p1h]

Enable workspaces to access Opal.

[Copilot]

Pull request overview

This PR updates the per-project CiliumNetworkPolicy template used to isolate project/workspace namespaces, expanding allowed traffic so project pods can communicate with the namespace hosting Opal-related services.

Changes:

• Allow ingress from the datashield namespace into project namespaces.
• Allow egress from project namespaces to the datashield namespace.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The new ingress rule allows any pod in the datashield namespace to initiate connections into every project namespace. If the goal is only to let workspace pods access Opal/Datashield services, this ingress allowance is likely unnecessary and materially widens lateral-movement risk; consider removing this ingress entry (or narrowing it to the specific Datashield/Opal components that truly need inbound access).

Suggested change

	# Allow from datashield namespace
	- fromEndpoints:
	- matchLabels:
	k8s:io.kubernetes.pod.namespace: datashield

[Copilot]

This egress rule permits project pods to connect to any endpoint in the entire datashield namespace on any port. If the intent is specifically “access Opal”, consider restricting the rule to the relevant destination labels (e.g., Opal/Postgres pods) and required ports to avoid over-broad access to other Datashield workloads.

Suggested change

	# Allow to datashield namespace
	- toEndpoints:
	- matchLabels:
	k8s:io.kubernetes.pod.namespace: datashield
	# Allow to datashield namespace (restricted to HTTPS)
	- toEndpoints:
	- matchLabels:
	k8s:io.kubernetes.pod.namespace: datashield
	toPorts:
	- ports:
	- port: "443"
	protocol: TCP

[vvcb]

@m1p1h these network policies are too permissive. They need to be applied on a per-project basis rather than global.

And DataSHIELD does not need access to all project workspaces and vice versa.

[m1p1h]

@m1p1h these network policies are too permissive. They need to be applied on a per-project basis rather than global.

And DataSHIELD does not need access to all project workspaces and vice versa.

@vvcb agreed - this was a quick fix to get the workspace Ive set up for Roberto/Olly working - I patched it locally so this isnt needed anymore.

But there's a bigger piece of work required here to review and amend all cilium policies across the board. e.g. the other default cilium policies the operator defines allows projects to access all pods within a services namespace at the moment.