diff --git a/apps-gx10/fc-worldbuilder/deployment-worldbuilder-web.json b/apps-gx10/fc-worldbuilder/deployment-worldbuilder-web.json
index 3932bed..39af77c 100644
--- a/apps-gx10/fc-worldbuilder/deployment-worldbuilder-web.json
+++ b/apps-gx10/fc-worldbuilder/deployment-worldbuilder-web.json
@@ -187,10 +187,13 @@
 "dnsPolicy": "ClusterFirst",
 "restartPolicy": "Always",
 "schedulerName": "default-scheduler",
- "securityContext": {
- "fsGroup": 1654,
- "fsGroupChangePolicy": "OnRootMismatch"
- },
+ "securityContext": {
+ "fsGroup": 1654,
+ "fsGroupChangePolicy": "OnRootMismatch",
+ "seccompProfile": {
+ "type": "RuntimeDefault"
+ }
+ },
 "terminationGracePeriodSeconds": 30,
 "volumes": [
 {
diff --git a/apps-gx10/fc-worldbuilder/namespace-fc-worldbuilder.json b/apps-gx10/fc-worldbuilder/namespace-fc-worldbuilder.json
index c61e462..1542374 100644
--- a/apps-gx10/fc-worldbuilder/namespace-fc-worldbuilder.json
+++ b/apps-gx10/fc-worldbuilder/namespace-fc-worldbuilder.json
@@ -7,7 +7,13 @@
 "app.kubernetes.io/name": "fc-worldbuilder",
 "app.kubernetes.io/part-of": "flowercore",
 "flowercore.io/created-by": "bluejay-infra",
- "flowercore.io/tenant-id": "system"
+ "flowercore.io/tenant-id": "system",
+ "pod-security.kubernetes.io/enforce": "restricted",
+ "pod-security.kubernetes.io/enforce-version": "latest",
+ "pod-security.kubernetes.io/audit": "restricted",
+ "pod-security.kubernetes.io/audit-version": "latest",
+ "pod-security.kubernetes.io/warn": "restricted",
+ "pod-security.kubernetes.io/warn-version": "latest"
 },
 "name": "fc-worldbuilder"
 }
diff --git a/apps-gx10/fc-worldbuilder/networkpolicy-fc-worldbuilder-default-deny.json b/apps-gx10/fc-worldbuilder/networkpolicy-fc-worldbuilder-default-deny.json
new file mode 100644
index 0000000..b067e27
--- /dev/null
+++ b/apps-gx10/fc-worldbuilder/networkpolicy-fc-worldbuilder-default-deny.json
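Review bot: The pod-level `seccompProfile` added here covers only one of the restricted-profile requirements; the container `securityContext` that must carry the rest (`"allowPrivilegeEscalation": false`, `"capabilities": { "drop": ["ALL"] }`, `"runAsNonRoot": true`) lies outside this hunk, and with `pod-security.kubernetes.io/enforce: restricted` landing on the namespace in the same commit a pod template missing any of them is rejected at admission. A container-level `seccompProfile`, if one exists in the part of the template not shown, overrides this pod-level value, so an `Unconfined` there would still fail enforcement. Confirm those container fields before both files are applied together; the pod spec continues past the hunk on both sides.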
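Review bot: `"pod-security.kubernetes.io/enforce-version": "latest"` ties the enforced `restricted` profile to whatever version the API server happens to run, so a cluster upgrade can tighten the rules and start rejecting pods in this namespace with no change to these manifests. Pin the enforce label to the version the workloads were validated against, e.g. `"pod-security.kubernetes.io/enforce-version": "v1.<minor>"` (placeholder; use the current cluster minor), while `audit` and `warn` can stay on `latest` to surface upcoming requirements early. Enforcement gates pod creation only, so a template that no longer complies shows up at the next rollout rather than when this label is applied.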
@@ -0,0 +1,15 @@
+{
+ "apiVersion": "networking.k8s.io/v1",
+ "kind": "NetworkPolicy",
+ "metadata": {
+ "name": "fc-worldbuilder-default-deny",
+ "namespace": "fc-worldbuilder"
+ },
+ "spec": {
+ "podSelector": {},
+ "policyTypes": [
+ "Ingress",
+ "Egress"
+ ]
+ }
+}
diff --git a/apps-gx10/fc-worldbuilder/networkpolicy-worldbuilder-web.json b/apps-gx10/fc-worldbuilder/networkpolicy-worldbuilder-web.json
new file mode 100644
index 0000000..416ecbb
--- /dev/null
+++ b/apps-gx10/fc-worldbuilder/networkpolicy-worldbuilder-web.json
@@ -0,0 +1,93 @@
+{
+ "apiVersion": "networking.k8s.io/v1",
+ "kind": "NetworkPolicy",
+ "metadata": {
+ "name": "worldbuilder-web",
+ "namespace": "fc-worldbuilder"
+ },
+ "spec": {
+ "podSelector": {
+ "matchLabels": {
+ "app.kubernetes.io/name": "worldbuilder-web"
+ }
+ },
+ "policyTypes": [
+ "Ingress",
+ "Egress"
+ ],
+ "ingress": [
+ {
+ "from": [
+ {
+ "namespaceSelector": {
+ "matchLabels": {
+ "kubernetes.io/metadata.name": "traefik-system"
+ }
+ }
+ }
+ ],
+ "ports": [
+ {
+ "port": 8080,
+ "protocol": "TCP"
+ }
+ ]
+ },
+ {
+ "from": [
+ {
+ "namespaceSelector": {
+ "matchLabels": {
+ "kubernetes.io/metadata.name": "monitoring"
+ }
+ }
+ }
+ ],
+ "ports": [
+ {
+ "port": 8080,
+ "protocol": "TCP"
+ }
+ ]
+ }
+ ],
+ "egress": [
+ {
+ "to": [
+ {
+ "namespaceSelector": {
+ "matchLabels": {
+ "kubernetes.io/metadata.name": "kube-system"
+ }
+ }
+ }
+ ],
+ "ports": [
+ {
+ "port": 53,
+ "protocol": "UDP"
+ },
+ {
+ "port": 53,
+ "protocol": "TCP"
+ }
+ ]
+ },
+ {
+ "to": [
+ {
+ "ipBlock": {
+ "cidr": "10.0.56.20/32"
+ }
+ }
+ ],
+ "ports": [
+ {
+ "port": 8188,
+ "protocol": "TCP"
+ }
+ ]
+ }
+ ]
+ }
+}
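Review bot: With `"podSelector": {}` and both policy types, every pod in `fc-worldbuilder` that is not matched by a more specific allow policy loses all traffic, DNS included; only `worldbuilder-web` receives an allow policy in this commit, so any other workload in the namespace (a job, a migration hook, a helper deployment) would go dark on apply — confirm none exists, or add an allow policy per workload alongside this one. JSON cannot carry an inline comment, so record the intent in metadata, e.g. `"annotations": { "description": "Namespace baseline: deny all ingress and egress; per-workload allow rules live in networkpolicy-<workload>.json" }` (constructed example), so the next maintainer does not mistake this for an orphaned policy.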
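Review bot: The DNS egress rule selects every pod in `kube-system` on port 53 rather than the resolver; adding a pod selector inside the same `to` entry, `"podSelector": { "matchLabels": { "k8s-app": "kube-dns" } }`, limits it to the CoreDNS pods (confirm that label on this cluster's DNS deployment). The two ingress rules have the same shape — any pod in `traefik-system` or `monitoring` may reach 8080 — and would benefit from the same narrowing wherever the ingress controller and the scraper carry a stable label. The last egress rule pins a backend by address, `10.0.56.20/32` on 8188; if that endpoint is an in-cluster service, a namespace and pod selector would survive an IP change, and if it is external, an annotation naming what lives there would stand in for the comment JSON cannot hold. Nothing else is allowed out (no API server, no other `fc-worldbuilder` pods), which is presumably intended — verify against the application's actual dependencies before enforcing.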