From 11122b5139633b90faf825a65d2f38901d049897 Mon Sep 17 00:00:00 2001
From: Andrew Stoltz <1578013+astoltz@users.noreply.github.com>
Date: Sun, 21 Jun 2026 02:57:57 -0500
Subject: [PATCH] Apply SEC-7 baseline to WorldBuilder

---
 .../deployment-worldbuilder-web.json | 11 ++-
 .../namespace-fc-worldbuilder.json | 8 +-
 ...rkpolicy-fc-worldbuilder-default-deny.json | 15 +++
 .../networkpolicy-worldbuilder-web.json | 93 +++++++++++++++++++
 4 files changed, 122 insertions(+), 5 deletions(-)
 create mode 100644 apps-gx10/fc-worldbuilder/networkpolicy-fc-worldbuilder-default-deny.json
 create mode 100644 apps-gx10/fc-worldbuilder/networkpolicy-worldbuilder-web.json

diff --git a/apps-gx10/fc-worldbuilder/deployment-worldbuilder-web.json b/apps-gx10/fc-worldbuilder/deployment-worldbuilder-web.json
index 3932bed..39af77c 100644
--- a/apps-gx10/fc-worldbuilder/deployment-worldbuilder-web.json
+++ b/apps-gx10/fc-worldbuilder/deployment-worldbuilder-web.json
@@ -187,10 +187,13 @@
 "dnsPolicy": "ClusterFirst",
 "restartPolicy": "Always",
 "schedulerName": "default-scheduler",
- "securityContext": {
- "fsGroup": 1654,
- "fsGroupChangePolicy": "OnRootMismatch"
- },
+ "securityContext": {
+ "fsGroup": 1654,
+ "fsGroupChangePolicy": "OnRootMismatch",
+ "seccompProfile": {
+ "type": "RuntimeDefault"
+ }
+ },
 "terminationGracePeriodSeconds": 30,
 "volumes": [
 {
diff --git a/apps-gx10/fc-worldbuilder/namespace-fc-worldbuilder.json b/apps-gx10/fc-worldbuilder/namespace-fc-worldbuilder.json
index c61e462..1542374 100644
--- a/apps-gx10/fc-worldbuilder/namespace-fc-worldbuilder.json
+++ b/apps-gx10/fc-worldbuilder/namespace-fc-worldbuilder.json
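Review bot: Adding the pod-level `seccompProfile` satisfies only one requirement of the `restricted` profile that this same commit enforces on the namespace; that profile also rejects any container that does not set `allowPrivilegeEscalation: false`, `capabilities: {"drop": ["ALL"]}` and `runAsNonRoot: true` (the last may be set at pod level instead), and it limits volume types, so anything like a hostPath in the `volumes` list that starts at the bottom of this hunk is rejected too. None of the container-level fields appear in this hunk and the pod spec continues outside it, so this can only be confirmed against the rest of the file. If they are missing, the Deployment is still admitted (enforce mode acts on Pods; workload objects only get a warning) but its ReplicaSet's Pods are refused and the rollout stalls with no ready replicas. Since changing the pod template here triggers that rollout immediately, a `kubectl apply --dry-run=server` against the labelled namespace before merging would surface this.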
@@ -7,7 +7,13 @@
 "app.kubernetes.io/name": "fc-worldbuilder",
 "app.kubernetes.io/part-of": "flowercore",
 "flowercore.io/created-by": "bluejay-infra",
- "flowercore.io/tenant-id": "system"
+ "flowercore.io/tenant-id": "system",
+ "pod-security.kubernetes.io/enforce": "restricted",
+ "pod-security.kubernetes.io/enforce-version": "latest",
+ "pod-security.kubernetes.io/audit": "restricted",
+ "pod-security.kubernetes.io/audit-version": "latest",
+ "pod-security.kubernetes.io/warn": "restricted",
+ "pod-security.kubernetes.io/warn-version": "latest"
 },
 "name": "fc-worldbuilder"
 }
diff --git a/apps-gx10/fc-worldbuilder/networkpolicy-fc-worldbuilder-default-deny.json b/apps-gx10/fc-worldbuilder/networkpolicy-fc-worldbuilder-default-deny.json
new file mode 100644
index 0000000..b067e27
--- /dev/null
+++ b/apps-gx10/fc-worldbuilder/networkpolicy-fc-worldbuilder-default-deny.json
@@ -0,0 +1,15 @@
+{
+ "apiVersion": "networking.k8s.io/v1",
+ "kind": "NetworkPolicy",
+ "metadata": {
+ "name": "fc-worldbuilder-default-deny",
+ "namespace": "fc-worldbuilder"
+ },
+ "spec": {
+ "podSelector": {},
+ "policyTypes": [
+ "Ingress",
+ "Egress"
+ ]
+ }
+}
diff --git a/apps-gx10/fc-worldbuilder/networkpolicy-worldbuilder-web.json b/apps-gx10/fc-worldbuilder/networkpolicy-worldbuilder-web.json
new file mode 100644
index 0000000..416ecbb
--- /dev/null
+++ b/apps-gx10/fc-worldbuilder/networkpolicy-worldbuilder-web.json
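Review bot: The three `*-version: "latest"` labels tie the meaning of `restricted` to whatever Kubernetes release the control plane is running, so a cluster upgrade can start rejecting this namespace's Pods without any change to this file. Pinning to the minor version the profile was validated against, `"pod-security.kubernetes.io/enforce-version": "v1.NN"` with NN being the cluster's current minor, makes the tightening an explicit, reviewable change later; the same applies to the `audit-version` and `warn-version` lines. Note also that enforcement applies only to Pods created after the label is set, so existing pods in the namespace keep running until their next rollout.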
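Review bot: A default-deny NetworkPolicy is only effective when the cluster's CNI implements NetworkPolicy; on a plugin without policy support the object is accepted by the API server and silently enforces nothing, so that should be checked once on the target cluster rather than assumed from the manifest. As written it also removes DNS and all other egress for every pod in `fc-worldbuilder` that is not matched by a more specific policy, which is the intent, but any workload added to the namespace later will fail name resolution with no API-level error unless it gets its own allow policy like the one for `worldbuilder-web`.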
@@ -0,0 +1,93 @@
+{
+ "apiVersion": "networking.k8s.io/v1",
+ "kind": "NetworkPolicy",
+ "metadata": {
+ "name": "worldbuilder-web",
+ "namespace": "fc-worldbuilder"
+ },
+ "spec": {
+ "podSelector": {
+ "matchLabels": {
+ "app.kubernetes.io/name": "worldbuilder-web"
+ }
+ },
+ "policyTypes": [
+ "Ingress",
+ "Egress"
+ ],
+ "ingress": [
+ {
+ "from": [
+ {
+ "namespaceSelector": {
+ "matchLabels": {
+ "kubernetes.io/metadata.name": "traefik-system"
+ }
+ }
+ }
+ ],
+ "ports": [
+ {
+ "port": 8080,
+ "protocol": "TCP"
+ }
+ ]
+ },
+ {
+ "from": [
+ {
+ "namespaceSelector": {
+ "matchLabels": {
+ "kubernetes.io/metadata.name": "monitoring"
+ }
+ }
+ }
+ ],
+ "ports": [
+ {
+ "port": 8080,
+ "protocol": "TCP"
+ }
+ ]
+ }
+ ],
+ "egress": [
+ {
+ "to": [
+ {
+ "namespaceSelector": {
+ "matchLabels": {
+ "kubernetes.io/metadata.name": "kube-system"
+ }
+ }
+ }
+ ],
+ "ports": [
+ {
+ "port": 53,
+ "protocol": "UDP"
+ },
+ {
+ "port": 53,
+ "protocol": "TCP"
+ }
+ ]
+ },
+ {
+ "to": [
+ {
+ "ipBlock": {
+ "cidr": "10.0.56.20/32"
+ }
+ }
+ ],
+ "ports": [
+ {
+ "port": 8188,
+ "protocol": "TCP"
+ }
+ ]
+ }
+ ]
+ }
+}
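Review bot: Every peer in this policy is selected by namespace alone (`traefik-system`, `monitoring`, `kube-system`), so any pod that lands in one of those namespaces, not just the ingress controller, the scraper or CoreDNS, may reach port 8080 or be reached on 53. A `podSelector` placed in the same `from`/`to` element as the `namespaceSelector` is ANDed with it and narrows the peer to the intended pods; for DNS the conventional CoreDNS label is `k8s-app: kube-dns` (confirm on the cluster), and the traefik and monitoring rules would use those pods' own labels the same way. The egress `ipBlock` `10.0.56.20/32` on 8188 is a bare address with nothing in the file saying what it is: if it is an in-cluster Pod or Service, `ipBlock` is the wrong tool (Pod IPs are ephemeral and cluster-internal traffic may be rewritten before policy evaluation) and a selector is the robust form, and if it is an external host, recording what it is in a `metadata.annotations` entry would help, since JSON carries no comments.
```json
"to": [
  {
    "namespaceSelector": {
      "matchLabels": {
        "kubernetes.io/metadata.name": "kube-system"
      }
    },
    "podSelector": {
      "matchLabels": {
        "k8s-app": "kube-dns"
      }
    }
  }
],
```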