Apply SEC-7 baseline to WorldBuilder

apps-gx10/fc-worldbuilder/deployment-worldbuilder-web.json

@@ -189,7 +189,10 @@
         "schedulerName": "default-scheduler",
         "securityContext": {
           "fsGroup": 1654,
-          "fsGroupChangePolicy": "OnRootMismatch"
+          "fsGroupChangePolicy": "OnRootMismatch",
+          "seccompProfile": {
+            "type": "RuntimeDefault"
+          }
         },
         "terminationGracePeriodSeconds": 30,
         "volumes": [

apps-gx10/fc-worldbuilder/namespace-fc-worldbuilder.json

@@ -7,7 +7,13 @@
       "app.kubernetes.io/name": "fc-worldbuilder",
       "app.kubernetes.io/part-of": "flowercore",
       "flowercore.io/created-by": "bluejay-infra",
-      "flowercore.io/tenant-id": "system"
+      "flowercore.io/tenant-id": "system",
+      "pod-security.kubernetes.io/enforce": "restricted",
+      "pod-security.kubernetes.io/enforce-version": "latest",
+      "pod-security.kubernetes.io/audit": "restricted",
+      "pod-security.kubernetes.io/audit-version": "latest",
+      "pod-security.kubernetes.io/warn": "restricted",
+      "pod-security.kubernetes.io/warn-version": "latest"
     },
     "name": "fc-worldbuilder"
   }

apps-gx10/fc-worldbuilder/networkpolicy-fc-worldbuilder-default-deny.json

@@ -0,0 +1,15 @@
+{
+  "apiVersion": "networking.k8s.io/v1",
+  "kind": "NetworkPolicy",
+  "metadata": {
+    "name": "fc-worldbuilder-default-deny",
+    "namespace": "fc-worldbuilder"
+  },
+  "spec": {
+    "podSelector": {},
+    "policyTypes": [
+      "Ingress",
+      "Egress"
+    ]
+  }
+}

apps-gx10/fc-worldbuilder/networkpolicy-worldbuilder-web.json

@@ -0,0 +1,93 @@
+{
+  "apiVersion": "networking.k8s.io/v1",
+  "kind": "NetworkPolicy",
+  "metadata": {
+    "name": "worldbuilder-web",
+    "namespace": "fc-worldbuilder"
+  },
+  "spec": {
+    "podSelector": {
+      "matchLabels": {
+        "app.kubernetes.io/name": "worldbuilder-web"
+      }
+    },
+    "policyTypes": [
+      "Ingress",
+      "Egress"
+    ],
+    "ingress": [
+      {
+        "from": [
+          {
+            "namespaceSelector": {
+              "matchLabels": {
+                "kubernetes.io/metadata.name": "traefik-system"
+              }
+            }
+          }
+        ],
+        "ports": [
+          {
+            "port": 8080,
+            "protocol": "TCP"
+          }
+        ]
+      },
+      {
+        "from": [
+          {
+            "namespaceSelector": {
+              "matchLabels": {
+                "kubernetes.io/metadata.name": "monitoring"
+              }
+            }
+          }
+        ],
+        "ports": [
+          {
+            "port": 8080,
+            "protocol": "TCP"
+          }
+        ]
+      }
+    ],
+    "egress": [
+      {
+        "to": [
+          {
+            "namespaceSelector": {
+              "matchLabels": {
+                "kubernetes.io/metadata.name": "kube-system"
+              }
+            }
+          }
+        ],
+        "ports": [
+          {
+            "port": 53,
+            "protocol": "UDP"
+          },
+          {
+            "port": 53,
+            "protocol": "TCP"
+          }
+        ]
+      },
+      {
+        "to": [
+          {
+            "ipBlock": {
+              "cidr": "10.0.56.20/32"
+            }
+          }
+        ],
+        "ports": [
+          {
+            "port": 8188,
+            "protocol": "TCP"
+          }
+        ]
+      }
+    ]
+  }
+}