From 11c5f6e6cc07f0966995a3054906e7f8ddd9d5c2 Mon Sep 17 00:00:00 2001
From: Codex
Date: Thu, 7 May 2026 10:30:59 -0500
Subject: [PATCH] fix(selenium): GitOps-capture selenium-netpol (was unmanaged anywhere)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Captured during 2026-05-07 regroup audit. selenium-netpol was applied via raw `kubectl apply` to the cluster on 2026-03-15 with no source-of-truth file anywhere — neither in bluejay-infra nor in any FC service repo. A cluster rebuild from bluejay-infra would have lost it entirely (including the Selenium Grid → Traefik VIP allow rule that gates AAT runs against *.iamworkin.lan services). Captured byte-for-byte from `kubectl get netpol -n selenium selenium-netpol -o yaml`. ServerSideApply via ArgoCD will adopt the existing resource without recreation. The Selenium Grid Deployment + Services themselves are still managed outside ArgoCD (deployed via raw kubectl from the original bring-up). Migrating those into bluejay-infra is a separate lane — this commit only restores GitOps repeatability for the NetworkPolicy. See feedback_networkpolicies_belong_in_bluejay_infra.md for the canonical pattern.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 apps/selenium/network-policy.yaml | 210 ++++++++++++++++++++++++++++++
 1 file changed, 210 insertions(+)
 create mode 100644 apps/selenium/network-policy.yaml

diff --git a/apps/selenium/network-policy.yaml b/apps/selenium/network-policy.yaml
new file mode 100644
index 0000000..76e0110
--- /dev/null
+++ b/apps/selenium/network-policy.yaml
@@ -0,0 +1,210 @@
+# Selenium Grid NetworkPolicy.
+#
+# Captured into bluejay-infra 2026-05-07 during the regroup audit. This
+# NetworkPolicy was previously applied via `kubectl apply` directly to
+# the cluster with no source-of-truth anywhere — a fresh cluster rebuild
+# would have lost all of it (including the Selenium Grid → Traefik VIP
+# allow rule for AAT runs against `*.iamworkin.lan` services).
+#
+# The Selenium Grid Deployment + Services themselves are still managed
+# outside ArgoCD (deployed via raw kubectl from the original Selenium
+# Grid bring-up). Migrating those into bluejay-infra is a separate lane —
+# this commit only restores GitOps repeatability for the NetworkPolicy.
+#
+# Rules captured from the live cluster's `kubectl get netpol -n selenium
+# selenium-netpol -o yaml` on 2026-05-07. Originally applied 2026-03-15
+# (from `metadata.creationTimestamp` before the field was stripped).
+#
+# Allows:
+# - Egress: CoreDNS, intra-namespace pod-to-pod (4442/4443/4444/5555),
+# Traefik VIP for `*.iamworkin.lan` AAT runs, all FC namespaces on
+# standard FC service ports (5100/5200/5300/5400/8080), pod CIDR
+# (10.42.0.0/16) + service CIDR (10.43.0.0/16) for the same ports,
+# LAN gateway range (10.0.56.0/24) for HTTPS, edge2 CUPS print
+# (10.0.57.16:5200), public internet 80/443 (excluding RFC1918), and
+# fc-signage:5190 for the signage AAT lane.
+# - Ingress: Traefik (4444 + 8089 ACME-solver-style), intra-pod,
+# telephony / gitea / fc-system / fc-signage namespaces on 4444.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: selenium-netpol
+ namespace: selenium
+ labels:
+ app.kubernetes.io/part-of: selenium
+ app.kubernetes.io/component: isolation
+spec:
+ egress:
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ - ports:
+ - port: 4442
+ protocol: TCP
+ - port: 4443
+ protocol: TCP
+ - port: 4444
+ protocol: TCP
+ - port: 5555
+ protocol: TCP
+ to:
+ - podSelector: {}
+ - ports:
+ - port: 443
+ protocol: TCP
+ - port: 80
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: 10.0.56.200/32
+ - ports:
+ - port: 443
+ protocol: TCP
+ - port: 80
+ protocol: TCP
+ - port: 5200
+ protocol: TCP
+ - port: 5300
+ protocol: TCP
+ - port: 5400
+ protocol: TCP
+ - port: 5100
+ protocol: TCP
+ - port: 8080
+ protocol: TCP
+ to:
+ - namespaceSelector: {}
+ - ports:
+ - port: 443
+ protocol: TCP
+ - port: 80
+ protocol: TCP
+ - port: 8443
+ protocol: TCP
+ - port: 8080
+ protocol: TCP
+ - port: 5200
+ protocol: TCP
+ - port: 5300
+ protocol: TCP
+ - port: 5400
+ protocol: TCP
+ - port: 5100
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: 10.43.0.0/16
+ - ports:
+ - port: 443
+ protocol: TCP
+ - port: 80
+ protocol: TCP
+ - port: 8443
+ protocol: TCP
+ - port: 8080
+ protocol: TCP
+ - port: 5200
+ protocol: TCP
+ - port: 5300
+ protocol: TCP
+ - port: 5400
+ protocol: TCP
+ - port: 5100
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: 10.42.0.0/16
+ - ports:
+ - port: 443
+ protocol: TCP
+ - port: 80
+ protocol: TCP
+ - port: 8443
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: 10.0.56.0/24
+ - ports:
+ - port: 5200
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: 10.0.57.16/32
+ - ports:
+ - port: 80
+ protocol: TCP
+ - port: 443
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+ - ports:
+ - port: 5190
+ protocol: TCP
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: fc-signage
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: traefik-system
+ ports:
+ - port: 4444
+ protocol: TCP
+ - port: 8089
+ protocol: TCP
+ - from:
+ - podSelector: {}
+ ports:
+ - port: 4442
+ protocol: TCP
+ - port: 4443
+ protocol: TCP
+ - port: 4444
+ protocol: TCP
+ - port: 5555
+ protocol: TCP
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: telephony
+ ports:
+ - port: 4444
+ protocol: TCP
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: gitea
+ ports:
+ - port: 4444
+ protocol: TCP
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: fc-system
+ ports:
+ - port: 4444
+ protocol: TCP
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: fc-signage
+ ports:
+ - port: 4444
+ protocol: TCP
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+
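Review bot: The public-internet egress rule (`cidr: 0.0.0.0/0` with `except:` listing only `172.16.0.0/12` and `192.168.0.0/16`) does not exclude `10.0.0.0/8`, so the header comment's "public internet 80/443 (excluding RFC1918)" overstates what the policy enforces: every 10.x host is reachable on 80/443 through this rule, which also makes the narrower 80/443 allows to `10.0.56.200/32`, `10.0.56.0/24`, `10.42.0.0/16` and `10.43.0.0/16` redundant for those two ports. If the capture is meant to stay byte-for-byte, correct the comment to `# (10.0.57.16:5200), public internet 80/443 (excluding 172.16/12 and 192.168/16; 10/8 is NOT excluded), and`; if RFC1918 exclusion is the real intent, add `- 10.0.0.0/8` under `except`, which still leaves every documented 10.x destination reachable via its explicit rule, though any undocumented 80/443 use of other 10.x hosts (e.g. the rest of `10.0.57.0/24`) would then start being denied, so that change deserves a quick check against the grid's actual traffic first. The same comment-vs-policy gap applies to the `namespaceSelector: {}` egress rule, which the header describes as "all FC namespaces" but which matches every namespace in the cluster (kube-system included) on 80/443/5100/5200/5300/5400/8080. Given the commit's purpose is a faithful capture, fixing the header comment now and tracking any tightening as a follow-up seems the right split.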