From 5e56dcb59cfdf15f7081399a79c015a629dcf962 Mon Sep 17 00:00:00 2001
From: Andrew Stoltz <1578013+astoltz@users.noreply.github.com>
Date: Sun, 21 Jun 2026 03:32:12 -0500
Subject: [PATCH] Harden GX10 Intranet pod boundary

---
 .../intranet/deployment-intranet-web.json | 5 +-
 apps-gx10/intranet/namespace-intranet.json | 12 +++
 .../networkpolicy-intranet-default-deny.json | 15 +++
 .../intranet/networkpolicy-intranet-web.json | 91 +++++++++++++++++++
 4 files changed, 122 insertions(+), 1 deletion(-)
 create mode 100644 apps-gx10/intranet/namespace-intranet.json
 create mode 100644 apps-gx10/intranet/networkpolicy-intranet-default-deny.json
 create mode 100644 apps-gx10/intranet/networkpolicy-intranet-web.json

diff --git a/apps-gx10/intranet/deployment-intranet-web.json b/apps-gx10/intranet/deployment-intranet-web.json
index 187fbd8..38d4776 100644
--- a/apps-gx10/intranet/deployment-intranet-web.json
+++ b/apps-gx10/intranet/deployment-intranet-web.json
@@ -166,7 +166,10 @@
 "fsGroupChangePolicy": "OnRootMismatch",
 "runAsGroup": 1654,
 "runAsNonRoot": true,
- "runAsUser": 1654
+ "runAsUser": 1654,
+ "seccompProfile": {
+ "type": "RuntimeDefault"
+ }
 },
 "terminationGracePeriodSeconds": 30,
 "volumes": [
diff --git a/apps-gx10/intranet/namespace-intranet.json b/apps-gx10/intranet/namespace-intranet.json
new file mode 100644
index 0000000..47ffabc
--- /dev/null
+++ b/apps-gx10/intranet/namespace-intranet.json
@@ -0,0 +1,12 @@
+{
+ "apiVersion": "v1",
+ "kind": "Namespace",
+ "metadata": {
+ "labels": {
+ "pod-security.kubernetes.io/audit": "restricted",
+ "pod-security.kubernetes.io/enforce": "restricted",
+ "pod-security.kubernetes.io/warn": "restricted"
+ },
+ "name": "intranet"
+ }
+}
diff --git a/apps-gx10/intranet/networkpolicy-intranet-default-deny.json b/apps-gx10/intranet/networkpolicy-intranet-default-deny.json
new file mode 100644
index 0000000..ec5c86d
--- /dev/null
+++ b/apps-gx10/intranet/networkpolicy-intranet-default-deny.json
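Review bot: The pod-level `seccompProfile` added here satisfies the restricted profile's seccomp check, but restricted also requires `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]` on every container, and the container `securityContext` is outside this hunk, so that cannot be confirmed from here. Because the namespace is labelled `enforce: restricted` in the same patch, a missing container-level setting would surface as an admission rejection on the next rollout rather than when the manifests are applied. Suggest checking the container securityContext against the restricted checklist before merging. The enclosing pod `securityContext` object starts and ends outside the hunk.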
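Review bot: The three Pod Security labels have no `*-version` companion, so they resolve to `latest` and the enforced check set will change silently with each control-plane upgrade; pin it with `"pod-security.kubernetes.io/enforce-version": "<cluster-minor-version>"` (placeholder) next to `enforce`, and likewise for `audit`/`warn` if they should track the same version. Note also that `enforce` only gates pod creation: pods already running in `intranet` keep running until they are recreated, so the label takes practical effect at the next rollout, which is when any restricted-profile gap in the deployment will show up.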
@@ -0,0 +1,15 @@
+{
+ "apiVersion": "networking.k8s.io/v1",
+ "kind": "NetworkPolicy",
+ "metadata": {
+ "name": "intranet-default-deny",
+ "namespace": "intranet"
+ },
+ "spec": {
+ "podSelector": {},
+ "policyTypes": [
+ "Ingress",
+ "Egress"
+ ]
+ }
+}
diff --git a/apps-gx10/intranet/networkpolicy-intranet-web.json b/apps-gx10/intranet/networkpolicy-intranet-web.json
new file mode 100644
index 0000000..4b2052d
--- /dev/null
+++ b/apps-gx10/intranet/networkpolicy-intranet-web.json
@@ -0,0 +1,91 @@
+{
+ "apiVersion": "networking.k8s.io/v1",
+ "kind": "NetworkPolicy",
+ "metadata": {
+ "name": "intranet-web",
+ "namespace": "intranet"
+ },
+ "spec": {
+ "egress": [
+ {
+ "ports": [
+ {
+ "port": 53,
+ "protocol": "UDP"
+ },
+ {
+ "port": 53,
+ "protocol": "TCP"
+ }
+ ],
+ "to": [
+ {
+ "namespaceSelector": {
+ "matchLabels": {
+ "kubernetes.io/metadata.name": "kube-system"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "ports": [
+ {
+ "port": 443,
+ "protocol": "TCP"
+ }
+ ],
+ "to": [
+ {
+ "ipBlock": {
+ "cidr": "10.0.56.200/32"
+ }
+ }
+ ]
+ },
+ {
+ "ports": [
+ {
+ "port": 11434,
+ "protocol": "TCP"
+ }
+ ],
+ "to": [
+ {
+ "ipBlock": {
+ "cidr": "0.0.0.0/0"
+ }
+ }
+ ]
+ }
+ ],
+ "ingress": [
+ {
+ "from": [
+ {
+ "namespaceSelector": {
+ "matchLabels": {
+ "kubernetes.io/metadata.name": "traefik-system"
+ }
+ }
+ }
+ ],
+ "ports": [
+ {
+ "port": 5300,
+ "protocol": "TCP"
+ }
+ ]
+ }
+ ],
+ "podSelector": {
+ "matchLabels": {
+ "app": "intranet-web"
+ }
+ },
+ "policyTypes": [
+ "Ingress",
+ "Egress"
+ ]
+ }
+}
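Review bot: With `podSelector: {}` and both policy types listed, this denies all ingress and egress — DNS included — for every pod in `intranet` that no other policy selects; the only allow policy in this patch selects `app: intranet-web`, so any other workload in the namespace (a Job, a debug pod, a later deployment) has no DNS and no egress until it gets its own allow policy. That is the intended boundary, but the failure mode is a silent resolver timeout, so it is worth recording the per-app-allow convention in the repo README or in a `metadata.annotations` description on this object. Enforcement also depends on the CNI implementing NetworkPolicy; a CNI without it accepts these objects and ignores them, so verify the deny with a connectivity check from an unselected pod after rollout.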
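Review bot: The third egress rule allows TCP 11434 to `0.0.0.0/0`, i.e. to any address inside or outside the cluster, which is far wider than the rest of the policy (the 443 rule is pinned to `10.0.56.200/32`) and means a compromised intranet-web pod can reach any host listening on that port. If the 11434 service sits at a fixed address, pin it the same way with `"cidr": "<inference-host-ip>/32"` (placeholder); if it runs in-cluster, use a `namespaceSelector`/`podSelector` pair instead, since `ipBlock` matching against pod IPs is unreliable where the CNI rewrites source or destination addresses. The DNS rule likewise admits port 53 to every pod in `kube-system`; if this cluster's CoreDNS pods carry the usual `k8s-app: kube-dns` label, adding `"podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}` beside the `namespaceSelector` in that `to` entry narrows it to the resolver. The ingress rule could be narrowed the same way to the Traefik pods rather than the whole `traefik-system` namespace.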