From 84bdd0e23b184417e6677f3d64ddac02ced2822a Mon Sep 17 00:00:00 2001
From: Andrew Stoltz <1578013+astoltz@users.noreply.github.com>
Date: Sun, 21 Jun 2026 02:39:09 -0500
Subject: [PATCH] Apply SEC-7 baseline to MCP gateway

---
 apps-gx10/fc-gateway/fc-gateway.yaml | 56 ++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)

diff --git a/apps-gx10/fc-gateway/fc-gateway.yaml b/apps-gx10/fc-gateway/fc-gateway.yaml
index 1e4ac97..bd7c469 100644
--- a/apps-gx10/fc-gateway/fc-gateway.yaml
+++ b/apps-gx10/fc-gateway/fc-gateway.yaml
@@ -8,6 +8,12 @@ metadata:
   name: fc-gateway
   labels:
     app.kubernetes.io/part-of: flowercore
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/audit-version: latest
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: latest
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -43,6 +49,8 @@ spec:
         runAsGroup: 1654
         fsGroup: 1654
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: web
           image: localhost/fc-gateway:v20260619-sec3-429e6cf
@@ -203,6 +211,17 @@ spec:
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
+metadata:
+  name: fc-gateway-default-deny
+  namespace: fc-gateway
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
 metadata:
   name: fc-gateway-netpol
   namespace: fc-gateway
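Review bot: `pod-security.kubernetes.io/enforce-version: latest` ties the enforced `restricted` ruleset to whatever the running control plane defines, so a cluster upgrade can start rejecting this namespace's pods without any change to this file; pin enforcement to the minor the manifests were validated against, `pod-security.kubernetes.io/enforce-version: v1.<minor>` (placeholder, fill in the cluster's version), and leave `audit` and `warn` on `latest` so newly added checks surface as warnings first. Enforcement applies only at pod admission, so existing pods keep running and a non-compliant spec will only show up when the Deployment next rolls out. The Deployment's container-level securityContext is not in this hunk, so confirm it already satisfies `restricted` before these labels land. The enclosing object, presumably the Namespace, starts above the hunk.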
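Review bot: the pod-level `seccompProfile: RuntimeDefault` added here covers only one of the `restricted` profile's requirements; the `web` container, whose `securityContext` is outside this hunk, must also carry `allowPrivilegeEscalation: false`, `capabilities: {drop: ["ALL"]}` and `runAsNonRoot: true`, otherwise the enforce label introduced in this same commit rejects the ReplicaSet's pods at admission and the rollout stalls. If those fields are already present elsewhere in the Deployment this is a no-op; if not, they belong under `containers[0].securityContext`. A comment above the new lines, `# PSA 'restricted' also checks the container-level fields, not just this pod-level profile`, would make that dependency visible to the next editor. The Deployment spec continues on both sides of the hunk.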
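Review bot: the new `fc-gateway-default-deny` document carries no comment saying that it is namespace-wide (`podSelector: {}`) and denies egress as well, so any pod a controller creates in `fc-gateway` without a matching allow policy silently loses DNS and all connectivity; add `# Namespace-wide default deny (ingress + egress); every workload in fc-gateway needs its own allow policy` above its `metadata:`. It is also worth stating next to it that NetworkPolicy is only enforced when the CNI supports it, since on a cluster without an enforcing plugin this document is accepted and does nothing, which is easy to mistake for protection. The neighbouring `fc-gateway-netpol` policy that follows is only partly visible here.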
@@ -300,3 +319,40 @@ spec:
           protocol: TCP
         - port: 8080
           protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: fc-gateway-acme-http-solver-allow
+  namespace: fc-gateway
+spec:
+  podSelector:
+    matchLabels:
+      acme.cert-manager.io/http01-solver: "true"
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik-system
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: traefik
+      ports:
+        - port: 8089
+          protocol: TCP
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
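Review bot: the allow rules hard-code the peer labels `app.kubernetes.io/name: traefik` in `traefik-system` and `k8s-app: kube-dns` in `kube-system`; if either set does not match the pods actually running, HTTP-01 challenges fail only at the next certificate issuance or renewal, a slow and silent failure mode that the default-deny added in this commit makes possible. Verify both selectors against live pod labels before merging, and record the intent above `metadata:` with something like `# Carve-out from fc-gateway-default-deny: cert-manager HTTP-01 solver pods must accept challenge traffic from traefik on 8089 and resolve DNS`. Limiting ingress to the ingress controller's own pods rather than any source is the right shape for this policy. The `fc-gateway-netpol` egress block that the three context lines belong to starts above the hunk.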