From 9cca5b56512e76c910c830de1b5dc1b0904912f2 Mon Sep 17 00:00:00 2001
From: Andrew Stoltz <1578013+astoltz@users.noreply.github.com>
Date: Sun, 21 Jun 2026 02:30:05 -0500
Subject: [PATCH] Apply SEC-7 baseline to Apple MDM

---
 apps-gx10/fc-apple-mdm/fc-apple-mdm.yaml | 56 ++++++++++++++++++++++++
 1 file changed, 56 insertions(+)

diff --git a/apps-gx10/fc-apple-mdm/fc-apple-mdm.yaml b/apps-gx10/fc-apple-mdm/fc-apple-mdm.yaml
index 494ea9a..35a4a20 100644
--- a/apps-gx10/fc-apple-mdm/fc-apple-mdm.yaml
+++ b/apps-gx10/fc-apple-mdm/fc-apple-mdm.yaml
@@ -8,6 +8,12 @@ metadata:
 name: fc-apple-mdm
 labels:
 app.kubernetes.io/part-of: flowercore
+ pod-security.kubernetes.io/enforce: restricted
+ pod-security.kubernetes.io/enforce-version: latest
+ pod-security.kubernetes.io/audit: restricted
+ pod-security.kubernetes.io/audit-version: latest
+ pod-security.kubernetes.io/warn: restricted
+ pod-security.kubernetes.io/warn-version: latest
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -85,6 +91,8 @@ spec:
 runAsGroup: 1654
 fsGroup: 1654
 fsGroupChangePolicy: OnRootMismatch
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: nanohub
 image: localhost/fc-apple-mdm-nanohub:v0.2.0-20260617
@@ -270,6 +278,17 @@ spec:
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
+metadata:
+ name: fc-apple-mdm-default-deny
+ namespace: fc-apple-mdm
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
 metadata:
 name: fc-apple-mdm-netpol
 namespace: fc-apple-mdm
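Review bot: `pod-security.kubernetes.io/enforce: restricted` on the `fc-apple-mdm` object (presumably the Namespace, given the labels used) will reject the next rollout unless every container in the workload also sets `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]` and `runAsNonRoot: true`; the `seccompProfile: RuntimeDefault` added in the `@@ -85,6 +91,8 @@` hunk satisfies only the seccomp requirement, and the container-level fields sit outside both hunks, so this patch alone does not show the workload is compliant. If that has not been verified on the cluster, a safer sequence is `pod-security.kubernetes.io/enforce: baseline` with `audit`/`warn` left at `restricted` until the audit annotations come back clean. Setting `enforce-version: latest` also means the enforced rule set changes silently on every control-plane upgrade; pinning it to the current minor (`enforce-version: "v1.<MINOR>"`, placeholder) makes an upgrade unable to start evicting the MDM pod by itself.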
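Review bot: `fc-apple-mdm-default-deny` selects every pod in the namespace (`podSelector: {}`) for both Ingress and Egress, so any pod not matched by an allow policy loses DNS and all outbound traffic, and a missing rule shows up as timeouts rather than as a policy error. The spec of the existing `fc-apple-mdm-netpol` is outside this hunk, so the patch does not show that the MDM pods are still granted egress to kube-dns and to the external endpoints the service needs; worth confirming before merge, since the solver policy in the last hunk adds a DNS rule only for the ACME solver pods. A one-line comment above the policy would make the intent explicit for the next reader: `# Namespace-wide default deny; every workload needs an explicit allow policy below.`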
@@ -320,3 +339,40 @@ spec:
 protocol: TCP
 - port: 8080
 protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: fc-apple-mdm-acme-http-solver-allow
+ namespace: fc-apple-mdm
+spec:
+ podSelector:
+ matchLabels:
+ acme.cert-manager.io/http01-solver: "true"
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: traefik-system
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: traefik
+ ports:
+ - port: 8089
+ protocol: TCP
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
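Review bot: The egress rule of `fc-apple-mdm-acme-http-solver-allow` assumes the cluster DNS pods carry `k8s-app: kube-dns` in `kube-system`; if this cluster's DNS deployment is labelled differently the solver loses name resolution silently, because a peer selector that matches nothing simply denies. The port numbers also carry unexplained meaning, so a short comment above the policy would help: `# cert-manager HTTP-01 solver pods listen on 8089; only Traefik may reach them, and the only egress they get is cluster DNS.` If the solver turns out not to need DNS at all, the `egress` rule can be dropped and `Egress` kept in `policyTypes` so the default deny still applies.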