From e41c9f4ae71ecacbc6f1be3d8a3c266a73e7a7ab Mon Sep 17 00:00:00 2001 From: Andrew Stoltz <1578013+astoltz@users.noreply.github.com> Date: Sun, 21 Jun 2026 03:18:55 -0500 Subject: [PATCH] Apply SEC-7 baseline to Knowledge --- .../knowledge/deployment-knowledge-web.json | 13 +- apps-gx10/knowledge/namespace-knowledge.json | 20 +++ .../networkpolicy-knowledge-default-deny.json | 15 ++ .../networkpolicy-knowledge-web.json | 132 ++++++++++++++++++ 4 files changed, 175 insertions(+), 5 deletions(-) create mode 100644 apps-gx10/knowledge/namespace-knowledge.json create mode 100644 apps-gx10/knowledge/networkpolicy-knowledge-default-deny.json create mode 100644 apps-gx10/knowledge/networkpolicy-knowledge-web.json
diff --git a/apps-gx10/knowledge/deployment-knowledge-web.json b/apps-gx10/knowledge/deployment-knowledge-web.json
index 31f20e0..2e9f455 100644
--- a/apps-gx10/knowledge/deployment-knowledge-web.json
+++ b/apps-gx10/knowledge/deployment-knowledge-web.json
@@ -233,11 +233,14 @@
 "dnsPolicy": "ClusterFirst",
 "restartPolicy": "Always",
 "schedulerName": "default-scheduler",
- "securityContext": {
- "fsGroup": 1654,
- "fsGroupChangePolicy": "OnRootMismatch",
- "runAsNonRoot": true
- },
+ "securityContext": {
+ "fsGroup": 1654,
+ "fsGroupChangePolicy": "OnRootMismatch",
+ "runAsNonRoot": true,
+ "seccompProfile": {
+ "type": "RuntimeDefault"
+ }
+ },
 "terminationGracePeriodSeconds": 30,
 "volumes": [
 {
diff --git a/apps-gx10/knowledge/namespace-knowledge.json b/apps-gx10/knowledge/namespace-knowledge.json
new file mode 100644
index 0000000..62c5bf6
--- /dev/null
+++ b/apps-gx10/knowledge/namespace-knowledge.json
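Review bot: The added `seccompProfile` is pod-level only, while the `restricted` profile that the new namespace labels enforce also requires `allowPrivilegeEscalation: false` and `capabilities: {"drop": ["ALL"]}` in the securityContext of every container and initContainer; the container list is outside this hunk and the diffstat shows no other change to this file, so confirm those fields are already present, otherwise pods for the next ReplicaSet will be rejected at admission once the namespace label lands. The five removed `securityContext` lines reappear with identical content, which suggests only indentation changed for them; limiting the diff to the single new key `"seccompProfile": {"type": "RuntimeDefault"}` would keep the review surface to the actual change. The enclosing pod template spec starts and ends outside the hunk.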
@@ -0,0 +1,20 @@
+{
+ "apiVersion": "v1",
+ "kind": "Namespace",
+ "metadata": {
+ "labels": {
+ "app.kubernetes.io/managed-by": "argocd",
+ "app.kubernetes.io/name": "knowledge",
+ "app.kubernetes.io/part-of": "flowercore",
+ "flowercore.io/created-by": "bluejay-infra",
+ "flowercore.io/tenant-id": "system",
+ "pod-security.kubernetes.io/enforce": "restricted",
+ "pod-security.kubernetes.io/enforce-version": "latest",
+ "pod-security.kubernetes.io/audit": "restricted",
+ "pod-security.kubernetes.io/audit-version": "latest",
+ "pod-security.kubernetes.io/warn": "restricted",
+ "pod-security.kubernetes.io/warn-version": "latest"
+ },
+ "name": "knowledge"
+ }
+}
diff --git a/apps-gx10/knowledge/networkpolicy-knowledge-default-deny.json b/apps-gx10/knowledge/networkpolicy-knowledge-default-deny.json
new file mode 100644
index 0000000..692025c
--- /dev/null
+++ b/apps-gx10/knowledge/networkpolicy-knowledge-default-deny.json
@@ -0,0 +1,15 @@
+{
+ "apiVersion": "networking.k8s.io/v1",
+ "kind": "NetworkPolicy",
+ "metadata": {
+ "name": "knowledge-default-deny",
+ "namespace": "knowledge"
+ },
+ "spec": {
+ "podSelector": {},
+ "policyTypes": [
+ "Ingress",
+ "Egress"
+ ]
+ }
+}
diff --git a/apps-gx10/knowledge/networkpolicy-knowledge-web.json b/apps-gx10/knowledge/networkpolicy-knowledge-web.json
new file mode 100644
index 0000000..c3baa46
--- /dev/null
+++ b/apps-gx10/knowledge/networkpolicy-knowledge-web.json
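Review bot: `"pod-security.kubernetes.io/enforce-version": "latest"` binds enforcement to whatever profile the API server currently ships, so a control-plane upgrade can tighten the `restricted` checks and start rejecting knowledge pods with no change in this repo. Pin enforcement to the version the workload was validated against, e.g. `"pod-security.kubernetes.io/enforce-version": "v1.30"` (substitute the cluster's actual minor version), and bump it deliberately; `latest` remains a good choice for the `warn` and `audit` modes, which then act as the early-warning signal for the next pin. If the ArgoCD Application also sets `CreateNamespace=true`, make sure this manifest is the single owner of the namespace labels so the two do not fight over them.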
@@ -0,0 +1,132 @@
+{
+ "apiVersion": "networking.k8s.io/v1",
+ "kind": "NetworkPolicy",
+ "metadata": {
+ "name": "knowledge-web",
+ "namespace": "knowledge"
+ },
+ "spec": {
+ "podSelector": {
+ "matchLabels": {
+ "app": "knowledge-web"
+ }
+ },
+ "policyTypes": [
+ "Ingress",
+ "Egress"
+ ],
+ "ingress": [
+ {
+ "from": [
+ {
+ "namespaceSelector": {
+ "matchLabels": {
+ "kubernetes.io/metadata.name": "traefik-system"
+ }
+ }
+ }
+ ],
+ "ports": [
+ {
+ "port": 8080,
+ "protocol": "TCP"
+ }
+ ]
+ },
+ {
+ "from": [
+ {
+ "namespaceSelector": {
+ "matchLabels": {
+ "kubernetes.io/metadata.name": "monitoring"
+ }
+ }
+ }
+ ],
+ "ports": [
+ {
+ "port": 8080,
+ "protocol": "TCP"
+ }
+ ]
+ },
+ {
+ "from": [
+ {
+ "namespaceSelector": {
+ "matchLabels": {
+ "kubernetes.io/metadata.name": "fc-gateway"
+ }
+ }
+ },
+ {
+ "namespaceSelector": {
+ "matchLabels": {
+ "kubernetes.io/metadata.name": "intranet"
+ }
+ }
+ }
+ ],
+ "ports": [
+ {
+ "port": 8080,
+ "protocol": "TCP"
+ }
+ ]
+ }
+ ],
+ "egress": [
+ {
+ "to": [
+ {
+ "namespaceSelector": {
+ "matchLabels": {
+ "kubernetes.io/metadata.name": "kube-system"
+ }
+ }
+ }
+ ],
+ "ports": [
+ {
+ "port": 53,
+ "protocol": "UDP"
+ },
+ {
+ "port": 53,
+ "protocol": "TCP"
+ }
+ ]
+ },
+ {
+ "to": [
+ {
+ "ipBlock": {
+ "cidr": "0.0.0.0/0"
+ }
+ }
+ ],
+ "ports": [
+ {
+ "port": 11434,
+ "protocol": "TCP"
+ }
+ ]
+ },
+ {
+ "to": [
+ {
+ "ipBlock": {
+ "cidr": "0.0.0.0/0"
+ }
+ }
+ ],
+ "ports": [
+ {
+ "port": 443,
+ "protocol": "TCP"
+ }
+ ]
+ }
+ ]
+ }
+}
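Review bot: The two egress rules for ports 11434 and 443 use `"cidr": "0.0.0.0/0"` with no `except`, which includes the cluster's pod, service and node CIDRs and the link-local range as well as the internet, so from this pod any in-cluster workload listening on 443 or 11434 is reachable and the isolation the default-deny policy just introduced is bypassed on those two ports. If the 11434 target is an in-cluster inference service, select it with a `namespaceSelector`/`podSelector` peer instead of an ipBlock; for the external 443 rule add `"except": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"]` (substitute the cluster's real pod/service/node CIDRs), and note that NetworkPolicy cannot pin 443 to specific hostnames, so HTTPS remains an open exfiltration path without an egress proxy. The three ingress rules differ only in the source namespace and could be one rule with four `from` peers, and pairing each `namespaceSelector` with a `podSelector` (e.g. the Traefik pods rather than every pod in `traefik-system`) would narrow who may reach 8080. Confirm the Deployment's pod template actually carries `app: knowledge-web`; the namespace manifest uses `app.kubernetes.io/name` labels, and if this selector matches nothing the default-deny isolates the web pods entirely.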