bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 15 Actions Packages Projects Releases Wiki Activity

Apply SEC-7 baseline to Knowledge

Browse Source
This commit is contained in:
Andrew Stoltz
2026-06-21 03:18:55 -05:00
parent 11122b5139
commit e41c9f4ae7
4 changed files with 175 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
apps-gx10/knowledge/deployment-knowledge-web.json
View File

@@ -236,7 +236,10 @@
"securityContext": { "securityContext": {
"fsGroup": 1654, "fsGroup": 1654,
"fsGroupChangePolicy": "OnRootMismatch", "fsGroupChangePolicy": "OnRootMismatch",
"runAsNonRoot": true "runAsNonRoot": true,
"seccompProfile": {
"type": "RuntimeDefault"
}
}, },
"terminationGracePeriodSeconds": 30, "terminationGracePeriodSeconds": 30,
"volumes": [ "volumes": [

20
apps-gx10/knowledge/namespace-knowledge.json Normal file
View File

@@ -0,0 +1,20 @@
{
"apiVersion": "v1",
"kind": "Namespace",
"metadata": {
"labels": {
"app.kubernetes.io/managed-by": "argocd",
"app.kubernetes.io/name": "knowledge",
"app.kubernetes.io/part-of": "flowercore",
"flowercore.io/created-by": "bluejay-infra",
"flowercore.io/tenant-id": "system",
"pod-security.kubernetes.io/enforce": "restricted",
"pod-security.kubernetes.io/enforce-version": "latest",
"pod-security.kubernetes.io/audit": "restricted",
"pod-security.kubernetes.io/audit-version": "latest",
"pod-security.kubernetes.io/warn": "restricted",
"pod-security.kubernetes.io/warn-version": "latest"
},
"name": "knowledge"
}
}

15
apps-gx10/knowledge/networkpolicy-knowledge-default-deny.json Normal file
View File

@@ -0,0 +1,15 @@
{
"apiVersion": "networking.k8s.io/v1",
"kind": "NetworkPolicy",
"metadata": {
"name": "knowledge-default-deny",
"namespace": "knowledge"
},
"spec": {
"podSelector": {},
"policyTypes": [
"Ingress",
"Egress"
]
}
}

132
apps-gx10/knowledge/networkpolicy-knowledge-web.json Normal file
View File

@@ -0,0 +1,132 @@
{
"apiVersion": "networking.k8s.io/v1",
"kind": "NetworkPolicy",
"metadata": {
"name": "knowledge-web",
"namespace": "knowledge"
},
"spec": {
"podSelector": {
"matchLabels": {
"app": "knowledge-web"
}
},
"policyTypes": [
"Ingress",
"Egress"
],
"ingress": [
{
"from": [
{
"namespaceSelector": {
"matchLabels": {
"kubernetes.io/metadata.name": "traefik-system"
}
}
}
],
"ports": [
{
"port": 8080,
"protocol": "TCP"
}
]
},
{
"from": [
{
"namespaceSelector": {
"matchLabels": {
"kubernetes.io/metadata.name": "monitoring"
}
}
}
],
"ports": [
{
"port": 8080,
"protocol": "TCP"
}
]
},
{
"from": [
{
"namespaceSelector": {
"matchLabels": {
"kubernetes.io/metadata.name": "fc-gateway"
}
}
},
{
"namespaceSelector": {
"matchLabels": {
"kubernetes.io/metadata.name": "intranet"
}
}
}
],
"ports": [
{
"port": 8080,
"protocol": "TCP"
}
]
}
],
"egress": [
{
"to": [
{
"namespaceSelector": {
"matchLabels": {
"kubernetes.io/metadata.name": "kube-system"
}
}
}
],
"ports": [
{
"port": 53,
"protocol": "UDP"
},
{
"port": 53,
"protocol": "TCP"
}
]
},
{
"to": [
{
"ipBlock": {
"cidr": "0.0.0.0/0"
}
}
],
"ports": [
{
"port": 11434,
"protocol": "TCP"
}
]
},
{
"to": [
{
"ipBlock": {
"cidr": "0.0.0.0/0"
}
}
],
"ports": [
{
"port": 443,
"protocol": "TCP"
}
]
}
]
}
}