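---
# FlowerCore Apple MDM network isolation.
#
# Public/LAN device traffic enters through Traefik. NanoHUB API access is kept
# cluster-internal for MDM-N1 and is reachable by the DeviceManagement bridge.
# Egress 443 is required for Apple APNs/ADE/VPP endpoints once APNs and Apple
# enrollment material are configured in later lanes.
#
# Rule semantics reminder: every `ingress`/`egress` entry below is OR'd, so a
# destination blocked by one entry is still allowed if another entry matches.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: fc-apple-mdm-isolation
  namespace: fc-apple-mdm
  labels:
    app.kubernetes.io/name: fc-apple-mdm
    app.kubernetes.io/component: mdm
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
spec:
  # Assumes the MDM pods carry `app: fc-apple-mdm` (the policy's own labels use
  # the `app.kubernetes.io/name` form) — TODO confirm against the workload; a
  # selector that matches nothing silently isolates nothing.
  podSelector:
    matchLabels:
      app: fc-apple-mdm
  # Declaring both types makes any traffic not listed below denied by default.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Traefik ingress pods only (namespace AND pod label must both match).
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - port: 9004
          protocol: TCP
    # DeviceManagement bridge. No podSelector is given, so EVERY pod in
    # fc-devicemgmt may reach 9004 — narrow with the bridge's pod label once
    # it is known (TODO confirm).
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fc-devicemgmt
      ports:
        - port: 9004
          protocol: TCP
  egress:
    # CoreDNS.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # Apple APNs/ADE/VPP endpoints and upstream certificate checks.
    # A bare 0.0.0.0/0 would also cover pod, service, node and link-local
    # address space on 443, so private and link-local ranges are excluded
    # here; in-cluster destinations that are genuinely needed (Traefik VIP,
    # DeviceManagement) are granted by their own explicit entries below.
    # If this workload must reach the Kubernetes API service IP on 443, add a
    # dedicated entry rather than widening this one — TODO confirm.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
              - 100.64.0.0/10
              - 169.254.0.0/16
      ports:
        - port: 443
          protocol: TCP
    # Traefik VIP / in-cluster Traefik for public URL self-checks. Include
    # post-DNAT backend ports 8443 + 8080. The VIP entry is what keeps
    # 10.0.56.200 reachable despite the private-range exclusion above.
    - to:
        - ipBlock:
            cidr: 10.0.56.200/32
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - port: 80
          protocol: TCP
        - port: 443
          protocol: TCP
        - port: 8080
          protocol: TCP
        - port: 8443
          protocol: TCP
    # DeviceManagement bridge webhook/API target (namespace-wide, any pod).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fc-devicemgmt
      ports:
        - port: 80
          protocol: TCP
        - port: 8080
          protocol: TCP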