11c5f6e6cc
Captured during 2026-05-07 regroup audit. selenium-netpol was applied via raw `kubectl apply` to the cluster on 2026-03-15 with no source-of-truth file anywhere — neither in bluejay-infra nor in any FC service repo. A cluster rebuild from bluejay-infra would have lost it entirely (including the Selenium Grid → Traefik VIP allow rule that gates AAT runs against *.iamworkin.lan services). Captured byte-for-byte from `kubectl get netpol -n selenium selenium-netpol -o yaml`. ServerSideApply via ArgoCD will adopt the existing resource without recreation. The Selenium Grid Deployment + Services themselves are still managed outside ArgoCD (deployed via raw kubectl from the original bring-up). Migrating those into bluejay-infra is a separate lane — this commit only restores GitOps repeatability for the NetworkPolicy. See feedback_networkpolicies_belong_in_bluejay_infra.md for the canonical pattern. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
211 lines
4.8 KiB
YAML
211 lines
4.8 KiB
YAML
# Selenium Grid NetworkPolicy.
|
|
#
|
|
# Captured into bluejay-infra 2026-05-07 during the regroup audit. This
|
|
# NetworkPolicy was previously applied via `kubectl apply` directly to
|
|
# the cluster with no source-of-truth anywhere — a fresh cluster rebuild
|
|
# would have lost all of it (including the Selenium Grid → Traefik VIP
|
|
# allow rule for AAT runs against `*.iamworkin.lan` services).
|
|
#
|
|
# The Selenium Grid Deployment + Services themselves are still managed
|
|
# outside ArgoCD (deployed via raw kubectl from the original Selenium
|
|
# Grid bring-up). Migrating those into bluejay-infra is a separate lane —
|
|
# this commit only restores GitOps repeatability for the NetworkPolicy.
|
|
#
|
|
# Rules captured from the live cluster's `kubectl get netpol -n selenium
|
|
# selenium-netpol -o yaml` on 2026-05-07. Originally applied 2026-03-15
|
|
# (from `metadata.creationTimestamp` before the field was stripped).
|
|
#
|
|
# Allows:
|
|
# - Egress: CoreDNS, intra-namespace pod-to-pod (4442/4443/4444/5555),
|
|
# Traefik VIP for `*.iamworkin.lan` AAT runs, all FC namespaces on
|
|
# standard FC service ports (5100/5200/5300/5400/8080), pod CIDR
|
|
# (10.42.0.0/16) + service CIDR (10.43.0.0/16) for the same ports,
|
|
# LAN gateway range (10.0.56.0/24) for HTTPS, edge2 CUPS print
|
|
# (10.0.57.16:5200), public internet 80/443 (excluding RFC1918), and
|
|
# fc-signage:5190 for the signage AAT lane.
|
|
# - Ingress: Traefik (4444 + 8089 ACME-solver-style), intra-pod,
|
|
# telephony / gitea / fc-system / fc-signage namespaces on 4444.
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: selenium-netpol
|
|
namespace: selenium
|
|
labels:
|
|
app.kubernetes.io/part-of: selenium
|
|
app.kubernetes.io/component: isolation
|
|
spec:
|
|
egress:
|
|
- ports:
|
|
- port: 53
|
|
protocol: UDP
|
|
- port: 53
|
|
protocol: TCP
|
|
to:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: kube-system
|
|
- ports:
|
|
- port: 4442
|
|
protocol: TCP
|
|
- port: 4443
|
|
protocol: TCP
|
|
- port: 4444
|
|
protocol: TCP
|
|
- port: 5555
|
|
protocol: TCP
|
|
to:
|
|
- podSelector: {}
|
|
- ports:
|
|
- port: 443
|
|
protocol: TCP
|
|
- port: 80
|
|
protocol: TCP
|
|
to:
|
|
- ipBlock:
|
|
cidr: 10.0.56.200/32
|
|
- ports:
|
|
- port: 443
|
|
protocol: TCP
|
|
- port: 80
|
|
protocol: TCP
|
|
- port: 5200
|
|
protocol: TCP
|
|
- port: 5300
|
|
protocol: TCP
|
|
- port: 5400
|
|
protocol: TCP
|
|
- port: 5100
|
|
protocol: TCP
|
|
- port: 8080
|
|
protocol: TCP
|
|
to:
|
|
- namespaceSelector: {}
|
|
- ports:
|
|
- port: 443
|
|
protocol: TCP
|
|
- port: 80
|
|
protocol: TCP
|
|
- port: 8443
|
|
protocol: TCP
|
|
- port: 8080
|
|
protocol: TCP
|
|
- port: 5200
|
|
protocol: TCP
|
|
- port: 5300
|
|
protocol: TCP
|
|
- port: 5400
|
|
protocol: TCP
|
|
- port: 5100
|
|
protocol: TCP
|
|
to:
|
|
- ipBlock:
|
|
cidr: 10.43.0.0/16
|
|
- ports:
|
|
- port: 443
|
|
protocol: TCP
|
|
- port: 80
|
|
protocol: TCP
|
|
- port: 8443
|
|
protocol: TCP
|
|
- port: 8080
|
|
protocol: TCP
|
|
- port: 5200
|
|
protocol: TCP
|
|
- port: 5300
|
|
protocol: TCP
|
|
- port: 5400
|
|
protocol: TCP
|
|
- port: 5100
|
|
protocol: TCP
|
|
to:
|
|
- ipBlock:
|
|
cidr: 10.42.0.0/16
|
|
- ports:
|
|
- port: 443
|
|
protocol: TCP
|
|
- port: 80
|
|
protocol: TCP
|
|
- port: 8443
|
|
protocol: TCP
|
|
to:
|
|
- ipBlock:
|
|
cidr: 10.0.56.0/24
|
|
- ports:
|
|
- port: 5200
|
|
protocol: TCP
|
|
to:
|
|
- ipBlock:
|
|
cidr: 10.0.57.16/32
|
|
- ports:
|
|
- port: 80
|
|
protocol: TCP
|
|
- port: 443
|
|
protocol: TCP
|
|
to:
|
|
- ipBlock:
|
|
cidr: 0.0.0.0/0
|
|
except:
|
|
- 172.16.0.0/12
|
|
- 192.168.0.0/16
|
|
- ports:
|
|
- port: 5190
|
|
protocol: TCP
|
|
to:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: fc-signage
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: traefik-system
|
|
ports:
|
|
- port: 4444
|
|
protocol: TCP
|
|
- port: 8089
|
|
protocol: TCP
|
|
- from:
|
|
- podSelector: {}
|
|
ports:
|
|
- port: 4442
|
|
protocol: TCP
|
|
- port: 4443
|
|
protocol: TCP
|
|
- port: 4444
|
|
protocol: TCP
|
|
- port: 5555
|
|
protocol: TCP
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: telephony
|
|
ports:
|
|
- port: 4444
|
|
protocol: TCP
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: gitea
|
|
ports:
|
|
- port: 4444
|
|
protocol: TCP
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: fc-system
|
|
ports:
|
|
- port: 4444
|
|
protocol: TCP
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: fc-signage
|
|
ports:
|
|
- port: 4444
|
|
protocol: TCP
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
- Egress
|
|
|