M2: Implement CiliumNetworkPolicies for namespace isolation

## Goal
Apply CiliumNetworkPolicies to enforce default-deny ingress and cross-namespace isolation.

## Policies to implement
| File | Policy |
|---|---|
| `default-deny-ingress.yaml` | Deny all ingress to pods in `prod` and `staging` by default |
| `deny-cross-namespace.yaml` | Deny cross-namespace traffic except from `monitoring` and `argus-system` |

## Tasks
- [ ] Implement `security/cilium/default-deny-ingress.yaml`
- [ ] Implement `security/cilium/deny-cross-namespace.yaml`
- [ ] Apply both policies and verify with `hubble observe`
- [ ] Confirm Prometheus scraping from `monitoring` namespace still works
- [ ] Confirm `argus-system` agent can reach pods in `prod`/`staging`

## Acceptance criteria
- Cross-namespace traffic blocked by default (visible in Hubble as dropped flows)
- Explicit allow rules work correctly
- Prometheus scrape targets remain reachable

## Depends on
#4

File	Policy
`default-deny-ingress.yaml`	Deny all ingress to pods in `prod` and `staging` by default
`deny-cross-namespace.yaml`	Deny cross-namespace traffic except from `monitoring` and `argus-system`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

M2: Implement CiliumNetworkPolicies for namespace isolation #8

Goal

Policies to implement

Tasks

Acceptance criteria

Depends on

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

M2: Implement CiliumNetworkPolicies for namespace isolation #8

Description

Goal

Policies to implement

Tasks

Acceptance criteria

Depends on

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions