Network policy for the qtodo #126
Merged
Conversation
added 14 commits (April 9, 2026 19:04):

- …s and default deny network policy
- … later broken DNS
- …t into network-policy
- … and Keycloak port
- …ft.io/ingress: triggers OVN-K's special ACL handling for host-network traffic
- …snwers on both an internal hostname (for back-channel) and an external hostname (for browser redirects)
mlorenzofr approved these changes (Apr 23, 2026)
Three NetworkPolicy objects for the `qtodo` namespace. Together they implement a least-privilege, zero-trust network posture, which also satisfies the ACS custom network SecurityPolicy compliance checks for both ingress and egress.

- Policy 1: `qtodo-network-policy`
- Policy 2: `qtodo-db-network-policy`
- Policy 3: `default-deny-network-policy`

Summary of Design Principles Applied
| Principle | How it is applied |
|---|---|
| Least-privilege ingress | qtodo: router only; qtodo-db: qtodo pod only |
| Least-privilege egress | Each pod allows only the specific ports and destinations it actually uses |
| Explicit policyTypes | Both `Ingress` and `Egress` declared on every policy — no implicit inference |
| Default-deny as safety net | Namespace-wide deny-all catches any pod not covered by a specific allow policy |
| Correct OVN-K label for router | `policy-group.network.openshift.io/ingress: ""`, not `network.openshift.io/policy-group: ingress` |
| Correct DNS port | Port 5353 (CoreDNS pod port post-DNAT), not 53 (service port pre-DNAT) |
| Tight namespace selectors | Vault and DNS use `namespaceSelector`; Keycloak uses port-only |

Side note:
This PR includes the update from #125 in the charts/ztvp-certificates/values.yaml
If this PR is merged first, then #125 can be closed.
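The following manifests are an added illustration of the design principles summarised in the table above; they are not the PR's own files. The namespace name `qtodo`, the policy names, the router label and the DNS port 5353 come from the PR description. Everything else is an assumption for the sake of the example: the pod labels `app: qtodo` and `app: qtodo-db`, the application port 8080, the database port 5432, and the `openshift-dns` namespace and CoreDNS pod labels (stock OpenShift values, but not stated in the PR). The Vault and Keycloak egress rules are left out.

```yaml
# Added example, not the PR's manifests. Assumed values are marked in comments.
# Policy 3: namespace-wide default deny. An empty podSelector matches every pod,
# and listing both policy types with no rules denies all ingress and all egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-network-policy
  namespace: qtodo
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Policy 1: the application pod. Ingress only from the router, egress only to
# cluster DNS and to the database pod.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: qtodo-network-policy
  namespace: qtodo
spec:
  podSelector:
    matchLabels:
      app: qtodo                  # assumed pod label
  policyTypes:                    # both declared explicitly, nothing is inferred
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # This label is what OVN-Kubernetes matches for the router's
              # host-network traffic. The older form
              # network.openshift.io/policy-group: ingress does not trigger
              # that special handling and would silently block the router.
              policy-group.network.openshift.io/ingress: ""
      ports:
        - protocol: TCP
          port: 8080              # assumed application port
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-dns   # assumed DNS namespace
          podSelector:
            matchLabels:
              dns.operator.openshift.io/daemonset-dns: default   # assumed CoreDNS pod label
      ports:
        # NetworkPolicy is evaluated after the ClusterIP service has been DNAT'ed
        # to the CoreDNS pod, so the pod port 5353 must be allowed; a rule for
        # port 53 would match only the pre-DNAT service port and DNS would break.
        - protocol: UDP
          port: 5353
        - protocol: TCP
          port: 5353
    - to:
        - podSelector:
            matchLabels:
              app: qtodo-db       # assumed database pod label, same namespace
      ports:
        - protocol: TCP
          port: 5432              # assumed database port
---
# Policy 2: the database pod. Ingress only from the application pod; with
# Egress declared and no egress rules, the pod may not initiate any connection.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: qtodo-db-network-policy
  namespace: qtodo
spec:
  podSelector:
    matchLabels:
      app: qtodo-db               # assumed pod label
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: qtodo          # only the application pod may connect
      ports:
        - protocol: TCP
          port: 5432              # assumed database port
```

Note that the default-deny policy and the per-pod allow policies are additive: a pod is allowed a connection if any policy selecting it permits that connection, so the deny-all object only matters for pods that no allow policy selects. After applying the manifests, a `kubectl exec` into the application pod followed by a name lookup is the quickest way to confirm the 5353 rule is correct, since a policy written for port 53 fails at exactly that step.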