Pr 2439 #2472

Open
dapperdivers wants to merge 2 commits into main from pr-2439
Conversation

@dapperdivers (Owner)

No description provided.

Addresses the #1 finding from the 2026-02-19 security audit:
zero NetworkPolicies across 19 namespaces (flat network).

This PR adds 29 Cilium network policies:
- 6 default-deny ingress policies (database, security, home-automation,
  selfhosted, ai, roundtable)
- 5 cluster-wide policies (DNS, ingress controllers, Prometheus scraping)
- 18 app-specific allow policies mapping actual traffic flows

Architecture:
- Default deny on high-value namespaces (databases, secrets, AI)
- Explicit allow rules based on actual dependency mapping
- CiliumClusterwideNetworkPolicy for cross-cutting concerns
- Namespace-scoped CiliumNetworkPolicy for app-specific rules
- Separate Flux Kustomization (cilium-network-policies) with Cilium dependency

Namespaces covered: database, security, home-automation, selfhosted, ai, roundtable
Not yet covered (lower risk): media, observability, kube-system, cert-manager

⚠️ DEPLOY NOTE: Review policies before merging. Default-deny policies
will break traffic that isn't explicitly allowed. Recommend deploying
one namespace at a time and monitoring with Hubble.

Added:
- default-deny-media: isolate *arr apps, Plex, Sabnzbd
- default-deny-observability: isolate Grafana, Loki, Prometheus
- allow-media-apps: autobrr→postgres, media apps→external (indexers/usenet)
- allow-observability-apps: grafana→postgres/loki/prometheus,
  alertmanager→external (notifications), gatus→health checks

Now covers ALL application namespaces:
  ai, database, home-automation, media, observability,
  roundtable, security, selfhosted (8/8)
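The default-deny plus explicit-allow pattern the commits above describe, written out as an added illustration rather than a manifest from this PR. Pod labels, the postgres port and the policy names are assumptions; the cross-namespace match on `k8s:io.kubernetes.pod.namespace` and the empty `- {}` deny rule are Cilium's documented forms.

```yaml
# Added illustration, not a manifest from this PR. Labels and ports are assumed.
# 1. Namespace-scoped default deny: every pod in `database` drops all ingress
#    unless another policy explicitly allows it. A single empty rule `- {}`
#    selects no peer at all, which is Cilium's documented "deny all" form.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: default-deny-database
  namespace: database
spec:
  endpointSelector: {}
  ingress:
    - {}
---
# 2. Explicit allow for one mapped flow: autobrr (media) -> postgres (database).
#    Peers in another namespace are matched on the reserved namespace label.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-autobrr-to-postgres
  namespace: database
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: postgres          # assumed label
  ingress:
    - fromEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: media
            app.kubernetes.io/name: autobrr     # assumed label
      toPorts:
        - ports:
            - port: "5432"                      # assumed postgres port
              protocol: TCP
---
# 3. Cluster-wide allow so the per-namespace default deny does not silence
#    Prometheus scraping. No toPorts here because scrape ports differ per app;
#    tighten to the known metrics port wherever one is fixed.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: allow-prometheus-scrape
spec:
  endpointSelector: {}
  ingress:
    - fromEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: observability
            app.kubernetes.io/name: prometheus  # assumed label
```

After applying to a single namespace, `hubble observe --namespace database --verdict DROPPED` lists exactly which flows the default deny is breaking, which is the per-namespace rollout check the deploy note asks for.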
