manifests/infrastructure/postgresql/cilium-cnpg-policies.yaml

---
# Comprehensive CloudNativePG network policy for single-operator deployment
# This allows the Helm-deployed operator in postgresql-system to manage the cluster
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: cnpg-comprehensive-access
  namespace: postgresql-system
spec:
  description: "Allow CloudNativePG operator and cluster communication"
  endpointSelector:
    matchLabels:
      cnpg.io/cluster: postgres-shared  # Apply to postgres-shared cluster pods
  ingress:
    # Allow operator in same namespace to manage cluster
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/name: cloudnative-pg  # Helm-deployed operator
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP  # PostgreSQL database
            - port: "8000"
              protocol: TCP  # CloudNativePG health endpoint
            - port: "9187" 
              protocol: TCP  # PostgreSQL metrics
    # Allow cluster-wide access for applications and monitoring
    - fromEntities:
        - cluster
        - host
        - remote-node
        - kube-apiserver  # Explicitly allow API server (used for service port-forward)
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP  # PostgreSQL database access
            - port: "9187"
              protocol: TCP  # Metrics collection
    # Allow pod-to-pod communication within cluster (replication)
    - fromEndpoints:
        - matchLabels:
            cnpg.io/cluster: postgres-shared
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP  # PostgreSQL replication
            - port: "8000"
              protocol: TCP  # Health checks between replicas
---
# Allow CloudNativePG operator to reach webhook endpoints
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: cnpg-operator-webhook-access
  namespace: postgresql-system
spec:
  description: "Allow CloudNativePG operator webhook communication"
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: cloudnative-pg  # Helm-deployed operator
  ingress:
    # Allow Kubernetes API server to reach webhook
    - fromEntities:
        - host
        - cluster
      toPorts:
        - ports:
            - port: "9443"
              protocol: TCP  # CloudNativePG webhook port
  egress:
    # Allow operator to reach PostgreSQL pods for management
    - toEndpoints:
        - matchLabels:
            cnpg.io/cluster: postgres-shared
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP
            - port: "8000"
              protocol: TCP
    # Allow operator to reach Kubernetes API
    - toEntities:
        - cluster
        - host
        - remote-node
redaction (#1) Add the redacted source file for demo purposes Reviewed-on: https://source.michaeldileo.org/michael_dileo/Keybard-Vagabond-Demo/pulls/1 Co-authored-by: Michael DiLeo <michael_dileo@proton.me> Co-committed-by: Michael DiLeo <michael_dileo@proton.me> 2025-12-24 13:40:47 +00:00			`---`
			`# Comprehensive CloudNativePG network policy for single-operator deployment`
			`# This allows the Helm-deployed operator in postgresql-system to manage the cluster`
			`apiVersion: cilium.io/v2`
			`kind: CiliumNetworkPolicy`
			`metadata:`
			`name: cnpg-comprehensive-access`
			`namespace: postgresql-system`
			`spec:`
			`description: "Allow CloudNativePG operator and cluster communication"`
			`endpointSelector:`
			`matchLabels:`
			`cnpg.io/cluster: postgres-shared # Apply to postgres-shared cluster pods`
			`ingress:`
			`# Allow operator in same namespace to manage cluster`
			`- fromEndpoints:`
			`- matchLabels:`
			`app.kubernetes.io/name: cloudnative-pg # Helm-deployed operator`
			`toPorts:`
			`- ports:`
			`- port: "5432"`
			`protocol: TCP # PostgreSQL database`
			`- port: "8000"`
			`protocol: TCP # CloudNativePG health endpoint`
			`- port: "9187"`
			`protocol: TCP # PostgreSQL metrics`
			`# Allow cluster-wide access for applications and monitoring`
			`- fromEntities:`
			`- cluster`
			`- host`
			`- remote-node`
			`- kube-apiserver # Explicitly allow API server (used for service port-forward)`
			`toPorts:`
			`- ports:`
			`- port: "5432"`
			`protocol: TCP # PostgreSQL database access`
			`- port: "9187"`
			`protocol: TCP # Metrics collection`
			`# Allow pod-to-pod communication within cluster (replication)`
			`- fromEndpoints:`
			`- matchLabels:`
			`cnpg.io/cluster: postgres-shared`
			`toPorts:`
			`- ports:`
			`- port: "5432"`
			`protocol: TCP # PostgreSQL replication`
			`- port: "8000"`
			`protocol: TCP # Health checks between replicas`
			`---`
			`# Allow CloudNativePG operator to reach webhook endpoints`
			`apiVersion: cilium.io/v2`
			`kind: CiliumNetworkPolicy`
			`metadata:`
			`name: cnpg-operator-webhook-access`
			`namespace: postgresql-system`
			`spec:`
			`description: "Allow CloudNativePG operator webhook communication"`
			`endpointSelector:`
			`matchLabels:`
			`app.kubernetes.io/name: cloudnative-pg # Helm-deployed operator`
			`ingress:`
			`# Allow Kubernetes API server to reach webhook`
			`- fromEntities:`
			`- host`
			`- cluster`
			`toPorts:`
			`- ports:`
			`- port: "9443"`
			`protocol: TCP # CloudNativePG webhook port`
			`egress:`
			`# Allow operator to reach PostgreSQL pods for management`
			`- toEndpoints:`
			`- matchLabels:`
			`cnpg.io/cluster: postgres-shared`
			`toPorts:`
			`- ports:`
			`- port: "5432"`
			`protocol: TCP`
			`- port: "8000"`
			`protocol: TCP`
			`# Allow operator to reach Kubernetes API`
			`- toEntities:`
			`- cluster`
			`- host`
			`- remote-node`