manifests/infrastructure/postgresql/network-policy.yaml.example

# Example PostgreSQL Network Policies (not applied by default)
# Uncomment and customize these if you want to implement network security for PostgreSQL

# ---
# apiVersion: "cilium.io/v2"
# kind: CiliumNetworkPolicy
# metadata:
#   name: "postgresql-ingress"
#   namespace: postgresql-system
# spec:
#   description: "Allow ingress traffic to PostgreSQL pods"
#   endpointSelector:
#     matchLabels:
#       postgresql: postgresql-shared
#   ingress:
#   # Allow CloudNativePG operator status checks
#   - fromEndpoints:
#     - matchLabels:
#         app.kubernetes.io/name: cloudnative-pg
#     toPorts:
#     - ports:
#       - port: "8000"  # Status port
#         protocol: "TCP"
#   
#   # Allow PostgreSQL connections from applications
#   - fromEntities:
#     - cluster  # Allow any pod in cluster to connect
#     toPorts:
#     - ports:
#       - port: "5432"  # PostgreSQL port
#         protocol: "TCP"
#   
#   # Allow PostgreSQL replication between instances
#   - fromEndpoints:
#     - matchLabels:
#         postgresql: postgresql-shared  # Allow PostgreSQL pods to talk to each other
#     toPorts:
#     - ports:
#       - port: "5432"
#         protocol: "TCP"
#   
#   # Allow metrics scraping (for OpenObserve)
#   - fromEndpoints:
#     - matchLabels:
#         app: openobserve-collector
#     toPorts:
#     - ports:
#       - port: "9187"  # Metrics port
#         protocol: "TCP"

# ---
# apiVersion: "cilium.io/v2"
# kind: CiliumNetworkPolicy  
# metadata:
#   name: "postgresql-egress"
#   namespace: postgresql-system
# spec:
#   description: "Allow egress traffic from PostgreSQL pods"
#   endpointSelector:
#     matchLabels:
#       postgresql: postgresql-shared
#   egress:
#   # Allow DNS resolution
#   - toEndpoints:
#     - matchLabels:
#         k8s-app: kube-dns
#     toPorts:
#     - ports:
#       - port: "53"
#         protocol: "UDP"
#       - port: "53"
#         protocol: "TCP"
#   
#   # Allow PostgreSQL replication
#   - toEndpoints:
#     - matchLabels:
#         postgresql: postgresql-shared
#     toPorts:
#     - ports:
#       - port: "5432"
#         protocol: "TCP"
redaction (#1) Add the redacted source file for demo purposes Reviewed-on: https://source.michaeldileo.org/michael_dileo/Keybard-Vagabond-Demo/pulls/1 Co-authored-by: Michael DiLeo <michael_dileo@proton.me> Co-committed-by: Michael DiLeo <michael_dileo@proton.me> 2025-12-24 13:40:47 +00:00			`# Example PostgreSQL Network Policies (not applied by default)`
			`# Uncomment and customize these if you want to implement network security for PostgreSQL`

			`# ---`
			`# apiVersion: "cilium.io/v2"`
			`# kind: CiliumNetworkPolicy`
			`# metadata:`
			`# name: "postgresql-ingress"`
			`# namespace: postgresql-system`
			`# spec:`
			`# description: "Allow ingress traffic to PostgreSQL pods"`
			`# endpointSelector:`
			`# matchLabels:`
			`# postgresql: postgresql-shared`
			`# ingress:`
			`# # Allow CloudNativePG operator status checks`
			`# - fromEndpoints:`
			`# - matchLabels:`
			`# app.kubernetes.io/name: cloudnative-pg`
			`# toPorts:`
			`# - ports:`
			`# - port: "8000" # Status port`
			`# protocol: "TCP"`
			`#`
			`# # Allow PostgreSQL connections from applications`
			`# - fromEntities:`
			`# - cluster # Allow any pod in cluster to connect`
			`# toPorts:`
			`# - ports:`
			`# - port: "5432" # PostgreSQL port`
			`# protocol: "TCP"`
			`#`
			`# # Allow PostgreSQL replication between instances`
			`# - fromEndpoints:`
			`# - matchLabels:`
			`# postgresql: postgresql-shared # Allow PostgreSQL pods to talk to each other`
			`# toPorts:`
			`# - ports:`
			`# - port: "5432"`
			`# protocol: "TCP"`
			`#`
			`# # Allow metrics scraping (for OpenObserve)`
			`# - fromEndpoints:`
			`# - matchLabels:`
			`# app: openobserve-collector`
			`# toPorts:`
			`# - ports:`
			`# - port: "9187" # Metrics port`
			`# protocol: "TCP"`

			`# ---`
			`# apiVersion: "cilium.io/v2"`
			`# kind: CiliumNetworkPolicy`
			`# metadata:`
			`# name: "postgresql-egress"`
			`# namespace: postgresql-system`
			`# spec:`
			`# description: "Allow egress traffic from PostgreSQL pods"`
			`# endpointSelector:`
			`# matchLabels:`
			`# postgresql: postgresql-shared`
			`# egress:`
			`# # Allow DNS resolution`
			`# - toEndpoints:`
			`# - matchLabels:`
			`# k8s-app: kube-dns`
			`# toPorts:`
			`# - ports:`
			`# - port: "53"`
			`# protocol: "UDP"`
			`# - port: "53"`
			`# protocol: "TCP"`
			`#`
			`# # Allow PostgreSQL replication`
			`# - toEndpoints:`
			`# - matchLabels:`
			`# postgresql: postgresql-shared`
			`# toPorts:`
			`# - ports:`
			`# - port: "5432"`
			`# protocol: "TCP"`