## ## Stonks Oracle — Network Policies ## ## Default-deny ingress for the namespace, then allow only the ## traffic patterns each component actually needs. ## ## Requirements: 8.2 (trading isolation), 12.1 (observability) ## # ── Default deny all ingress in the namespace ────────────────────────── apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-ingress namespace: stonks-oracle spec: podSelector: {} policyTypes: - Ingress --- # ── Query API: accept from Traefik ingress only ─────────────────────── apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-query-api-ingress namespace: stonks-oracle spec: podSelector: matchLabels: app: query-api policyTypes: - Ingress ingress: - from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: kube-system ports: - protocol: TCP port: 8000 --- # ── Symbol Registry API: accept from Traefik ingress only ───────────── apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-symbol-registry-ingress namespace: stonks-oracle spec: podSelector: matchLabels: app: symbol-registry-api policyTypes: - Ingress ingress: - from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: kube-system ports: - protocol: TCP port: 8000 --- # ── Risk Engine: accept from broker-adapter only ─────────────────────── apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-risk-engine-ingress namespace: stonks-oracle spec: podSelector: matchLabels: app: risk-engine policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: app: broker-adapter - podSelector: matchLabels: app: query-api ports: - protocol: TCP port: 8000 --- # ── Superset: accept from Traefik ingress only ──────────────────────── apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-superset-ingress namespace: stonks-oracle spec: podSelector: matchLabels: app: superset policyTypes: - Ingress ingress: - from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: kube-system ports: - protocol: TCP port: 8088 --- # ── Trino: accept from Superset and query-api ───────────────────────── apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-trino-ingress namespace: stonks-oracle spec: podSelector: matchLabels: app: trino policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: app: superset - podSelector: matchLabels: app: query-api - namespaceSelector: matchLabels: kubernetes.io/metadata.name: kube-system ports: - protocol: TCP port: 8080 --- # ── Hive Metastore: accept from Trino and lake-publisher ────────────── apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-hive-metastore-ingress namespace: stonks-oracle spec: podSelector: matchLabels: app: hive-metastore policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: app: trino - podSelector: matchLabels: app: lake-publisher ports: - protocol: TCP port: 9083 --- # ── Broker adapter: isolated — no inbound from other pods ────────────── # The broker-adapter only makes outbound calls to the broker API # and reads from Redis queues. No pod needs to call into it. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-broker-adapter-ingress namespace: stonks-oracle spec: podSelector: matchLabels: app: broker-adapter policyTypes: - Ingress ingress: []