admin/stonks-oracle
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
stonks-oracle/infra/k8s/network-policies.yaml
T

174 lines
4.3 KiB
YAML
Raw Permalink Blame History

##
## Stonks Oracle — Network Policies
##
## Default-deny ingress for the namespace, then allow only the
## traffic patterns each component actually needs.
##
## Requirements: 8.2 (trading isolation), 12.1 (observability)
##
# ── Default deny all ingress in the namespace ──────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
namespace: stonks-oracle
spec:
podSelector: {}
policyTypes:
- Ingress
---
# ── Query API: accept from Traefik ingress only ───────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-query-api-ingress
namespace: stonks-oracle
spec:
podSelector:
matchLabels:
app: query-api
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
ports:
- protocol: TCP
port: 8000
---
# ── Symbol Registry API: accept from Traefik ingress only ─────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-symbol-registry-ingress
namespace: stonks-oracle
spec:
podSelector:
matchLabels:
app: symbol-registry-api
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
ports:
- protocol: TCP
port: 8000
---
# ── Risk Engine: accept from broker-adapter only ───────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-risk-engine-ingress
namespace: stonks-oracle
spec:
podSelector:
matchLabels:
app: risk-engine
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: broker-adapter
- podSelector:
matchLabels:
app: query-api
ports:
- protocol: TCP
port: 8000
---
# ── Superset: accept from Traefik ingress only ────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-superset-ingress
namespace: stonks-oracle
spec:
podSelector:
matchLabels:
app: superset
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
ports:
- protocol: TCP
port: 8088
---
# ── Trino: accept from Superset and query-api ─────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-trino-ingress
namespace: stonks-oracle
spec:
podSelector:
matchLabels:
app: trino
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: superset
- podSelector:
matchLabels:
app: query-api
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
ports:
- protocol: TCP
port: 8080
---
# ── Hive Metastore: accept from Trino and lake-publisher ──────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-hive-metastore-ingress
namespace: stonks-oracle
spec:
podSelector:
matchLabels:
app: hive-metastore
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: trino
- podSelector:
matchLabels:
app: lake-publisher
ports:
- protocol: TCP
port: 9083
---
# ── Broker adapter: isolated — no inbound from other pods ──────────────
# The broker-adapter only makes outbound calls to the broker API
# and reads from Redis queues. No pod needs to call into it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-broker-adapter-ingress
namespace: stonks-oracle
spec:
podSelector:
matchLabels:
app: broker-adapter
policyTypes:
- Ingress
ingress: []
Reference in New Issue View Git Blame Copy Permalink