apunkt/gomcp
1
0
Fork 0
mirror of https://github.com/syntrex-lab/gomcp.git synced 2026-04-26 12:56:21 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
gomcp/deploy/k8s-network-policy.yaml

197 lines
3.7 KiB
YAML
Raw Normal View History

Release prep: 54 engines, self-hosted signatures, i18n, dashboard updates
2026-03-23 16:45:40 +10:00
# SEC-011: K8s NetworkPolicy для изоляции SOC pods
# Применяется: kubectl apply -f k8s-network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: soc-ingest-policy
namespace: sentinel
labels:
app: sentinel-soc
component: ingest
security: sec-011
spec:
podSelector:
matchLabels:
app: sentinel-soc
component: ingest
policyTypes:
- Ingress
- Egress
ingress:
# Accept from external (sensors, dashboard)
- from:
- namespaceSelector:
matchLabels:
name: sentinel
- podSelector:
matchLabels:
app: sentinel-sensor
ports:
- protocol: TCP
port: 9750
egress:
# Only to correlate (IPC)
- to:
- podSelector:
matchLabels:
component: correlate
ports:
- protocol: TCP
port: 19751
# DNS resolution
- to:
- namespaceSelector: {}
ports:
- protocol: UDP
port: 53
- protocol: TCP
port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: soc-correlate-policy
namespace: sentinel
labels:
app: sentinel-soc
component: correlate
security: sec-011
spec:
podSelector:
matchLabels:
app: sentinel-soc
component: correlate
policyTypes:
- Ingress
- Egress
ingress:
# Only from ingest
- from:
- podSelector:
matchLabels:
component: ingest
ports:
- protocol: TCP
port: 19751
egress:
# Only to respond (IPC)
- to:
- podSelector:
matchLabels:
component: respond
ports:
- protocol: TCP
port: 19752
# DNS
- to:
- namespaceSelector: {}
ports:
- protocol: UDP
port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: soc-respond-policy
namespace: sentinel
labels:
app: sentinel-soc
component: respond
security: sec-011
spec:
podSelector:
matchLabels:
app: sentinel-soc
component: respond
policyTypes:
- Ingress
- Egress
ingress:
# Only from correlate
- from:
- podSelector:
matchLabels:
component: correlate
ports:
- protocol: TCP
port: 19752
egress:
# HTTPS outbound for webhooks
- to: []
ports:
- protocol: TCP
port: 443
# DNS
- to:
- namespaceSelector: {}
ports:
- protocol: UDP
port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: soc-immune-policy
namespace: sentinel
labels:
app: sentinel-soc
component: immune
security: sec-011
spec:
podSelector:
matchLabels:
app: sentinel-soc
component: immune
policyTypes:
- Ingress
- Egress
ingress:
# Health checks from watchdog mesh
- from:
- podSelector:
matchLabels:
app: sentinel-soc
ports:
- protocol: TCP
port: 9760
egress:
# Watchdog mesh heartbeats to peers
- to:
- podSelector:
matchLabels:
app: sentinel-soc
ports:
- protocol: TCP
port: 9760
- protocol: TCP
port: 9770
# DNS
- to:
- namespaceSelector: {}
ports:
- protocol: UDP
port: 53
---
# Default deny all in sentinel namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: sentinel
labels:
security: sec-011
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
Reference in a new issue Copy permalink