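# SEC-011: Kubernetes NetworkPolicy set isolating the SOC pods
#
# Apply with: kubectl apply -f k8s-network-policy.yaml
#
# Each policy in this file lives in the "sentinel" namespace and carries
# the label security: sec-011 so the whole set can be listed or removed
# with one label selector.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: soc-ingest-policy
  namespace: sentinel
  labels:
    app: sentinel-soc
    component: ingest
    security: sec-011
spec:
  podSelector:
    matchLabels:
      app: sentinel-soc
      component: ingest
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Accept from external (sensors, dashboard).
    # The two peers are OR-ed: any pod in a namespace labelled
    # name: sentinel, OR any pod in this namespace labelled
    # app: sentinel-sensor.
    # NOTE(review): the namespace peer admits every pod of the "sentinel"
    # namespace to port 9750, not only the dashboard, and it depends on
    # the namespace carrying a hand-applied name: sentinel label (recent
    # clusters set kubernetes.io/metadata.name automatically). Confirm
    # whether a podSelector on the dashboard pod is the intended scope.
    - from:
        - namespaceSelector:
            matchLabels:
              name: sentinel
        - podSelector:
            matchLabels:
              app: sentinel-sensor
      ports:
        - protocol: TCP
          port: 9750
  egress:
    # Only to correlate (IPC). The app label is required alongside
    # component so that only the SOC correlate pods are reachable, not
    # any pod that merely copies the component label.
    - to:
        - podSelector:
            matchLabels:
              app: sentinel-soc
              component: correlate
      ports:
        - protocol: TCP
          port: 19751
    # DNS resolution (UDP, plus TCP for truncated responses).
    # NOTE(review): namespaceSelector: {} reaches port 53 on any pod in
    # any namespace; narrowing to the cluster DNS pods is tighter —
    # confirm the DNS deployment's labels before doing so.
    - to:
        - namespaceSelector: {}
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53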
---
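apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: soc-correlate-policy
  namespace: sentinel
  labels:
    app: sentinel-soc
    component: correlate
    security: sec-011
spec:
  podSelector:
    matchLabels:
      app: sentinel-soc
      component: correlate
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only from ingest (IPC). The app label is required alongside
    # component so that only the SOC ingest pods match, not any pod
    # that merely copies the component label.
    - from:
        - podSelector:
            matchLabels:
              app: sentinel-soc
              component: ingest
      ports:
        - protocol: TCP
          port: 19751
  egress:
    # Only to respond (IPC); same two-label peer selection as above.
    - to:
        - podSelector:
            matchLabels:
              app: sentinel-soc
              component: respond
      ports:
        - protocol: TCP
          port: 19752
    # DNS. TCP/53 is listed next to UDP/53 so lookups that fall back to
    # TCP on a truncated response are not dropped (the ingest policy in
    # this file already allows both).
    # NOTE(review): namespaceSelector: {} reaches port 53 on any pod in
    # any namespace; narrowing to the cluster DNS pods is tighter —
    # confirm the DNS deployment's labels first.
    - to:
        - namespaceSelector: {}
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53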
---
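apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: soc-respond-policy
  namespace: sentinel
  labels:
    app: sentinel-soc
    component: respond
    security: sec-011
spec:
  podSelector:
    matchLabels:
      app: sentinel-soc
      component: respond
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only from correlate (IPC). The app label is required alongside
    # component so that only the SOC correlate pods match, not any pod
    # that merely copies the component label.
    - from:
        - podSelector:
            matchLabels:
              app: sentinel-soc
              component: correlate
      ports:
        - protocol: TCP
          port: 19752
  egress:
    # HTTPS outbound for webhooks.
    # NOTE(review): an empty "to" list matches every destination, so this
    # rule opens TCP/443 to all pods and services in the cluster as well
    # as to the internet. If the webhook endpoints are external only,
    # an ipBlock peer with the cluster/private ranges in "except" would
    # confine it — confirm the endpoints before narrowing.
    - to: []
      ports:
        - protocol: TCP
          port: 443
    # DNS. TCP/53 is listed next to UDP/53 so lookups that fall back to
    # TCP on a truncated response are not dropped (the ingest policy in
    # this file already allows both).
    # NOTE(review): namespaceSelector: {} reaches port 53 on any pod in
    # any namespace; narrowing to the cluster DNS pods is tighter —
    # confirm the DNS deployment's labels first.
    - to:
        - namespaceSelector: {}
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53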
---
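apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: soc-immune-policy
  namespace: sentinel
  labels:
    app: sentinel-soc
    component: immune
    security: sec-011
spec:
  podSelector:
    matchLabels:
      app: sentinel-soc
      component: immune
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Health checks from watchdog mesh: any SOC pod in this namespace
    # (app: sentinel-soc, every component) may probe port 9760.
    - from:
        - podSelector:
            matchLabels:
              app: sentinel-soc
      ports:
        - protocol: TCP
          port: 9760
  egress:
    # Watchdog mesh heartbeats to peers (any SOC pod, ports 9760/9770).
    # NOTE(review): this only permits the immune side; the ingest,
    # correlate and respond policies in this file do not admit ingress on
    # 9760 or 9770, so heartbeats to those pods are dropped unless another
    # policy allows them — confirm the intended mesh members.
    - to:
        - podSelector:
            matchLabels:
              app: sentinel-soc
      ports:
        - protocol: TCP
          port: 9760
        - protocol: TCP
          port: 9770
    # DNS. TCP/53 is listed next to UDP/53 so lookups that fall back to
    # TCP on a truncated response are not dropped (the ingest policy in
    # this file already allows both).
    # NOTE(review): namespaceSelector: {} reaches port 53 on any pod in
    # any namespace; narrowing to the cluster DNS pods is tighter —
    # confirm the DNS deployment's labels first.
    - to:
        - namespaceSelector: {}
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53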
---
# Default deny all in sentinel namespace.
# podSelector: {} selects every pod in the namespace, and listing both
# policy types with no ingress/egress rules means nothing is allowed
# unless another policy in this namespace permits it (NetworkPolicies
# are additive, so the component policies above still apply). Any pod
# not matched by one of those policies loses all traffic, including DNS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: sentinel
  labels:
    security: sec-011
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress