- Opzet cluster werkt

- Opstart redis en minio werkt - Bezig om eigenlijke apps op te starten ... werkt nog niet.
2025-08-19 18:08:59 +02:00
parent 84a9334c80
commit d6a2635e50
15 changed files with 574 additions and 602 deletions
--- a/k8s/dev/network-policies.yaml
+++ b/k8s/dev/network-policies.yaml
@@ -0,0 +1,147 @@
+# Network Policies for EveAI Dev Environment
+# File: network-policies.yaml
+# Provides proper isolation and security for Kubernetes services
+---
+# Default deny all ingress traffic (security first approach)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-ingress
+  namespace: eveai-dev
+  labels:
+    app: eveai
+    environment: dev
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+
+---
+# Allow ingress controller to reach app services
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-to-apps
+  namespace: eveai-dev
+  labels:
+    app: eveai
+    environment: dev
+spec:
+  podSelector:
+    matchLabels:
+      tier: frontend
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          name: ingress-nginx
+    ports:
+    - protocol: TCP
+      port: 5001  # eveai-app
+    - protocol: TCP
+      port: 5003  # eveai-api
+    - protocol: TCP
+      port: 5004  # eveai-chat-client
+
+---
+# Allow app services to communicate with backend services
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-apps-to-backend
+  namespace: eveai-dev
+  labels:
+    app: eveai
+    environment: dev
+spec:
+  podSelector:
+    matchLabels:
+      tier: backend
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          tier: frontend
+    ports:
+    - protocol: TCP
+      port: 6379  # Redis
+    - protocol: TCP
+      port: 9000  # MinIO S3 API
+    - protocol: TCP
+      port: 9001  # MinIO Console
+    - protocol: TCP
+      port: 5432  # PostgreSQL
+
+---
+# Allow internal service communication within eveai-dev namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-internal-communication
+  namespace: eveai-dev
+  labels:
+    app: eveai
+    environment: dev
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          name: eveai-dev
+
+---
+# Allow monitoring services to scrape metrics
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-monitoring-scraping
+  namespace: eveai-dev
+  labels:
+    app: eveai
+    environment: dev
+spec:
+  podSelector:
+    matchLabels:
+      tier: monitoring
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: prometheus
+    ports:
+    - protocol: TCP
+      port: 9090  # Prometheus
+    - protocol: TCP
+      port: 9091  # Pushgateway
+    - protocol: TCP
+      port: 5555  # Flower
+    - protocol: TCP
+      port: 3000  # Grafana
+
+---
+# Allow external access to monitoring services (NodePort)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-external-monitoring
+  namespace: eveai-dev
+  labels:
+    app: eveai
+    environment: dev
+spec:
+  podSelector:
+    matchLabels:
+      tier: monitoring
+  policyTypes:
+  - Ingress
+  ingress:
+  - {} # Allow all external traffic to monitoring services