Feat/153 network policy expansion across namespaces #230

Open
benie-joy-possi wants to merge 18 commits into main from feat/153-network-policy-expansion-accross-namespaces
Conversation

@benie-joy-possi
Collaborator

Expand namespace isolation with explicit network policy coverage.

benie-joy-possi and others added 18 commits April 14, 2026 13:23
Co-authored-by: stephane-segning <stephane-segning@users.noreply.github.com>
Co-authored-by: benie-joy-possi <benie-joy-possi@users.noreply.github.com>
@github-actions
Contributor

The pull request Feat/153 network policy expansion across namespaces introduces extensive NetworkPolicy coverage across multiple namespaces in the Helm charts.

Key Observations:

  • Purpose: Enforces stronger network isolation by implementing default-deny-like structures and explicit allowed ingress/egress rules across various components (cert, core-gateway, librechart, mcps).
  • Structure: The implementation uses Helm if blocks to conditionally enable these policies based on .Values.networkPolicy.enabled or specific keys in .Values.policies. This allows for flexible adoption.
  • Granularity: Policies are well-defined with specific namespaceSelector and podSelector criteria, adhering to principles of least privilege.
  • Egress Control: Egress is strictly controlled, generally allowing DNS (kube-system), intra-namespace traffic, and specific dependencies (like API servers or other services).
  • Changes:
    • Adds several new networkpolicy.yaml templates across charts.
    • Updates values.yaml files to support these new configurations.
    • Refactors models-proxy by removing an existing policy template and integrating it into the new structure via values.yaml updates.

Potential Considerations:

  1. Default Deny: Ensure that enabling these policies does not break existing traffic flows if not all required communication paths are accounted for in the ingress/egress rules.
  2. Naming Consistency: The naming conventions for network policies seem consistent across the added files.
  3. Complexity: The core-gateway/templates/networkpolicy.yaml file is quite large (500+ lines) due to containing multiple policy definitions. While functional, it might be beneficial to consider splitting these into smaller, modular files if maintenance becomes difficult.

Overall, this is a significant enhancement to the security posture of the infrastructure. The implementation appears systematic and follows Kubernetes best practices for network isolation.

New session - 2026-04-17T18:20:55.858Z
opencode session  |  github run
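The review above describes the pattern the PR uses: a Helm `if` block keyed on `.Values.networkPolicy.enabled`, a default-deny structure for both ingress and egress, and explicit allow rules for DNS in `kube-system` and for intra-namespace traffic. The template below is an added example of that pattern and is not a file from this PR or from the project's charts. It assumes the standard CoreDNS/kube-dns pod label `k8s-app: kube-dns`, the automatic namespace label `kubernetes.io/metadata.name` (set by Kubernetes 1.21 and later), and that the chart is installed into the namespace the policy should cover (`.Release.Namespace`).

```yaml
{{- if .Values.networkPolicy.enabled }}
# Added example, not the project's own template.
# Assumptions: kube-dns pods carry the label k8s-app=kube-dns, and the
# kube-system namespace carries kubernetes.io/metadata.name=kube-system.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-default-deny
  namespace: {{ .Release.Namespace }}
spec:
  # Empty podSelector: the policy applies to every pod in the namespace.
  podSelector: {}
  # Listing both types makes the policy default-deny in both directions;
  # only the rules below are allowed.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow traffic from pods in the same namespace only. Callers in other
    # namespaces need their own explicit rule with a namespaceSelector.
    - from:
        - podSelector: {}
  egress:
    # Allow DNS resolution via kube-dns in kube-system. Without this rule a
    # default-deny egress policy silently breaks service-name lookups, which
    # is the most common way such policies "break existing traffic flows".
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Allow egress to pods in the same namespace.
    - to:
        - podSelector: {}
{{- end }}
```

Two checks are worth running before enabling a policy like this in a live namespace. First, render the chart with `helm template <release> <chart> --set networkPolicy.enabled=true` and confirm the policy only appears when the flag is set. Second, apply it to a staging namespace and exercise each known dependency (DNS, any cross-namespace API server or service the components call), adding an explicit `namespaceSelector`/`podSelector` rule for each path that fails; that addresses the "Default Deny" consideration the review raises. Note that a NetworkPolicy is only enforced when the cluster's CNI plugin supports it; on a CNI without policy support the object is accepted but has no effect, so the rendered manifest alone is not evidence of isolation.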


Development

Successfully merging this pull request may close these issues.

[Ticket] Expand NetworkPolicies across application namespaces
