Skip to content

Commit 88c5ed4

Browse files
NotYuShengclaude
andcommitted
security: Convert Redis NetworkPolicy from same-namespace to zero-trust
- Replace fromSameNamespace: true with specific allowedCallers - Only allow pdf-processor-service, pdf-extraction-service, metadata-service, cleaner - Implements zero-trust security pattern consistent with other services - Prevents unauthorized Redis access from any service in namespace - Matches service communication matrix in README 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
1 parent 720b2a6 commit 88c5ed4

1 file changed

Lines changed: 19 additions & 2 deletions

File tree

helm/redis/values.yaml

Lines changed: 19 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -171,8 +171,25 @@ networkPolicy:
171171
enabled: false
172172
ingress:
173173
enabled: true
174-
fromSameNamespace: true
175-
fromIngressController: false
174+
# ZERO-TRUST: Only specific services can connect to Redis
175+
allowedCallers:
176+
# PDF processor orchestrates workflows and manages sessions
177+
- podSelector:
178+
matchLabels:
179+
app.kubernetes.io/name: pdf-processor-service
180+
# PDF extraction manages document file lists
181+
- podSelector:
182+
matchLabels:
183+
app.kubernetes.io/name: pdf-extraction-service
184+
# Metadata service manages document file lists
185+
- podSelector:
186+
matchLabels:
187+
app.kubernetes.io/name: metadata-service
188+
# Cleaner accesses Redis for cleanup notifications
189+
- podSelector:
190+
matchLabels:
191+
app.kubernetes.io/name: cleaner
192+
# Custom ingress rules for special cases
176193
customRules: []
177194
egress:
178195
enabled: false

0 commit comments

Comments
 (0)