tony/bzzz
1
0
Fork 0
Code Issues 6 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7c00e53a7f0d1908a5656dc6ed60992b99455093
bzzz/infrastructure/security/network-policy.yaml
anthonyrawlins 065dddf8d5 Prepare for v2 development: Add MCP integration and future development planning 
- Add FUTURE_DEVELOPMENT.md with comprehensive v2 protocol specification
- Add MCP integration design and implementation foundation
- Add infrastructure and deployment configurations
- Update system architecture for v2 evolution

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-07 14:38:22 +10:00

335 lines
5.8 KiB
YAML
Raw Blame History

# Kubernetes Network Policy for BZZZ v2 (if migrating to K8s later)
# Currently using Docker Swarm, but this provides a template for K8s migration
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: bzzz-v2-network-policy
namespace: bzzz-v2
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
# Default deny all ingress and egress
ingress: []
egress: []
---
# Allow internal cluster communication
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: bzzz-internal-communication
namespace: bzzz-v2
spec:
podSelector:
matchLabels:
app: bzzz-agent
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: bzzz-v2
ports:
- protocol: TCP
port: 9000
- protocol: UDP
port: 9000
egress:
- to:
- namespaceSelector:
matchLabels:
name: bzzz-v2
ports:
- protocol: TCP
port: 9000
- protocol: UDP
port: 9000
---
# DHT Bootstrap Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: dht-bootstrap-policy
namespace: bzzz-v2
spec:
podSelector:
matchLabels:
app: dht-bootstrap
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: bzzz-v2
ports:
- protocol: TCP
port: 9101
- protocol: TCP
port: 9102
- protocol: TCP
port: 9103
egress:
- to:
- namespaceSelector:
matchLabels:
name: bzzz-v2
ports:
- protocol: TCP
port: 9101
- protocol: TCP
port: 9102
- protocol: TCP
port: 9103
---
# MCP Server Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: mcp-server-policy
namespace: bzzz-v2
spec:
podSelector:
matchLabels:
app: mcp-server
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: traefik
ports:
- protocol: TCP
port: 3001
- from:
- podSelector:
matchLabels:
app: bzzz-agent
ports:
- protocol: TCP
port: 3001
egress:
- to:
- podSelector:
matchLabels:
app: bzzz-agent
ports:
- protocol: TCP
port: 9000
---
# OpenAI Proxy Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: openai-proxy-policy
namespace: bzzz-v2
spec:
podSelector:
matchLabels:
app: openai-proxy
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: traefik
ports:
- protocol: TCP
port: 3002
- from:
- podSelector:
matchLabels:
app: bzzz-agent
ports:
- protocol: TCP
port: 3002
egress:
# Allow outbound to OpenAI API
- to: []
ports:
- protocol: TCP
port: 443
# Allow access to Redis and PostgreSQL
- to:
- podSelector:
matchLabels:
app: redis
ports:
- protocol: TCP
port: 6379
- to:
- podSelector:
matchLabels:
app: postgres
ports:
- protocol: TCP
port: 5432
---
# Content Resolver Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: content-resolver-policy
namespace: bzzz-v2
spec:
podSelector:
matchLabels:
app: content-resolver
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: traefik
ports:
- protocol: TCP
port: 3003
- from:
- podSelector:
matchLabels:
app: bzzz-agent
ports:
- protocol: TCP
port: 3003
egress:
- to:
- podSelector:
matchLabels:
app: dht-bootstrap
ports:
- protocol: TCP
port: 9101
- protocol: TCP
port: 9102
- protocol: TCP
port: 9103
---
# Database Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: postgres-policy
namespace: bzzz-v2
spec:
podSelector:
matchLabels:
app: postgres
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: bzzz-agent
- podSelector:
matchLabels:
app: openai-proxy
- podSelector:
matchLabels:
app: conversation-manager
- podSelector:
matchLabels:
app: openai-cost-monitor
ports:
- protocol: TCP
port: 5432
---
# Redis Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: redis-policy
namespace: bzzz-v2
spec:
podSelector:
matchLabels:
app: redis
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: bzzz-agent
- podSelector:
matchLabels:
app: openai-proxy
ports:
- protocol: TCP
port: 6379
---
# Monitoring Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: monitoring-policy
namespace: bzzz-v2
spec:
podSelector:
matchLabels:
monitoring: "true"
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: monitoring
- namespaceSelector:
matchLabels:
name: traefik
ports:
- protocol: TCP
port: 9090
- protocol: TCP
port: 3000
- protocol: TCP
port: 9093
egress:
# Allow monitoring to scrape all services
- to:
- namespaceSelector:
matchLabels:
name: bzzz-v2
ports:
- protocol: TCP
port: 9000
- protocol: TCP
port: 3001
- protocol: TCP
port: 3002
- protocol: TCP
port: 3003
- protocol: TCP
port: 9100
- protocol: TCP
port: 8080
- protocol: TCP
port: 9200
- protocol: TCP
port: 9201
- protocol: TCP
port: 9202
- protocol: TCP
port: 9203
Reference in New Issue View Git Blame Copy Permalink