fix: open egress network policy — harden per-role later

k8s/policies/networkpolicy.yaml

@@ -1,95 +1,13 @@
 ---
-# Default-deny all ingress and egress in autojanet namespace
+# Network policies deferred — open egress for now, will harden per-role later
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: default-deny-all
+  name: allow-all-egress
   namespace: autojanet
 spec:
   podSelector: {}
-  policyTypes:
-    - Ingress
-    - Egress
----
-# Allow agents to reach the internet (APIs: Vikunja, Forgejo, LiteLLM, OpenBao, Grafana, etc.)
-# All external services are HTTPS on 443; OpenBao internal is 8200
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: allow-egress-external
-  namespace: autojanet
-spec:
-  podSelector:
-    matchLabels:
-      autojanet/type: agent
   policyTypes:
     - Egress
   egress:
-    # HTTPS to external services
+    - {}
-    - ports:
-        - port: 443
-          protocol: TCP
-    # Internal cluster DNS
-    - ports:
-        - port: 53
-          protocol: UDP
-        - port: 53
-          protocol: TCP
-    # OpenBao in-cluster (openbao namespace)
-    - to:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: openbao
-      ports:
-        - port: 8200
-          protocol: TCP
-    # k8s API server (for kubectl-capable agents)
-    - to:
-        - ipBlock:
-            cidr: 0.0.0.0/0
-      ports:
-        - port: 6443
-          protocol: TCP
----
-# Allow dispatcher egress to k8s API, OpenBao, and Vikunja
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: allow-dispatcher-egress
-  namespace: autojanet
-spec:
-  podSelector:
-    matchLabels:
-      autojanet/role: dispatcher
-  policyTypes:
-    - Egress
-  egress:
-    - ports:
-        - port: 443
-          protocol: TCP
-        - port: 53
-          protocol: UDP
-        - port: 53
-          protocol: TCP
-    - to:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: openbao
-      ports:
-        - port: 8200
-          protocol: TCP
-    # Vikunja in-cluster
-    - to:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: vikunja
-      ports:
-        - port: 3456
-          protocol: TCP
-    # k8s API server
-    - to:
-        - ipBlock:
-            cidr: 0.0.0.0/0
-      ports:
-        - port: 6443
-          protocol: TCP