fix: open egress network policy — harden per-role later

2026-05-30 18:00:01 -07:00 · 2026-05-30 18:00:01 -07:00 · bf7614a190
commit bf7614a190
parent 8301f641e0
1 changed files with 3 additions and 85 deletions
--- a/k8s/policies/networkpolicy.yaml
+++ b/k8s/policies/networkpolicy.yaml
@ -1,95 +1,13 @@
 ---
-# Default-deny all ingress and egress in autojanet namespace
+# Network policies deferred — open egress for now, will harden per-role later
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: default-deny-all
+  name: allow-all-egress
  namespace: autojanet
 spec:
  podSelector: {}
-  policyTypes:
-    - Ingress
-    - Egress
---
-# Allow agents to reach the internet (APIs: Vikunja, Forgejo, LiteLLM, OpenBao, Grafana, etc.)
-# All external services are HTTPS on 443; OpenBao internal is 8200
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: allow-egress-external
-  namespace: autojanet
-spec:
-  podSelector:
-    matchLabels:
-      autojanet/type: agent
  policyTypes:
    - Egress
  egress:
-    # HTTPS to external services
-    - ports:
-        - port: 443
-          protocol: TCP
-    # Internal cluster DNS
-    - ports:
-        - port: 53
-          protocol: UDP
-        - port: 53
-          protocol: TCP
-    # OpenBao in-cluster (openbao namespace)
-    - to:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: openbao
-      ports:
-        - port: 8200
-          protocol: TCP
-    # k8s API server (for kubectl-capable agents)
-    - to:
-        - ipBlock:
-            cidr: 0.0.0.0/0
-      ports:
-        - port: 6443
-          protocol: TCP
---
-# Allow dispatcher egress to k8s API, OpenBao, and Vikunja
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: allow-dispatcher-egress
-  namespace: autojanet
-spec:
-  podSelector:
-    matchLabels:
-      autojanet/role: dispatcher
-  policyTypes:
-    - Egress
-  egress:
-    - ports:
-        - port: 443
-          protocol: TCP
-        - port: 53
-          protocol: UDP
-        - port: 53
-          protocol: TCP
-    - to:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: openbao
-      ports:
-        - port: 8200
-          protocol: TCP
-    # Vikunja in-cluster
-    - to:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: vikunja
-      ports:
-        - port: 3456
-          protocol: TCP
-    # k8s API server
-    - to:
-        - ipBlock:
-            cidr: 0.0.0.0/0
-      ports:
-        - port: 6443
-          protocol: TCP
+    - {}