Add NetworkPolicy for the ZTWIM namespace#145

Merged
p-rog merged 25 commits into
validatedpatterns:mainfrom
p-rog:network-policy
Jun 15, 2026
Conversation

@p-rog p-rog commented Jun 12, 2026

Collaborator

Summary

Adds network isolation for the zero-trust-workload-identity-manager namespace using the default-deny + per-pod allow pattern.

Depends on ztwim-chart PR #5 which adds the NetworkPolicy templates to the wrapper chart. Until that PR merges, the values in this PR are silently ignored by Helm (no NetworkPolicies created).

Changes

  • Add overrides/values-ztwim-network-policy.yaml with per-pod rules for spire-server, OIDC discovery provider, SPIFFE CSI driver, and ZTWIM operator
  • Enable via extraValueFiles in values-hub.yaml for the ZTWIM application

Per-pod rules

| Component | Ingress | Egress |
|---|---|---|
| spire-server | 8081 gRPC (port-only — agents use hostNetwork), 8443 federation (router), 9443 webhook (port-only), 9402 metrics | DNS (5353), K8s API (6443) |
| OIDC discovery provider | 8443 HTTPS (router — serves JWKS for Vault and Keycloak) | DNS (5353) |
| SPIFFE CSI driver | — | DNS (5353) |
| ZTWIM operator | 8443 metrics | DNS (5353), K8s API (6443) |

Not covered (by design): spire-agent uses hostNetwork: true + hostPID: true — Kubernetes NetworkPolicies do not apply to hostNetwork pods.

Test plan

  • Dry-run on OCP 4.21 — all policies applied directly via oc apply
  • Agent attestation (6/6 agents re-attested after restart)
  • OIDC discovery route (HTTP 200, JWKS keys returned)
  • Vault JWT auth (depends on SPIRE OIDC)
  • Keycloak SPIFFE IdP (depends on SPIRE OIDC)
  • qtodo full SPIFFE auth chain
  • Operator reconciliation (allReady=true)
  • Full end-to-end after ztwim-chart PR merges

🤖 Generated with Claude Code
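As an added illustration of the default-deny + per-pod allow pattern the PR describes (this is not the ztwim-chart's own template output), the manifest below instantiates the spire-server row of the table above. The namespace and port numbers come from the PR; everything else is an assumption: the pod label `app.kubernetes.io/name: spire-server`, the use of the standard OpenShift `policy-group.network.openshift.io/ingress` namespace label to mean "the router", and scoping DNS egress to the `openshift-dns` namespace (the table only states the port). The other rows follow the same shape with fewer rules.

```yaml
# Added example, not code from the ztwim-chart. Pod labels and the router/DNS
# namespace selectors are ASSUMED; only the namespace and ports are from the PR.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: zero-trust-workload-identity-manager
spec:
  podSelector: {}                  # selects every pod in the namespace
  policyTypes: [Ingress, Egress]   # no rules listed => all ingress and egress denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: spire-server
  namespace: zero-trust-workload-identity-manager
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: spire-server   # ASSUMED label
  policyTypes: [Ingress, Egress]
  ingress:
    # "port-only" rule: no `from` clause, so any source may reach these ports.
    # This is deliberate: spire-agent runs with hostNetwork, so its traffic
    # arrives from node IPs that no podSelector or namespaceSelector can match.
    - ports:
        - port: 8081
          protocol: TCP   # agent gRPC
        - port: 9443
          protocol: TCP   # webhook
        - port: 9402
          protocol: TCP   # metrics (table gives no source qualifier)
    # Federation endpoint: reachable only from the OpenShift router namespace.
    - from:
        - namespaceSelector:
            matchLabels:
              policy-group.network.openshift.io/ingress: ""   # ASSUMED: standard OCP label
      ports:
        - port: 8443
          protocol: TCP
  egress:
    # Cluster DNS. ASSUMED tightening: restrict to the openshift-dns namespace
    # rather than allowing 5353 to any destination.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-dns
      ports:
        - port: 5353
          protocol: UDP
        - port: 5353
          protocol: TCP
    # Kubernetes API. Port-only: without a `to` clause this permits 6443 to any
    # address; add an ipBlock for the API endpoint if it is known for the cluster.
    - ports:
        - port: 6443
          protocol: TCP
```

Two things worth checking before merging a set of policies like this: `oc apply --dry-run=server -f <file>` validates the manifests against the API server without creating them, and the test-plan items above (agent re-attestation, the OIDC route returning JWKS) are the right functional probes, because the hostNetwork agent traffic is exactly the case a selector-based `from` rule would silently break.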

Przemyslaw Roguski and others added 25 commits April 9, 2026 19:04
…ft.io/ingress: triggers OVN-K's special ACL handling for host-network traffic
…snwers on both an internal hostname (for back-channel) and an external hostname (for browser redirects)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@p-rog p-rog requested review from minmzzhang, mlorenzofr and sabre1041 and removed request for minmzzhang June 12, 2026 15:48

@sabre1041 sabre1041 left a comment

LGTM pending integration of validatedpatterns/ztwim-chart#5

@minmzzhang

Collaborator

LGTM! validatedpatterns/ztwim-chart#5 is merged.

@p-rog

p-rog commented Jun 15, 2026

Collaborator Author

Since validatedpatterns/ztwim-chart#5 is merged and this update is also approved, I'm gonna go ahead and merge.

@p-rog p-rog merged commit e457810 into validatedpatterns:main Jun 15, 2026
3 checks passed