mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 13:15:16 +03:00
1.9 KiB
1.9 KiB
Network Policy Design Template
Application Traffic Flow Matrix
| Source | Destination | Port | Protocol | Justification |
|---|---|---|---|---|
| frontend | backend-api | 8080 | TCP | REST API calls |
| backend-api | postgres-db | 5432 | TCP | Database queries |
| backend-api | redis-cache | 6379 | TCP | Session caching |
| all pods | kube-dns | 53 | UDP/TCP | DNS resolution |
| ingress-nginx | frontend | 80 | TCP | External traffic |
| prometheus | all pods | 9090 | TCP | Metrics scraping |
Namespace Policy Checklist
Per Namespace
- Default deny ingress applied
- Default deny egress applied
- DNS egress allowed
- Required ingress rules created per traffic flow
- Required egress rules created per traffic flow
- Cross-namespace policies documented
- Policies tested with connectivity checks
Cluster-Wide (GlobalNetworkPolicy)
- Block external access to non-ingress namespaces
- Allow monitoring namespace to scrape metrics
- Allow kube-system health checks
- Emergency isolation policy prepared
Policy Naming Convention
{action}-{source}-to-{destination}-{port}
Examples:
allow-frontend-to-backend-8080deny-external-to-database-5432allow-monitoring-to-all-9090
Emergency Isolation Policy
# Apply this to immediately isolate a compromised namespace
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: emergency-isolate-NAMESPACE
spec:
order: 1
selector: "projectcalico.org/namespace == 'NAMESPACE'"
types:
- Ingress
- Egress
ingress:
- action: Deny
egress:
- action: Deny
Review Schedule
| Review Type | Frequency | Owner |
|---|---|---|
| Policy audit | Monthly | Security Team |
| Traffic flow validation | After each deployment | DevOps |
| Compliance check | Quarterly | GRC Team |
| Emergency drill | Semi-annually | Security + SRE |