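---
# NetworkPolicy for the llm-gateway pods: default-deny in both directions for
# the selected pods, with explicit allow rules for the ingress controller,
# metrics scraping, DNS, Redis, the upstream LLM provider APIs and trace export.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: llm-gateway
  namespace: llm-gateway
  labels:
    app: llm-gateway
spec:
  # Only pods carrying app=llm-gateway are governed by this policy; other pods
  # in the namespace are unaffected.
  podSelector:
    matchLabels:
      app: llm-gateway

  # Declaring both types makes the policy default-deny for the selected pods:
  # anything not listed under ingress/egress below is dropped.
  policyTypes:
    - Ingress
    - Egress

  ingress:
    # Allow traffic from the ingress controller namespace.
    # NOTE(review): the match is on a hand-applied `name` label, so any
    # namespace that is given that label is let in. The Kubernetes-managed,
    # immutable `kubernetes.io/metadata.name` label is the safer key where the
    # cluster version provides it; a podSelector for the controller pods would
    # narrow this further if their labels are known.
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080

    # Allow traffic from any pod in this namespace (for debugging/testing).
    # NOTE(review): `podSelector: {}` is an unrestricted in-namespace allow;
    # remove it, or scope it to a dedicated label, before this policy is
    # relied on in production.
    - from:
        - podSelector: {}
      ports:
        - protocol: TCP
          port: 8080

    # Allow Prometheus scraping. A namespaceSelector and podSelector in the
    # same `from` entry are ANDed, so only app=prometheus pods in the
    # observability namespace match.
    - from:
        - namespaceSelector:
            matchLabels:
              name: observability
          podSelector:
            matchLabels:
              app: prometheus
      ports:
        - protocol: TCP
          port: 8080

  egress:
    # Allow DNS to kube-dns in any namespace. TCP/53 is allowed alongside
    # UDP/53: resolvers retry over TCP when a response is truncated, and
    # those lookups fail if only UDP is open.
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53

    # Allow Redis access (app=redis pods in this namespace).
    - to:
        - podSelector:
            matchLabels:
              app: redis
      ports:
        - protocol: TCP
          port: 6379

    # Allow external provider API access (OpenAI, Anthropic, Google).
    # A namespaceSelector can only ever match in-cluster pods, so the earlier
    # `namespaceSelector: {}` form granted TCP/443 to every pod in the cluster
    # and never permitted the external endpoints it was written for. ipBlock is
    # the only selector that reaches outside the cluster. The `except` list
    # keeps this from being a blanket allow to private networks and to the
    # link-local range that hosts the cloud metadata service (169.254.169.254).
    # NOTE(review): confirm the cluster's pod and service CIDRs fall inside the
    # excepted ranges (add them if they do not); add `::/0` with matching
    # exceptions on a dual-stack cluster; if the gateway legitimately needs an
    # in-cluster HTTPS endpoint (e.g. the API server), add an explicit rule for
    # it. Destinations cannot be pinned by hostname here — prefer provider
    # CIDRs or an egress proxy if either is available.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
              - 169.254.0.0/16
      ports:
        - protocol: TCP
          port: 443

    # Allow OTLP trace export to Tempo in the observability namespace
    # (4317 is the conventional OTLP/gRPC port).
    - to:
        - namespaceSelector:
            matchLabels:
              name: observability
          podSelector:
            matchLabels:
              app: tempo
      ports:
        - protocol: TCP
          port: 4317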