container lifecycle management

2026-03-12 15:13:38 -04:00
parent e99ef5d2dd
commit b9cc397e05
61 changed files with 6880 additions and 31 deletions
--- a/deploy/k8s/base/network-policies.yaml
+++ b/deploy/k8s/base/network-policies.yaml
@@ -0,0 +1,121 @@
+# Network policies for agent isolation
+# Agents can only communicate with specific services, not with each other
+# or with the Kubernetes API
+---
+# Default deny all ingress and egress in agents namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: dexorder-agents
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+---
+# Allow agents to receive connections from gateway (MCP)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-gateway-ingress
+  namespace: dexorder-agents
+spec:
+  podSelector:
+    matchLabels:
+      dexorder.io/component: agent
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              dexorder.io/type: system
+          podSelector:
+            matchLabels:
+              app: gateway
+      ports:
+        - protocol: TCP
+          port: 3000  # MCP server port
+        - protocol: TCP
+          port: 5555  # ZeroMQ control channel
+---
+# Allow agents to connect to required services
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-agent-egress
+  namespace: dexorder-agents
+spec:
+  podSelector:
+    matchLabels:
+      dexorder.io/component: agent
+  policyTypes:
+    - Egress
+  egress:
+    # DNS resolution (required)
+    - to:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53
+    # Gateway in system namespace (for callbacks)
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              dexorder.io/type: system
+          podSelector:
+            matchLabels:
+              app: gateway
+      ports:
+        - protocol: TCP
+          port: 8080
+    # Kafka/Redpanda for data subscriptions
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              dexorder.io/type: system
+          podSelector:
+            matchLabels:
+              app: redpanda
+      ports:
+        - protocol: TCP
+          port: 9092
+    # External HTTPS (for exchange APIs, LLM APIs)
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+            except:
+              # Block access to k8s API server (common ranges)
+              - 10.0.0.0/8
+              - 172.16.0.0/12
+              - 192.168.0.0/16
+      ports:
+        - protocol: TCP
+          port: 443
+---
+# System namespace: allow ingress from agents
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-agent-callbacks
+  namespace: dexorder-system
+spec:
+  podSelector:
+    matchLabels:
+      app: gateway
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              dexorder.io/type: agents
+      ports:
+        - protocol: TCP
+          port: 8080