# Network policies for sandbox isolation # Sandboxes can only communicate with specific services, not with each other # or with the Kubernetes API --- # Default deny all ingress and egress in sandbox namespace apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-all namespace: sandbox spec: podSelector: {} policyTypes: - Ingress - Egress --- # Allow sandboxes to receive connections from gateway (MCP) apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-gateway-ingress namespace: sandbox spec: podSelector: matchLabels: dexorder.io/component: sandbox policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: app: gateway ports: - protocol: TCP port: 3000 # MCP server port - protocol: TCP port: 5555 # ZeroMQ control channel --- # Allow sandboxes to connect to required services apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-sandbox-egress namespace: sandbox spec: podSelector: matchLabels: dexorder.io/component: sandbox policyTypes: - Egress egress: # DNS resolution (required) - to: - namespaceSelector: {} podSelector: matchLabels: k8s-app: kube-dns ports: - protocol: UDP port: 53 - protocol: TCP port: 53 # Gateway (for callbacks) - to: - podSelector: matchLabels: app: gateway ports: - protocol: TCP port: 3000 - protocol: TCP port: 5571 # External HTTPS (for exchange APIs, LLM APIs) - to: - ipBlock: cidr: 0.0.0.0/0 except: # Block access to k8s API server (common ranges) - 10.0.0.0/8 - 172.16.0.0/12 - 192.168.0.0/16 ports: - protocol: TCP port: 443 --- # Allow ingress from sandboxes to gateway (no explicit namespace = context default) # In dev: applies to 'default' namespace. In prod: applies to 'ai' namespace. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-sandbox-callbacks spec: podSelector: matchLabels: app: gateway policyTypes: - Ingress ingress: - from: - namespaceSelector: matchLabels: dexorder.io/type: sandboxes ports: - protocol: TCP port: 3000 - protocol: TCP port: 5571