feat: add NetworkPolicy for cert-manager and ingress-nginx

Default-deny + selective allow policies:
- cert-manager: DNS, K8s API, ACME HTTPS, webhook ingress, Prometheus scrape
- ingress-nginx: DNS, K8s API, external HTTP/HTTPS, backend forwarding

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/infra-network-policies/cert-manager.yaml

@@ -0,0 +1,114 @@
+# cert-manager NetworkPolicies
+# Default deny + selective allow for cert-manager namespace
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: cert-manager
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+---
+# Allow DNS egress (all cert-manager pods need DNS)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-dns-egress
+  namespace: cert-manager
+spec:
+  podSelector: {}
+  policyTypes:
+    - Egress
+  egress:
+    - ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+---
+# cert-manager controller: needs K8s API + ACME (Let's Encrypt) HTTPS
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-cert-manager-controller
+  namespace: cert-manager
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: cert-manager
+  policyTypes:
+    - Egress
+  egress:
+    # K8s API server
+    - ports:
+        - port: 6443
+          protocol: TCP
+    # ACME HTTP-01 / Let's Encrypt API (HTTPS)
+    - ports:
+        - port: 443
+          protocol: TCP
+---
+# cert-manager webhook: receives admission requests from K8s API
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-cert-manager-webhook
+  namespace: cert-manager
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: webhook
+      app.kubernetes.io/instance: cert-manager
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    # K8s API server calls webhook on port 443
+    - ports:
+        - port: 10250
+          protocol: TCP
+        - port: 443
+          protocol: TCP
+  egress:
+    # K8s API server
+    - ports:
+        - port: 6443
+          protocol: TCP
+---
+# cert-manager cainjector: needs K8s API only
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-cert-manager-cainjector
+  namespace: cert-manager
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: cainjector
+      app.kubernetes.io/instance: cert-manager
+  policyTypes:
+    - Egress
+  egress:
+    # K8s API server
+    - ports:
+        - port: 6443
+          protocol: TCP
+---
+# Allow Prometheus scraping (port 9402)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-prometheus-scrape
+  namespace: cert-manager
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+  ingress:
+    - ports:
+        - port: 9402
+          protocol: TCP

apps/infra-network-policies/ingress-nginx.yaml

@@ -0,0 +1,75 @@
+# ingress-nginx NetworkPolicies
+# Default deny + selective allow for ingress-nginx namespace
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: ingress-nginx
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+---
+# Allow DNS egress
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-dns-egress
+  namespace: ingress-nginx
+spec:
+  podSelector: {}
+  policyTypes:
+    - Egress
+  egress:
+    - ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+---
+# ingress-nginx controller: accepts external HTTP/HTTPS, forwards to backend pods
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-controller
+  namespace: ingress-nginx
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: nginx-ingress
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    # External traffic via NodePort (HTTP/HTTPS)
+    - ports:
+        - port: 80
+          protocol: TCP
+        - port: 443
+          protocol: TCP
+    # Admission webhook from K8s API
+    - ports:
+        - port: 8443
+          protocol: TCP
+  egress:
+    # Forward to backend pods in any namespace (HTTP/HTTPS)
+    - ports:
+        - port: 80
+          protocol: TCP
+        - port: 443
+          protocol: TCP
+        - port: 8080
+          protocol: TCP
+        - port: 8443
+          protocol: TCP
+    # K8s API server (for Ingress resource watching)
+    - ports:
+        - port: 6443
+          protocol: TCP
+    # OCSP / cert validation
+    - ports:
+        - port: 80
+          protocol: TCP

argocd-apps/infra-network-policies.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infra-network-policies
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: http://10.10.10.1:3000/claude/k8s-apps.git
+    targetRevision: main
+    path: apps/infra-network-policies
+  destination:
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=false