139b81f
Fixing db network policy bug, adding new qtodo egress network policie…
Apr 9, 2026
0e270ec
cleaning all changes
Apr 10, 2026
e3d7b40
db network policy file change
Apr 10, 2026
e460c98
feat: add qtodo egress NetworkPolicy (port-restricted, no default-deny)
Apr 10, 2026
eb893da
fixing the namespace name
Apr 10, 2026
df49c66
changing the ingress policy, to allow qtodo correct network communica…
Apr 10, 2026
41b8407
NP tweaks
Apr 10, 2026
95968d2
removing egress qtodo network policies due to problems with OVN-K and…
Apr 10, 2026
ddf1f4f
Merge branch 'main' of github.com:validatedpatterns/layered-zero-trus…
Apr 21, 2026
6e845a9
sync with PR#125
Apr 22, 2026
53cfef9
Pushing correct, fully covered network polices, with correct DNS port…
Apr 22, 2026
edc5e46
openshift-ingress labels update, because policy-group.network.openshi…
Apr 22, 2026
a545391
changing the namespaceSelector: for Keycloak, because here Keycloak a…
Apr 22, 2026
bed618b
Adding default deny policy
Apr 22, 2026
b495244
Merge branch 'validatedpatterns:main' into network-policy
p-rog Apr 29, 2026
8706879
Testing Vault ingress/egress network policies
Apr 30, 2026
ad649cf
Testing Vault network policies
Apr 30, 2026
33d9f5b
adding Vault network policies
p-rog May 7, 2026
d05932d
Merge branch 'validatedpatterns:main' into network-policy
p-rog May 12, 2026
054629a
Enabling keyclok network policies
p-rog May 13, 2026
c842e9b
Merge branch 'validatedpatterns:main' into network-policy
p-rog May 15, 2026
d673207
adding realmImport NP
p-rog May 15, 2026
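--- a/overrides/values-keycloak-network-policy.yaml
+++ b/overrides/values-keycloak-network-policy.yaml
@@ -0,0 +1,153 @@
+defaultDenyNetworkPolicy:
+enabled: true
+
+networkPolicy:
+keycloak:
+enabled: true
+egress:
+# DNS resolution via CoreDNS — OCP uses port 5353
+- ports:
+- protocol: UDP
+port: 5353
+- protocol: TCP
+port: 5353
+to:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: openshift-dns
+# PostgreSQL backend database
+- ports:
+- protocol: TCP
+port: 5432
+to:
+- podSelector:
+matchLabels:
+app: postgresql-db
+# JGroups cluster discovery and failure detection (multi-instance clustering)
+- ports:
+- protocol: TCP
+port: 7800
+- protocol: TCP
+port: 57800
+to:
+- podSelector:
+matchLabels:
+app: keycloak
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: keycloak-operator
+# Kubernetes API server — JDBC_PING discovery reads endpoints
+# Endpoints are node IPs after DNAT, port-only rule required
+- ports:
+- protocol: TCP
+port: 6443
+# SPIRE OIDC discovery provider — Keycloak fetches JWKS for federated
+# client auth (spiffe feature). Traffic goes via the OCP router external
+# IP, port-only rule required
+- ports:
+- protocol: TCP
+port: 443
+
+realmImport:
+enabled: true
+podSelector:
+app: keycloak-realm-import
+egress:
+# DNS resolution via CoreDNS
+- ports:
+- protocol: UDP
+port: 5353
+- protocol: TCP
+port: 5353
+to:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: openshift-dns
+# PostgreSQL — realm import writes realm data to the database
+- ports:
+- protocol: TCP
+port: 5432
+to:
+- podSelector:
+matchLabels:
+app: postgresql-db
+# Kubernetes API server — reads secrets referenced in KeycloakRealmImport CR
+- ports:
+- protocol: TCP
+port: 6443
+# Keycloak HTTPS API — admin API calls during realm import
+- ports:
+- protocol: TCP
+port: 8443
+to:
+- podSelector:
+matchLabels:
+app: keycloak
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: keycloak-operator
+
+postgresql:
+enabled: true
+ingress:
+# Accept connections from Keycloak pods and realm import jobs
+- ports:
+- protocol: TCP
+port: 5432
+from:
+- podSelector:
+matchLabels:
+app: keycloak
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: keycloak-operator
+- podSelector:
+matchLabels:
+app: keycloak-realm-import
+egress:
+# DNS resolution via CoreDNS
+- ports:
+- protocol: UDP
+port: 5353
+- protocol: TCP
+port: 5353
+to:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: openshift-dns
+
+operator:
+enabled: true
+# No ingress rules — operator only initiates outbound connections
+egress:
+# DNS resolution via CoreDNS
+- ports:
+- protocol: UDP
+port: 5353
+- protocol: TCP
+port: 5353
+to:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: openshift-dns
+# Kubernetes API server — operator watches CRs and manages resources
+- ports:
+- protocol: TCP
+port: 6443
+# Keycloak management endpoint — health checks and reconciliation
+- ports:
+- protocol: TCP
+port: 9000
+to:
+- podSelector:
+matchLabels:
+app: keycloak
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: keycloak-operator
+# Keycloak HTTPS API — admin API calls during realm/client reconciliation
+- ports:
+- protocol: TCP
+port: 8443
+to:
+- podSelector:
+matchLabels:
+app: keycloak
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: keycloak-operator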
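Review bot: The TCP 443 rule at the end of `networkPolicy.keycloak.egress` has no `to:` selector, so even with `defaultDenyNetworkPolicy.enabled: true` the Keycloak pods can still open HTTPS connections to any reachable address, not only the SPIRE OIDC discovery endpoint the comment names; the same port-only shape is used for 6443 in the `keycloak`, `realmImport` and `operator` rules. If the router's external IP or the cluster's machine network CIDR is known at deploy time, adding `to:` / `- ipBlock:` / `cidr: <machine-network-cidr>` to that rule keeps the hairpin path described in the comment working while excluding arbitrary internet egress; if it cannot be pinned, the comment should state plainly that any-destination HTTPS egress is an accepted residual risk rather than only explaining why the selector is absent. These values define egress only for `keycloak` and `operator`, so the ingress counterparts that default-deny now requires — router to Keycloak 8443, Keycloak-to-Keycloak 7800/57800 for JGroups, operator to 9000/8443 — are presumably rendered by the chart's own defaults and are not visible here; that should be confirmed before shipping the default-deny flag. The `operator` comment "only initiates outbound connections" is also worth verifying against the operator's metrics or webhook ports, if it exposes any.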
2 changes: 2 additions & 0 deletions values-hub.yaml
Expand Up @@ -491,6 +491,8 @@ clusterGroup:
project: hub
chart: rhbk
chartVersion: 0.0.*
extraValueFiles:
- /overrides/values-keycloak-network-policy.yaml
annotations:
argocd.argoproj.io/sync-wave: "35"
# SPIFFE Identity Provider is enabled by default in the chart.