firefly-iii: Add network policy

This network policy blocks all outbound communication except to the
designated internal services.  This will help prevent any data
exfiltration in the unlikely event the Firefly were to be compromised.

firefly-iii/kustomization.yaml

@@ -16,6 +16,7 @@ resources:
 - importer.yaml
 - importer-ingress.yaml
 - ../dch-root-ca
+- network-policy.yaml
 
 configMapGenerator:
 - name: firefly-iii

firefly-iii/network-policy.yaml

@@ -0,0 +1,61 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: firefly-iii
+  labels:
+    app.kubernetes.io/name: firefly-iii
+    app.kubernetes.io/component: firefly-iii
+spec:
+  egress:
+  # Allow access to other components of the Firefly III ecosystem
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: firefly-iii
+  # Allow access Kubernetes cluster DNS
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+      podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+    ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
+  # Allow access to the PostgreSQL database server
+  - to:
+    - ipBlock:
+        cidr: 172.30.0.0/26
+    ports:
+    - port: 5432
+      protocol: TCP
+  # Allow access to SMTP on mail.pyrocufflink.blue
+  - to:
+    - ipBlock:
+        cidr: 172.30.0.12/32
+    ports:
+    - port: 25
+  # Allow access dch-webhooks
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: default
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: dch-webhooks
+  # Allow access ntfy
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: ntfy
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: ntfy
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: firefly-iii
+  policyTypes:
+  - Egress