From 33ee59cb90ca6202563ec1acd384d3077e758480 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 19 Oct 2025 15:46:49 -0500
Subject: [PATCH] firefly-iii: Add network policy

This network policy blocks all outbound communication except to the designated internal services. This will help prevent any data exfiltration in the unlikely event the Firefly were to be compromised.
---
 firefly-iii/kustomization.yaml  |  1 +
 firefly-iii/network-policy.yaml | 61 +++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 firefly-iii/network-policy.yaml

diff --git a/firefly-iii/kustomization.yaml b/firefly-iii/kustomization.yaml
index 969c80b..17c6868 100644
--- a/firefly-iii/kustomization.yaml
+++ b/firefly-iii/kustomization.yaml
@@ -16,6 +16,7 @@ resources:
 - importer.yaml
 - importer-ingress.yaml
 - ../dch-root-ca
+- network-policy.yaml
 configMapGenerator:
 - name: firefly-iii
diff --git a/firefly-iii/network-policy.yaml b/firefly-iii/network-policy.yaml
new file mode 100644
index 0000000..172a65d
--- /dev/null
+++ b/firefly-iii/network-policy.yaml
@@ -0,0 +1,61 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: firefly-iii
+  labels:
+    app.kubernetes.io/name: firefly-iii
+    app.kubernetes.io/component: firefly-iii
+spec:
+  egress:
+  # Allow access to other components of the Firefly III ecosystem
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: firefly-iii
+  # Allow access Kubernetes cluster DNS
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+      podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+    ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
+  # Allow access to the PostgreSQL database server
+  - to:
+    - ipBlock:
+        cidr: 172.30.0.0/26
+    ports:
+    - port: 5432
+      protocol: TCP
+  # Allow access to SMTP on mail.pyrocufflink.blue
+  - to:
+    - ipBlock:
+        cidr: 172.30.0.12/32
+    ports:
+    - port: 25
+  # Allow access dch-webhooks
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: default
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: dch-webhooks
+  # Allow access ntfy
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: ntfy
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: ntfy
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: firefly-iii
+  policyTypes:
+  - Egress
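Review bot: The PostgreSQL egress rule is wider than its comment describes: `cidr: 172.30.0.0/26` admits 64 addresses on port 5432, whereas the SMTP rule just below pins a single host with a `/32`; if the database server has a fixed address, the rule should name it (`cidr: <db-server-ip>/32`) so a compromised pod cannot reach other hosts in that subnet on 5432. The policy's `podSelector` matches only `app.kubernetes.io/component: firefly-iii`, yet the kustomization in this same patch also ships `importer.yaml`; if the importer pods carry a different component label they are not selected and keep unrestricted egress, which contradicts the commit message's "blocks all outbound communication" — confirm that is intended or add a second policy covering them. Minor consistency point: the SMTP rule's `- port: 25` omits `protocol: TCP` while every other ports entry states it; the API defaults to TCP, but writing `protocol: TCP` there makes the intent explicit and keeps the rules uniform. Note also that `ipBlock` rules apply only to traffic leaving the cluster; if either address were ever served by a cluster Service, a namespace/pod selector would be needed instead.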