From 833e0b0e1709d9032e36137bbab5b41fda2b52a7 Mon Sep 17 00:00:00 2001 From: liberty-rising Date: Wed, 10 Jan 2024 17:52:49 +0100 Subject: [PATCH] create a network policy restricting access to backend, specify cors origin for backend --- backend/main.py | 15 +++++++++++ k8s/backend-network-policy.yaml | 44 +++++++++++++++++++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 k8s/backend-network-policy.yaml diff --git a/backend/main.py b/backend/main.py index 95451b3..f49165d 100644 --- a/backend/main.py +++ b/backend/main.py @@ -1,4 +1,5 @@ from fastapi import FastAPI +from fastapi.middleware.cors import CORSMiddleware from database.database_manager import DatabaseManager from models.base import Base @@ -11,6 +12,7 @@ from routes.organization_routes import organization_router from routes.table_routes import table_router from routes.user_routes import user_router +from settings import APP_ENV from startup import run_startup_routines from utils.utils import get_app_logger @@ -20,6 +22,19 @@ app = FastAPI() +if APP_ENV == "prod": + origins = ["https://docshow.ai"] +else: + origins = ["https://127.0.0.1"] + +app.add_middleware( + CORSMiddleware, + allow_origins=origins, + allow_credentials=True, + allow_methods=["*"], + allow_headers=["*"], +) + async def startup_event(): run_startup_routines() diff --git a/k8s/backend-network-policy.yaml b/k8s/backend-network-policy.yaml new file mode 100644 index 0000000..bfb4a4f --- /dev/null +++ b/k8s/backend-network-policy.yaml 
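Review bot: The `else` branch routes every `APP_ENV` value other than `"prod"` to `origins = ["https://127.0.0.1"]`, so a staging or test deployment would silently get a loopback-only allowlist instead of a configuration error; an explicit per-environment mapping (or an origin list read from `settings` next to `APP_ENV`) would make the intent visible and fail loudly on an unknown value. Browsers match `Origin` exactly on scheme, host and port, so a local frontend served over plain HTTP or on any port other than 443 will not match `https://127.0.0.1` — presumably the dev setup uses exactly that origin, but it is worth confirming. Because the commit pairs this with a NetworkPolicy, a comment above `app.add_middleware(` would help keep the two controls apart: `# CORS governs which browser origins may read responses; it is not an access control — non-browser clients are unaffected.` `allow_credentials=True` is compatible with the explicit allowlist used here; the wildcard `allow_methods`/`allow_headers` could be narrowed to what the routers actually accept, though that is a tightening rather than a defect.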
@@ -0,0 +1,44 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: backend-network-policy
+spec:
+ podSelector:
+ matchLabels:
+ app: backend
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ # Allow traffic from the Ingress controller namespace
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+ # # Also allow traffic from frontend pods (if needed)
+ # - podSelector:
+ # matchLabels:
+ # app: frontend
+ - ports:
+ - protocol: TCP
+ port: 8000
+ egress:
+ - to:
+ # Allow access to DNS service
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ ports:
+ - protocol: UDP
+ port: 53
+ - protocol: TCP
+ port: 53
+ - to:
+ # Allow specific egress to PostgreSQL database (consider specifying a specific CIDR if possible)
+ - ipBlock:
+ cidr: 0.0.0.0/0 # Update this if a more specific CIDR block can be used
+ ports:
+ - protocol: TCP
+ port: 80 # For outbound web traffic
+ - protocol: TCP
+ port: 25060 # For PostgreSQL database
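Review bot: In the `ingress` block, `- ports:` starts a new list item, so the TCP 8000 restriction is not attached to the `from: namespaceSelector` rule: read as a second ingress rule it admits any source on port 8000 while the first rule admits the ingress-nginx namespace on every port, and read as an entry of the `from` peer list it is not a valid field and the manifest would be rejected. The two egress rules below write `ports:` at rule level without a dash, which is the shape intended here; change `- ports:` to `ports:` indented to align with `from:` so the selector and the port form one rule. Separately, the `ipBlock` egress with `cidr: 0.0.0.0/0` on TCP 80 lets the pod reach any plain-HTTP endpoint on the internet, not only the database; if PostgreSQL on 25060 is the only external dependency, drop port 80 or narrow the CIDR as the inline comment already suggests. Egress to TCP 443 is not allowed, so any HTTPS call the backend makes will be blocked — presumably intended, but worth confirming.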