From 2c538a1cf94d89178ececa3aa4ca82657e8c3c82 Mon Sep 17 00:00:00 2001
From: ION606
Date: Sat, 13 Sep 2025 21:15:35 -0400
Subject: [PATCH] why

---
 manifests/policy/allow-common-egress.yaml | 26 +++++++++++++++++++++++
 manifests/policy/allow-https-egress.yaml | 20 +++++++++++++++++
 manifests/policy/kustomization.yaml | 3 ++-
 3 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 manifests/policy/allow-common-egress.yaml
 create mode 100644 manifests/policy/allow-https-egress.yaml

diff --git a/manifests/policy/allow-common-egress.yaml b/manifests/policy/allow-common-egress.yaml
new file mode 100644
index 0000000..6f27bd2
--- /dev/null
+++ b/manifests/policy/allow-common-egress.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-common-egress
+ namespace: ai
+spec:
+ podSelector: {}
+ policyTypes: ["Egress"]
+ egress:
+ # Allow DNS to kube-dns/CoreDNS in kube-system
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ ports:
+ - { protocol: UDP, port: 53 }
+ - { protocol: TCP, port: 53 }
+
+ # Allow PostgreSQL to services/pods in namespace ai on 5432
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ai
+ ports:
+ - { protocol: TCP, port: 5432 }
+
diff --git a/manifests/policy/allow-https-egress.yaml b/manifests/policy/allow-https-egress.yaml
new file mode 100644
index 0000000..db12dd6
--- /dev/null
+++ b/manifests/policy/allow-https-egress.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-https-egress
+ namespace: ai
+spec:
+ podSelector: {}
+ policyTypes: ["Egress"]
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ # exclude RFC1918/private ranges so this only permits Internet egress
+ except:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+ ports:
+ - { protocol: TCP, port: 443 }
+ - { protocol: TCP, port: 80 }
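Review bot: The PostgreSQL rule's `to` entry carries only a `namespaceSelector` for `ai`, so combined with `podSelector: {}` every pod in the namespace is allowed to reach every other pod in the namespace on 5432, not only the database; the comment "to services/pods in namespace ai" describes that literally, but the intent is presumably the database pods. Adding a `podSelector` inside the same `to` element (a `namespaceSelector` and `podSelector` in one element are ANDed) narrows it to the labelled pods, e.g. `podSelector: {matchLabels: {<db-pod-label>: <value>}}` with the real label substituted. The DNS rule likewise admits any pod in kube-system on 53; if the cluster's DNS pods carry the usual `k8s-app: kube-dns` label, the same narrowing applies there. Since `policyTypes` lists only Egress this manifest says nothing about ingress, which is fine only if the default-deny.yaml referenced by the kustomization covers both directions — I cannot see that file here.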
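Review bot: The `except` list under `ipBlock` excludes only the three RFC1918 ranges, so the link-local block that carries cloud instance-metadata endpoints (169.254.169.254, served on TCP 80) remains reachable from every pod in `ai` through the `0.0.0.0/0` rule; adding `- 169.254.0.0/16` to the list closes that, and `- 100.64.0.0/10` is worth adding if the cluster's pod or service CIDR lives in the CGNAT range rather than RFC1918 — check the cluster configuration. The file is named allow-https-egress but `ports` also opens TCP 80, so plaintext egress to the Internet is permitted; either drop the 80 entry or extend the comment to say why it is required. A comment above `except` such as `# must also cover link-local and any non-RFC1918 cluster CIDRs, not just RFC1918` would record the requirement for whoever extends the list later.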
diff --git a/manifests/policy/kustomization.yaml b/manifests/policy/kustomization.yaml
index fda5983..8488249 100644
--- a/manifests/policy/kustomization.yaml
+++ b/manifests/policy/kustomization.yaml
@@ -5,4 +5,5 @@ resources:
 - default-deny.yaml
 - allow-openwebui-ingress.yaml
 - allow-browser-ingress.yaml
-
+ - allow-common-egress.yaml
+ - allow-https-egress.yaml