fix(config): harden kubernetes workload defaults (#248)

- Add default-deny NetworkPolicies for traefik, registry, and operator
  namespaces with scoped allow rules; remove broad HTTP/HTTPS egress from
  runtime namespace policies and add scoped sentinel + registry egress
- Fix PSS labels: registry and mcp-sentinel namespaces use baseline enforce
  to accommodate hostPath/root-init exceptions; mcp-runtime uses restricted
- Harden Traefik with non-root unprivileged ports (8000/8443), read-only
  rootfs, seccomp RuntimeDefault, forwardedHeaders.insecure=false, and probes
- Harden registry deployment with seccomp, readOnlyRootFilesystem, drop ALL,
  and /tmp emptyDir volume
- Add resource defaults and TCP probes to desiredDeployment; ensure
  same-namespace ingress is always allowed in platform NetworkPolicies
- Disable trustForwardHeader on registry and sentinel forwardAuth middlewares

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Agent-Hellboy

config/ingress/base/kustomization.yaml

@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
   - traefik.yaml
   - dynamic-config.yaml
+  - networkpolicy.yaml

config/ingress/base/networkpolicy.yaml

@@ -0,0 +1,89 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: traefik-default-deny
+  namespace: traefik
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: traefik-allow-ingress
+  namespace: traefik
+spec:
+  podSelector:
+    matchLabels:
+      app: traefik
+  policyTypes:
+    - Ingress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 8000
+        - protocol: TCP
+          port: 8443
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: traefik-allow-egress
+  namespace: traefik
+spec:
+  podSelector:
+    matchLabels:
+      app: traefik
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: registry
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: mcp-sentinel
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: mcp-servers
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: mcp-servers-org
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: mcp-servers-public
+        - namespaceSelector:
+            matchLabels:
+              platform.mcpruntime.org/managed: "true"
+      ports:
+        - protocol: TCP
+          port: 80
+        - protocol: TCP
+          port: 3000
+        - protocol: TCP
+          port: 5000
+        - protocol: TCP
+          port: 8080
+        - protocol: TCP
+          port: 8081
+        - protocol: TCP
+          port: 8082
+    # Traefik watches Ingress and TLS Secret objects through the Kubernetes API.
+    - ports:
+        - protocol: TCP
+          port: 443

config/ingress/base/traefik.yaml

@@ -2,16 +2,30 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: traefik
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/warn: restricted
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
   name: registry
+  labels:
+    # hostpath overlays use a root chown initContainer; keep that exception
+    # visible while enforcing the strongest compatible default.
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/warn: restricted
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
   name: mcp-sentinel
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/warn: restricted
 ---
 apiVersion: v1
 kind: Namespace
@@ -214,11 +228,11 @@ spec:
   ports:
     - name: web
       port: 80
-      targetPort: 80
+      targetPort: 8000
       protocol: TCP
     - name: websecure
       port: 443
-      targetPort: 443
+      targetPort: 8443
       protocol: TCP
   selector:
     app: traefik
@@ -239,34 +253,40 @@ spec:
         app: traefik
     spec:
       serviceAccountName: traefik
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: traefik
         image: traefik:v2.10
         securityContext:
           allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: false
+          readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 65534
           capabilities:
             drop:
               - ALL
-            add:
-              - NET_BIND_SERVICE
         args:
           - --providers.kubernetesingress=true
           - --providers.kubernetesingress.namespaces=registry,mcp-sentinel,mcp-servers,mcp-servers-org,mcp-servers-public
-          - --entrypoints.web.address=:80
+          - --entrypoints.web.address=:8000
+          - --entrypoints.web.forwardedHeaders.insecure=false
           - --entrypoints.web.http.redirections.entryPoint.to=websecure
           - --entrypoints.web.http.redirections.entryPoint.scheme=https
-          - --entrypoints.websecure.address=:443
+          - --entrypoints.websecure.address=:8443
+          - --entrypoints.websecure.forwardedHeaders.insecure=false
           - --entrypoints.websecure.http.tls=true
+          - --entrypoints.traefik.address=:8080
+          - --ping=true
+          - --ping.entryPoint=traefik
           - --providers.file.filename=/etc/traefik/dynamic/dynamic.yml
           - --providers.file.watch=true
         ports:
           - name: web
-            containerPort: 80
+            containerPort: 8000
           - name: websecure
-            containerPort: 443
+            containerPort: 8443
           - name: admin
             containerPort: 8080
         volumeMounts:
@@ -280,6 +300,18 @@ spec:
           limits:
             cpu: 500m
             memory: 256Mi
+        readinessProbe:
+          httpGet:
+            path: /ping
+            port: admin
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        livenessProbe:
+          httpGet:
+            path: /ping
+            port: admin
+          initialDelaySeconds: 15
+          periodSeconds: 20
       volumes:
         - name: traefik-dynamic
           configMap:

config/ingress/overlays/http/deployment-args.patch.yaml

@@ -4,7 +4,12 @@
     - --providers.kubernetesingress=true
     - --providers.kubernetesingress.namespaces=registry,mcp-sentinel,mcp-servers,mcp-servers-org,mcp-servers-public
     - --entrypoints.web.address=:8000
+    - --entrypoints.web.forwardedHeaders.insecure=false
     - --entrypoints.websecure.address=:8443
+    - --entrypoints.websecure.forwardedHeaders.insecure=false
+    - --entrypoints.traefik.address=:8080
+    - --ping=true
+    - --ping.entryPoint=traefik
     - --providers.file.filename=/etc/traefik/dynamic/dynamic.yml
     - --providers.file.watch=true
 - op: replace

config/ingress/overlays/prod/traefik-no-redirect.yaml

@@ -1,5 +1,5 @@
-# Traefik base enables HTTP to HTTPS on :80, which breaks HTTP-01 ACME challenges
-# (Let's Encrypt). Use plain HTTP on :80; HTTPS on :443 remains.
+# Traefik base enables HTTP to HTTPS, which breaks HTTP-01 ACME challenges
+# (Let's Encrypt). Use plain HTTP; HTTPS remains on the secure entrypoint.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -13,8 +13,9 @@ spec:
           args:
             - --providers.kubernetesingress=true
             - --providers.kubernetesingress.namespaces=registry,mcp-sentinel,mcp-servers,mcp-servers-org,mcp-servers-public
-            - --entrypoints.web.address=:80
-            - --entrypoints.websecure.address=:443
+            - --entrypoints.web.address=:8000
+            - --entrypoints.websecure.address=:8443
             - --entrypoints.websecure.http.tls=true
+            - --ping=true
             - --providers.file.filename=/etc/traefik/dynamic/dynamic.yml
             - --providers.file.watch=true

config/manager/kustomization.yaml

@@ -1,3 +1,4 @@
 resources:
   - manager.yaml
+  - networkpolicy.yaml
   - pdb.yaml

config/manager/manager.yaml

@@ -2,6 +2,10 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: mcp-runtime
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/warn: restricted
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -19,6 +23,7 @@ spec:
         control-plane: controller-manager
     spec:
       serviceAccountName: mcp-runtime-operator-controller-manager
+      automountServiceAccountToken: true
       securityContext:
         runAsNonRoot: true
         seccompProfile:

config/manager/networkpolicy.yaml

@@ -0,0 +1,46 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: mcp-runtime-default-deny
+  namespace: mcp-runtime
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: mcp-runtime-allow-egress
+  namespace: mcp-runtime
+spec:
+  podSelector:
+    matchLabels:
+      control-plane: controller-manager
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53
+    # The operator reconciles cluster resources through the Kubernetes API.
+    - ports:
+        - protocol: TCP
+          port: 443
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: registry
+      ports:
+        - protocol: TCP
+          port: 5000

config/registry/base/deployment.yaml

@@ -20,6 +20,8 @@ spec:
         runAsUser: 1000
         runAsGroup: 1000
         fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: registry
         image: registry:2.8.3
@@ -30,7 +32,10 @@ spec:
         securityContext:
           allowPrivilegeEscalation: false
           runAsNonRoot: true
-          readOnlyRootFilesystem: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+            - ALL
         env:
         - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
           value: /var/lib/registry
@@ -39,6 +44,8 @@ spec:
         volumeMounts:
         - name: registry-storage
           mountPath: /var/lib/registry
+        - name: tmp
+          mountPath: /tmp
         resources:
           requests:
             cpu: 100m
@@ -62,3 +69,5 @@ spec:
       - name: registry-storage
         persistentVolumeClaim:
           claimName: registry-storage
+      - name: tmp
+        emptyDir: {}

config/registry/base/kustomization.yaml

@@ -6,4 +6,5 @@ resources:
 - deployment.yaml
 - service.yaml
 - ingress.yaml
+- networkpolicy.yaml
 - pdb.yaml