security(wave1): W1.7 analysis snapshot — observation data → allowlist plan

First analysis pass over Calico GNP wave1-egress-observe-tier34 data captured in Loki since 2026-05-19. Pulled ~10000 flow log lines covering 36 source namespaces (of 82 selected by tier 3+4). Analysis script outputs preserved on the dev host at /tmp/{analyze_flows2,build_allowlist}.py. ## Findings **Universal baseline (every observed ns):** - DNS to kube-system/kube-dns UDP/53 - Often mysql.dbaas TCP/3306 or pg.dbaas TCP/5432 - Often redis.redis TCP/6379 **Rollout tiering by egress fan-out:** - Tier A (recruiter-responder only): 2 destinations, ideal pilot - Tier B (29 namespaces): ≤3 external IPs, ≤5 internal — batch rollout - Tier C (4 namespaces: f1-stream/openclaw/woodpecker/status-page): needs per-IP investigation - Tier D (servarr): 130+ external IPs (BitTorrent P2P) — keep Log+Allow permanently or move to dedicated egress proxy ## Caveats blocking immediate enforce - Observation horizon too short: ~6h dense data, ~24h total. Need ≥7 days to catch weekly CronJobs, Vault token rotations, Keel pulls. - External IPs are dynamic (Cloudflare/AWS rotate). Static IP allowlists will break — need DNS-based selectors or CIDR ranges. - Some intra-namespace traffic bypasses the Calico filter chain. ## Recommended next steps 1. Continue observation through 2026-05-29 (full week). Compare destination set day-over-day; if stable, allowlist is ready. 2. First enforce: recruiter-responder (allowlist = kube-dns + telegram CIDR + vault/ESO service IPs). 3. Tier B phased rollout at 3-5 ns/day after pilot proves out. Full analysis: docs/architecture/wave1-egress-observation-2026-05-22.md Tracked under beads code-8ywc. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-22 15:22:25 +00:00 · 2026-05-22 15:22:25 +00:00 · 3962513036
commit 3962513036
parent 2d35d72a53
2 changed files with 142 additions and 1 deletions
--- a/docs/architecture/security.md
+++ b/docs/architecture/security.md
@ -181,7 +181,7 @@ Beads epic: `code-8ywc`. **Status: partially live as of 2026-05-18.**
 | W1.4 Kyverno security policies → Enforce | **LIVE** — 3 policies in Enforce mode with 35-namespace exclude list. |
 | W1.5 Kyverno trusted-registries → Enforce | **LIVE** — explicit allowlist (15 registries + 6 DockerHub library bare names + 56 DockerHub user repos). Verified by admission dry-run: `evilcorp.example/malware:v1` BLOCKED, `alpine:3.20` and `docker.io/library/alpine:3.20` ALLOWED. |
 | W1.6 Calico observe-phase (pilot: recruiter-responder) | **LIVE** (2026-05-19) — GlobalNetworkPolicy `wave1-egress-observe-recruiter-responder` with rules `[action:Log, action:Allow]`. FelixConfiguration.flowLogsFileEnabled approach abandoned (Calico Enterprise-only field, rejected by OSS v3.26). Log action emits iptables LOG with prefix `calico-packet: ` → kernel → journald → Alloy → Loki. Verified: `{job="node-journal"} \|~ "calico-packet"` returns real packet metadata (SRC/DST/PROTO). Expand to more namespaces by adding to `namespaceSelector`. |
-| W1.7 NetworkPolicy phased enforce | **PENDING** — needs ~1 week of W1.6 observation, then build empirical allowlist from Loki queries, flip GNP rules from `[Log, Allow]` to `[Allow specific dests, Deny rest]`. |
+| W1.7 NetworkPolicy phased enforce | **PARTIAL ANALYSIS** — first observation snapshot at `docs/architecture/wave1-egress-observation-2026-05-22.md` (36 source namespaces seen so far, 29 thin-profile candidates). Recommend continuing observation through 2026-05-29 (full week) before any enforce flip. Pilot enforce target: `recruiter-responder` (2 destinations only). `servarr` stays in Log+Allow indefinitely (BitTorrent P2P incompatible with static enforce). |

 The block below documents the locked design.