From 63ff6c4f00cd46a2b39f281f0d480f7f66b16ec6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Untersch=C3=BCtz?=
Date: Sun, 25 Jan 2026 14:23:18 +0100
Subject: [PATCH] add Cilium network policies for enhanced traffic control between services and include in deployment workflow

---
 .github/workflows/deploy.yaml | 1 +
 k8s/cilium-netpol.yaml | 133 ++++++++++++++++++++++++++++++++++
 pkg/physics/physics.go | 3 +-
 3 files changed, 135 insertions(+), 2 deletions(-)
 create mode 100644 k8s/cilium-netpol.yaml

diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 60c3f41..b91c0c7 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -107,6 +107,7 @@ jobs:
 kubectl apply -f k8s/nats.yaml -n ${{ env.TARGET_NS }}
 kubectl apply -f k8s/redis.yaml -n ${{ env.TARGET_NS }}
 kubectl apply -f k8s/app.yaml -n ${{ env.TARGET_NS }}
+ kubectl apply -f k8s/cilium-netpol.yaml -n ${{ env.TARGET_NS }}
 kubectl apply -f k8s/ingress.yaml -n ${{ env.TARGET_NS }}
 
 # HPA (Autoscaling) nur für Main/Master Branch aktivieren
diff --git a/k8s/cilium-netpol.yaml b/k8s/cilium-netpol.yaml
new file mode 100644
index 0000000..379ccea
--- /dev/null
+++ b/k8s/cilium-netpol.yaml
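Review bot: The added `kubectl apply -f k8s/cilium-netpol.yaml -n ${{ env.TARGET_NS }}` will be rejected whenever TARGET_NS is not `default`, because every policy in that file carries `namespace: default` in its metadata and kubectl refuses to apply an object whose metadata namespace differs from the `-n` flag. The effect is that the default-deny and the allow rules either fail the deploy step or, if TARGET_NS happens to be `default`, land only there while the other manifests in this `run:` block follow `-n`. I would drop the `namespace: default` lines from all four policies so the namespace is governed by `-n` exactly like `nats.yaml`, `redis.yaml` and `app.yaml` above it. The enclosing `run:` block continues outside the hunk.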
@@ -0,0 +1,133 @@
+# Default Deny Policy - blocks all traffic unless explicitly allowed
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: default-deny-all
+ namespace: default
+spec:
+ endpointSelector: {}
+ ingress:
+ - {}
+ egress:
+ - {}
+---
+# Escape Game App Network Policy
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: escape-game-netpol
+ namespace: default
+spec:
+ endpointSelector:
+ matchLabels:
+ app: escape-game
+ ingress:
+ # Allow HTTP traffic from anywhere (for user access)
+ - fromEndpoints:
+ - {}
+ toPorts:
+ - ports:
+ - port: "8080"
+ protocol: TCP
+ egress:
+ # Allow DNS
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ # Allow connection to Redis
+ - toEndpoints:
+ - matchLabels:
+ app: redis
+ toPorts:
+ - ports:
+ - port: "6379"
+ protocol: TCP
+ # Allow connection to NATS
+ - toEndpoints:
+ - matchLabels:
+ app: nats
+ toPorts:
+ - ports:
+ - port: "4222"
+ protocol: TCP
+---
+# Redis Network Policy
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: redis-netpol
+ namespace: default
+spec:
+ endpointSelector:
+ matchLabels:
+ app: redis
+ ingress:
+ # Only allow connections from escape-game app
+ - fromEndpoints:
+ - matchLabels:
+ app: escape-game
+ toPorts:
+ - ports:
+ - port: "6379"
+ protocol: TCP
+ egress:
+ # Allow DNS
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+---
+# NATS Network Policy
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: nats-netpol
+ namespace: default
+spec:
+ endpointSelector:
+ matchLabels:
+ app: nats
+ ingress:
+ # Allow client connections from escape-game app
+ - fromEndpoints:
+ - matchLabels:
+ app: escape-game
+ toPorts:
+ - ports:
+ - port: "4222"
+ protocol: TCP
+ # Allow cluster traffic between NATS pods
+ - fromEndpoints:
+ - matchLabels:
+ app: nats
+ toPorts:
+ - ports:
+ - port: "6222"
+ protocol: TCP
+ egress:
+ # Allow DNS
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ # Allow cluster communication to other NATS pods
+ - toEndpoints:
+ - matchLabels:
+ app: nats
+ toPorts:
+ - ports:
+ - port: "6222"
+ protocol: TCP
diff --git a/pkg/physics/physics.go b/pkg/physics/physics.go
index 9579de0..1c3a08e 100644
--- a/pkg/physics/physics.go
+++ b/pkg/physics/physics.go
@@ -51,8 +51,7 @@ func DefaultPlayerConstants() PlayerConstants {
 }
 }
 
-// ApplyPhysics wendet einen Physik-Tick auf den Spieler an
-// Diese Funktion wird 1:1 von Server und Client verwendet
+// ApplyPhysics wendet einen Physik-Tick
 func ApplyPhysics(
 state *PlayerPhysicsState,
 input PhysicsInput,
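Review bot: The escape-game ingress rule `fromEndpoints: - {}` does not admit traffic "from anywhere" as its comment claims: in Cilium's policy model an empty endpoint selector in `fromEndpoints` matches only endpoints in the policy's own namespace, so once `default-deny-all` is in place, an Ingress controller running in another namespace (the usual layout; its namespace is not visible in this patch) and any direct `world` traffic to port 8080 would be dropped, while every pod in the same namespace gets access it may not need. The least-privilege fix is to select the controller explicitly, e.g. `fromEndpoints: - matchLabels: {k8s:io.kubernetes.pod.namespace: <ingress-controller-namespace>}` with the comment changed to `# Allow HTTP from the Ingress controller only`; `fromEntities: [cluster]` or `[world]` is a coarser fallback, and `all` should be avoided. A second, smaller point: all three DNS egress rules allow only UDP/53, so a truncated reply that the resolver retries over TCP will be denied under the deny-all — add `- port: "53"` / `protocol: TCP` alongside the UDP entry in each rule.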