add Cilium network policies for enhanced traffic control between services and include in deployment workflow

.github/workflows/deploy.yaml

@@ -107,6 +107,7 @@ jobs:
           kubectl apply -f k8s/nats.yaml -n ${{ env.TARGET_NS }}
           kubectl apply -f k8s/redis.yaml -n ${{ env.TARGET_NS }}
           kubectl apply -f k8s/app.yaml -n ${{ env.TARGET_NS }}
+          kubectl apply -f k8s/cilium-netpol.yaml -n ${{ env.TARGET_NS }}
           kubectl apply -f k8s/ingress.yaml -n ${{ env.TARGET_NS }}
           
           # HPA (Autoscaling) nur für Main/Master Branch aktivieren

k8s/cilium-netpol.yaml

@@ -0,0 +1,133 @@
+# Default Deny Policy - blocks all traffic unless explicitly allowed
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: default
+spec:
+  endpointSelector: {}
+  ingress:
+  - {}
+  egress:
+  - {}
+---
+# Escape Game App Network Policy
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: escape-game-netpol
+  namespace: default
+spec:
+  endpointSelector:
+    matchLabels:
+      app: escape-game
+  ingress:
+  # Allow HTTP traffic from anywhere (for user access)
+  - fromEndpoints:
+    - {}
+    toPorts:
+    - ports:
+      - port: "8080"
+        protocol: TCP
+  egress:
+  # Allow DNS
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: kube-system
+        k8s-app: kube-dns
+    toPorts:
+    - ports:
+      - port: "53"
+        protocol: UDP
+  # Allow connection to Redis
+  - toEndpoints:
+    - matchLabels:
+        app: redis
+    toPorts:
+    - ports:
+      - port: "6379"
+        protocol: TCP
+  # Allow connection to NATS
+  - toEndpoints:
+    - matchLabels:
+        app: nats
+    toPorts:
+    - ports:
+      - port: "4222"
+        protocol: TCP
+---
+# Redis Network Policy
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: redis-netpol
+  namespace: default
+spec:
+  endpointSelector:
+    matchLabels:
+      app: redis
+  ingress:
+  # Only allow connections from escape-game app
+  - fromEndpoints:
+    - matchLabels:
+        app: escape-game
+    toPorts:
+    - ports:
+      - port: "6379"
+        protocol: TCP
+  egress:
+  # Allow DNS
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: kube-system
+        k8s-app: kube-dns
+    toPorts:
+    - ports:
+      - port: "53"
+        protocol: UDP
+---
+# NATS Network Policy
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: nats-netpol
+  namespace: default
+spec:
+  endpointSelector:
+    matchLabels:
+      app: nats
+  ingress:
+  # Allow client connections from escape-game app
+  - fromEndpoints:
+    - matchLabels:
+        app: escape-game
+    toPorts:
+    - ports:
+      - port: "4222"
+        protocol: TCP
+  # Allow cluster traffic between NATS pods
+  - fromEndpoints:
+    - matchLabels:
+        app: nats
+    toPorts:
+    - ports:
+      - port: "6222"
+        protocol: TCP
+  egress:
+  # Allow DNS
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: kube-system
+        k8s-app: kube-dns
+    toPorts:
+    - ports:
+      - port: "53"
+        protocol: UDP
+  # Allow cluster communication to other NATS pods
+  - toEndpoints:
+    - matchLabels:
+        app: nats
+    toPorts:
+    - ports:
+      - port: "6222"
+        protocol: TCP

pkg/physics/physics.go

@@ -51,8 +51,7 @@ func DefaultPlayerConstants() PlayerConstants {
 	}
 }
 
-// ApplyPhysics wendet einen Physik-Tick auf den Spieler an
+// ApplyPhysics wendet einen Physik-Tick
-// Diese Funktion wird 1:1 von Server und Client verwendet
 func ApplyPhysics(
 	state *PlayerPhysicsState,
 	input PhysicsInput,