Add NetworkPolicy to allow mediawiki → mariadb traffic (port 3306) #38

Merged
velghea merged 2 commits into main from copilot/fix-mediawiki-network-policy
Mar 18, 2026
Conversation

Contributor

Copilot AI commented Mar 18, 2026

Cilium was dropping egress TCP/3306 from the mediawiki pod to the mariadb pod despite both being in the same namespace, due to an implicit deny policy with no explicit allow rules in the chart.

Changes

  • values.yaml: Add networkPolicy.enabled: true toggle
  • deployment.yaml: Add app.kubernetes.io/component: mediawiki label to pod template, enabling NetworkPolicy selectors to distinguish app pods from mariadb pods (which already carry component: mariadb)
  • templates/networkpolicy.yaml (new): NetworkPolicy for the mediawiki pod — ingress on 80, egress to mariadb on 3306, egress DNS on 53
  • templates/mariadb-networkpolicy.yaml (new): NetworkPolicy for the mariadb pod — ingress from mediawiki on 3306 only, egress DNS on 53
  • README.md: Document networkPolicy parameters

Rendered output (internal MariaDB)

# mediawiki pod
egress:
  - to:
      - podSelector:
          matchLabels:
            app.kubernetes.io/component: mariadb
    ports:
      - port: 3306

# mariadb pod
ingress:
  - from:
      - podSelector:
          matchLabels:
            app.kubernetes.io/component: mediawiki
    ports:
      - port: 3306

When using an external database (mariadb.internal.enabled: false), the mariadb NetworkPolicy is skipped and the mediawiki egress rule opens port 3306 to all destinations.

Original prompt

This section details the original issue you should resolve

<issue_title>Network policy mediawiki</issue_title>
<issue_description>Within the mediawiki namespace, it appears that the flow between the application pod and the MariaDB database is being dropped. Within the same namespace, communications are allowed.

Flow Details
Timestamp: 2026-03-18T17:26:38.174Z
Verdict: dropped
Drop reason: Policy denied
Traffic direction: egress
TCP flags: SYN

Source pod: mediawiki-65598b5bc8-5p565
Source identity: 677232
Source labels:
  instance=mediawiki
  name=mediawiki
  io.cilium.k8s.namespace.labels.ifpen.fr/dev-team=DIFF-F064-CHARTE
  io.cilium.k8s.namespace.labels.ifpen.fr/env=PROD
  io.cilium.k8s.namespace.labels.ifpen.fr/po-team=DIFF-F064-PLUS
  io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=mediawiki
  io.cilium.k8s.namespace.labels.kustomize.toolkit.fluxcd.io/name=apps-prod
  io.cilium.k8s.namespace.labels.kustomize.toolkit.fluxcd.io/namespace=flux-system
  io.cilium.k8s.policy.cluster=dataprod
  io.cilium.k8s.policy.serviceaccount=default
  namespace=mediawiki
Source IP: 10.245.17.225

Destination pod: mediawiki-mariadb-7c6b9bbb57-x6l2x
Destination identity: 668514
Destination labels:
  component=mariadb
  instance=mediawiki
  name=mediawiki
  io.cilium.k8s.namespace.labels.ifpen.fr/dev-team=DIFF-F064-CHARTE
  io.cilium.k8s.namespace.labels.ifpen.fr/env=PROD
  io.cilium.k8s.namespace.labels.ifpen.fr/po-team=DIFF-F064-PLUS
  io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=mediawiki
  io.cilium.k8s.namespace.labels.kustomize.toolkit.fluxcd.io/name=apps-prod
  io.cilium.k8s.namespace.labels.kustomize.toolkit.fluxcd.io/namespace=flux-system
  io.cilium.k8s.policy.cluster=dataprod
  io.cilium.k8s.policy.serviceaccount=default
  namespace=mediawiki
Destination IP: 10.245.12.227
Destination port • protocol: 3306 • TCP</issue_description>

Comments on the Issue (you are @copilot in this section)
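
The external-database case described above, as an added example that is not part of the chart or of this pull request: a mediawiki NetworkPolicy whose 3306 egress rule is pinned to one address with ipBlock instead of being open to all destinations. The policy name, the 192.0.2.10/32 address (a documentation-range placeholder) and the DNS protocols are assumptions.

```yaml
# Added example, not the chart's template. Assumed: policy name, database
# address, DNS protocols. The component label and ports come from the PR text.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mediawiki                 # hypothetical name
  namespace: mediawiki
spec:
  # Once a policy selects this pod for a direction, anything not listed
  # below is denied in that direction.
  podSelector:
    matchLabels:
      app.kubernetes.io/component: mediawiki
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - ports:
        - port: 80
          protocol: TCP
  egress:
    # Broad form (what the PR describes for mariadb.internal.enabled: false):
    # a rule with ports but no "to" clause allows TCP/3306 to every destination.
    # - ports:
    #     - port: 3306
    #       protocol: TCP
    #
    # Narrow form: the same port, limited to the external database address.
    - to:
        - ipBlock:
            cidr: 192.0.2.10/32   # placeholder; replace with the database IP
      ports:
        - port: 3306
          protocol: TCP
    # DNS on port 53, as in the chart's policy (UDP and TCP assumed)
    - ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```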



Contributor

github-actions Bot commented Mar 18, 2026

🏷️ RC version published

RC chart: 3.6.2-rc.2
Planned final version: 3.6.2
FileSender: 3.6

Installation for testing

helm repo update ifpen
helm install filesender-rc ifpen/filesender --version 3.6.2-rc.2

Verification

helm search repo ifpen/filesender --versions --devel

⚠️ This RC version will be replaced by the stable version 3.6.2 at merge.

github-actions Bot added a commit that referenced this pull request Mar 18, 2026
… drop on port 3306

Co-authored-by: velghea <70569153+velghea@users.noreply.github.com>
github-actions Bot added a commit that referenced this pull request Mar 18, 2026
Copilot AI changed the title [WIP] [Network policy mediawiki] Fix dropped traffic between mediawiki pod and mariaDB Add NetworkPolicy to allow mediawiki → mariadb traffic (port 3306) Mar 18, 2026
Copilot AI requested a review from velghea March 18, 2026 17:32
Contributor

velghea commented Mar 18, 2026

Why add network policies? By default, the namespace is open.

@velghea velghea marked this pull request as ready for review March 18, 2026 17:35
@velghea velghea merged commit ba10692 into main Mar 18, 2026
4 checks passed
@mechermu mechermu deleted the copilot/fix-mediawiki-network-policy branch April 8, 2026 07:39

Development

Successfully merging this pull request may close these issues.

Network policy mediawiki
