MATIH Platform is in active MVP development. Documentation reflects current implementation status.

Ingress Policies

Ingress policies control which pods and namespaces can send traffic to MATIH services. Each service defines its own ingress rules based on its documented API consumers, ensuring that only authorized sources can reach service endpoints.


Ingress Policy Pattern

Every service NetworkPolicy includes three standard ingress rules:

ingress:
  # 1. Allow traffic from NGINX Ingress Controller
  - from:
      - namespaceSelector:
          matchLabels:
            name: matih-ingress
    ports:
      - protocol: TCP
        port: 8000
 
  # 2. Allow traffic from same namespace
  - from:
      - podSelector: {}
    ports:
      - protocol: TCP
        port: 8000
 
  # 3. Allow Prometheus scraping
  - from:
      - namespaceSelector:
          matchLabels:
            name: matih-monitoring
    ports:
      - protocol: TCP
        port: 8000

AI Service Ingress Rules

The AI Service networkpolicy.yaml template allows ingress from:

| Source | Namespace Label | Port | Purpose |
|---|---|---|---|
| NGINX Ingress | name: matih-ingress | 8000 | External API traffic |
| Same namespace pods | Any in namespace | 8000 | Inter-service calls |
| Prometheus | name: matih-monitoring | 8000 | Metrics scraping |

Service-Specific Ingress

| Service | Additional Ingress Sources | Reason |
|---|---|---|
| API Gateway | External ingress controller | Frontend traffic |
| AI Service | API Gateway, BI Workbench | Chat and agent API calls |
| Query Engine | AI Service, BI Service | SQL query execution |
| Kafka | AI Service, Audit Service | Event production and consumption |
| Redis | AI Service, Session Service | Cache and session access |
| Qdrant | AI Service | Vector search queries |
| PostgreSQL | All data plane services | Database connections |

Restricting by Pod Labels

For fine-grained control, ingress rules can match specific pod labels:

ingress:
  - from:
      - podSelector:
          matchLabels:
            app: api-gateway
    ports:
      - protocol: TCP
        port: 8000

This is more restrictive than the podSelector: {} rule, which admits every pod in the namespace, and is used for security-sensitive services.

Cross-Namespace Ingress

Cross-namespace ingress requires a namespaceSelector; adding a podSelector to the same from entry narrows the rule to matching pods inside that namespace. Both selectors in one entry must match (they are ANDed); listing them as two separate entries would instead admit either source:

ingress:
  - from:
      - namespaceSelector:
          matchLabels:
            name: matih-system
        podSelector:
          matchLabels:
            app: api-gateway
    ports:
      - protocol: TCP
        port: 8000
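The rules above only behave as intended if their matching semantics are understood: separate ingress entries are ORed, while a namespaceSelector and podSelector inside one from entry are ANDed. The following Python is an added example, not MATIH project code, that models those semantics offline for matchLabels-only rules (the only kind on this page) and runs the standard three-rule pattern and the cross-namespace rule against constructed sources. The policy namespace matih-ai and all source labels are assumptions.

```python
"""Offline model of NetworkPolicy ingress matching (matchLabels only).

Added example, not MATIH project code. Selectors inside one `from` entry are
ANDed; separate `from` entries and separate ingress rules are ORed. ipBlock
and matchExpressions are not modelled because the rules on this page use
neither. Namespace names and pod labels below are constructed.
"""


def labels_match(selector, labels):
    """matchLabels semantics: every listed key/value must be present; {} matches all."""
    return all(labels.get(k) == v
               for k, v in (selector or {}).get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, src_ns, src_ns_labels, src_pod_labels):
    """Evaluate one `from` entry.
    - podSelector alone: pods in the policy's own namespace only.
    - namespaceSelector alone: every pod in namespaces with those labels.
    - both together: pods matching podSelector inside matching namespaces."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # e.g. an ipBlock peer, which this model ignores
    if ns_sel is None:
        return src_ns == policy_ns and labels_match(pod_sel, src_pod_labels)
    if not labels_match(ns_sel, src_ns_labels):
        return False
    return pod_sel is None or labels_match(pod_sel, src_pod_labels)


def port_matches(ports, port, protocol):
    """An absent or empty `ports` list means every port; protocol defaults to TCP."""
    if not ports:
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol
               for p in ports)


def ingress_allowed(policy, policy_ns, src_ns, src_ns_labels, src_pod_labels,
                    port, protocol="TCP"):
    """True if any ingress rule admits the source on the given port."""
    for rule in policy.get("ingress", []):
        if not port_matches(rule.get("ports"), port, protocol):
            continue
        peers = rule.get("from")
        if not peers:
            return True  # a rule without `from` admits every source
        if any(peer_matches(p, policy_ns, src_ns, src_ns_labels, src_pod_labels)
               for p in peers):
            return True
    return False


TCP_8000 = [{"protocol": "TCP", "port": 8000}]

# The three standard rules from this page, transcribed into dict form.
STANDARD_POLICY = {"ingress": [
    {"from": [{"namespaceSelector": {"matchLabels": {"name": "matih-ingress"}}}], "ports": TCP_8000},
    {"from": [{"podSelector": {}}], "ports": TCP_8000},
    {"from": [{"namespaceSelector": {"matchLabels": {"name": "matih-monitoring"}}}], "ports": TCP_8000},
]}

# Cross-namespace rule as written on this page: one entry, both selectors (ANDed).
CROSS_NS_AND = {"ingress": [
    {"from": [{"namespaceSelector": {"matchLabels": {"name": "matih-system"}},
               "podSelector": {"matchLabels": {"app": "api-gateway"}}}], "ports": TCP_8000},
]}

# The same selectors split into two entries (a common mistake): ORed, so every pod
# in matih-system is admitted, plus api-gateway pods in the policy's own namespace.
CROSS_NS_OR = {"ingress": [
    {"from": [{"namespaceSelector": {"matchLabels": {"name": "matih-system"}}},
              {"podSelector": {"matchLabels": {"app": "api-gateway"}}}], "ports": TCP_8000},
]}

POLICY_NS = "matih-ai"  # assumption: namespace the AI Service policy lives in


def demo():
    """Constructed scenarios -> allowed?  Names describe the source being tested."""
    system = dict(src_ns="matih-system", src_ns_labels={"name": "matih-system"})
    return {
        "ingress controller -> 8000": ingress_allowed(
            STANDARD_POLICY, POLICY_NS, "matih-ingress", {"name": "matih-ingress"}, {"app": "nginx"}, 8000),
        "ingress controller -> 9000": ingress_allowed(
            STANDARD_POLICY, POLICY_NS, "matih-ingress", {"name": "matih-ingress"}, {"app": "nginx"}, 9000),
        "any pod in same namespace": ingress_allowed(
            STANDARD_POLICY, POLICY_NS, POLICY_NS, {"name": POLICY_NS}, {"app": "batch-job"}, 8000),
        "prometheus, namespace unlabelled": ingress_allowed(
            STANDARD_POLICY, POLICY_NS, "matih-monitoring", {}, {"app": "prometheus"}, 8000),
        "AND: gateway pod in matih-system": ingress_allowed(
            CROSS_NS_AND, POLICY_NS, **system, src_pod_labels={"app": "api-gateway"}, port=8000),
        "AND: other pod in matih-system": ingress_allowed(
            CROSS_NS_AND, POLICY_NS, **system, src_pod_labels={"app": "batch-job"}, port=8000),
        "OR: other pod in matih-system": ingress_allowed(
            CROSS_NS_OR, POLICY_NS, **system, src_pod_labels={"app": "batch-job"}, port=8000),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {name}")
```

The "prometheus, namespace unlabelled" scenario is the troubleshooting case where the monitoring namespace exists but lacks its name label: the source is denied even though the rule looks correct. The two cross-namespace variants show why the page's single-entry form matters.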

Helm Values Configuration

Ingress policy rules can be extended via Helm values:

# values.yaml
networkPolicy:
  enabled: true
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: custom-service
      ports:
        - port: 8000

Testing Ingress Policies

After deploying a new NetworkPolicy, verify connectivity:

# Use platform-status.sh to check service connectivity
./scripts/tools/platform-status.sh

Troubleshooting

| Issue | Symptom | Resolution |
|---|---|---|
| Service unreachable | Connection timeout from allowed source | Verify pod labels match policy selectors |
| Prometheus scrape failing | Missing metrics for service | Ensure monitoring namespace label exists |
| Cross-namespace blocked | Inter-service calls failing | Verify namespace labels and policy selectors |
| All traffic blocked | Service completely unreachable | Check for default-deny policy without exceptions |
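Most rows in the table above come down to a selector that matches nothing in the cluster. The following Python is an added example, not MATIH project code or platform-status.sh, that lints a full NetworkPolicy object against namespace and pod listings before deployment. The inputs have the shape of kubectl -o json items, but the policy object, the namespace matih-ai and the cluster state are constructed samples; only matchLabels selectors are handled.

```python
"""Pre-deploy lint for a MATIH-style NetworkPolicy against cluster state.

Added example, not MATIH project code. Inputs mirror the shape of
`kubectl get networkpolicy|ns|pods -o json` items (metadata.name,
metadata.namespace, metadata.labels) but are constructed samples, not real
cluster output. Only matchLabels selectors are handled.
"""


def sel_matches(selector, labels):
    """matchLabels semantics; {} or a missing selector matches everything."""
    return all(labels.get(k) == v
               for k, v in (selector or {}).get("matchLabels", {}).items())


def lint_policy(policy, namespaces, pods):
    """Return findings as strings; an empty list means nothing to fix."""
    findings = []
    pol_ns, spec = policy["metadata"]["namespace"], policy["spec"]
    ns_labels = {n["metadata"]["name"]: n["metadata"].get("labels", {}) for n in namespaces}
    local = [p["metadata"].get("labels", {}) for p in pods if p["metadata"]["namespace"] == pol_ns]

    # Ingress rules are only enforced when policyTypes includes Ingress.
    ptypes = spec.get("policyTypes")
    if spec.get("ingress") and ptypes is not None and "Ingress" not in ptypes:
        findings.append("policyTypes lacks 'Ingress': the ingress rules are ignored")

    # A policy whose own podSelector selects nothing protects nothing.
    if not any(sel_matches(spec.get("podSelector"), lb) for lb in local):
        findings.append(f"spec.podSelector matches no pod in {pol_ns}")

    for i, rule in enumerate(spec.get("ingress", [])):
        if not rule.get("from"):
            findings.append(f"ingress[{i}]: no 'from', so every source is admitted")
        if not rule.get("ports"):
            findings.append(f"ingress[{i}]: no 'ports', so every port is admitted")
        for j, peer in enumerate(rule.get("from", [])):
            where = f"ingress[{i}].from[{j}]"
            ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
            if ns_sel is not None:
                if not any(sel_matches(ns_sel, lb) for lb in ns_labels.values()):
                    findings.append(f"{where}: namespaceSelector {ns_sel.get('matchLabels', {})} "
                                    "matches no namespace; check the namespace label")
            elif pod_sel is not None:
                # podSelector alone means pods in the policy's own namespace
                if not pod_sel.get("matchLabels"):
                    findings.append(f"info {where}: podSelector {{}} admits every pod in {pol_ns}")
                elif not any(sel_matches(pod_sel, lb) for lb in local):
                    findings.append(f"{where}: podSelector {pod_sel['matchLabels']} matches no pod in {pol_ns}")
    return findings


# Constructed: the AI Service policy from this page as a complete object.
# The namespace matih-ai is an assumption.
AI_SERVICE_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "ai-service", "namespace": "matih-ai"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "ai-service"}},
        "policyTypes": ["Ingress"],
        "ingress": [
            {"from": [{"namespaceSelector": {"matchLabels": {"name": "matih-ingress"}}}],
             "ports": [{"protocol": "TCP", "port": 8000}]},
            {"from": [{"podSelector": {}}], "ports": [{"protocol": "TCP", "port": 8000}]},
            {"from": [{"namespaceSelector": {"matchLabels": {"name": "matih-monitoring"}}}],
             "ports": [{"protocol": "TCP", "port": 8000}]},
        ],
    },
}

# Constructed cluster state: the monitoring namespace exists but is missing its
# `name` label, which is the "Prometheus scrape failing" row in the table.
NAMESPACES = [
    {"metadata": {"name": "matih-ai", "labels": {"name": "matih-ai"}}},
    {"metadata": {"name": "matih-ingress", "labels": {"name": "matih-ingress"}}},
    {"metadata": {"name": "matih-monitoring", "labels": {}}},
]
PODS = [
    {"metadata": {"name": "ai-service-0", "namespace": "matih-ai", "labels": {"app": "ai-service"}}},
]


if __name__ == "__main__":
    for line in lint_policy(AI_SERVICE_POLICY, NAMESPACES, PODS):
        print(line)
```

On the constructed state the lint reports the unlabelled matih-monitoring namespace as an error and the podSelector: {} rule as an informational note, which matches the table's resolution of checking namespace labels. Feeding it real kubectl -o json output is a matter of loading the items lists with json.load.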