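# Cloudflare Gateway Policies
# DNS filtering and network security policies
#
# Each key under `data` is a JSON document stored as a YAML literal block
# scalar (`|`). JSON has no comment syntax, so all commentary lives here in
# the YAML, never inside the block scalars.
#
# Policy ordering: Cloudflare Gateway evaluates lower `precedence` values
# first (confirm against the dashboard for this account). As written, the
# block policies (precedence 1 and 2) are matched before the admin allow
# policies (precedence 100), so the allow policies do not bypass them.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloudflare-gateway-policies
  namespace: default
data:
  # DNS Policies
  # "Block Malicious Domains" carries no `identity` selector, so it is not
  # scoped to a group; the other two policies are scoped via `identity.groups`.
  dns-policies: |
    {
      "policies": [
        {
          "name": "Block Malicious Domains",
          "action": "block",
          "precedence": 1,
          "filters": [
            {
              "type": "dns",
              "categories": [
                "malware",
                "phishing",
                "command-and-control",
                "ransomware",
                "spyware"
              ]
            }
          ]
        },
        {
          "name": "Block Adult Content",
          "action": "block",
          "precedence": 2,
          "filters": [
            {
              "type": "dns",
              "categories": [
                "adult"
              ]
            }
          ],
          "identity": {
            "groups": [
              {
                "name": "employees"
              }
            ]
          }
        },
        {
          "name": "Allow All for Admins",
          "action": "allow",
          "precedence": 100,
          "identity": {
            "groups": [
              {
                "name": "admins"
              }
            ]
          }
        }
      ]
    }
  # Network Policies
  # Ports are listed as strings; the `identity.groups` arrays must be closed
  # with `]` (the document is rejected by any strict JSON parser otherwise).
  network-policies: |
    {
      "policies": [
        {
          "name": "Block High Risk Ports",
          "action": "block",
          "precedence": 1,
          "rules": [
            {
              "protocol": "tcp",
              "ports": [
                "22",
                "23",
                "135",
                "139",
                "445",
                "1433",
                "3306",
                "3389",
                "5432"
              ]
            }
          ],
          "identity": {
            "groups": [
              {
                "name": "employees"
              }
            ]
          }
        },
        {
          "name": "Allow Admin Access",
          "action": "allow",
          "precedence": 100,
          "identity": {
            "groups": [
              {
                "name": "admins"
              },
              {
                "name": "platform-engineers"
              }
            ]
          }
        }
      ]
    }
  # Logging Configuration
  # `log_all` presumably records allowed as well as blocked events (verify
  # against the Gateway logging settings); `retention.days` is in days.
  logging-config: |
    {
      "dns": {
        "enabled": true,
        "log_all": true,
        "log_blocks": true
      },
      "network": {
        "enabled": true,
        "log_all": true,
        "log_blocks": true
      },
      "retention": {
        "days": 30
      }
    }
  # Split DNS Configuration
  # Queries for the listed domains are sent to the internal resolvers in
  # `dns_servers` rather than to Gateway. NOTE(review): `*.local` is also the
  # mDNS domain (RFC 6762), so it matches more than the cluster suffix
  # `*.svc.cluster.local`; confirm that breadth is intended.
  split-dns: |
    {
      "domains": [
        "sankofa.nexus",
        "*.sankofa.nexus",
        "*.svc.cluster.local",
        "*.local"
      ],
      "dns_servers": [
        "10.0.0.53",
        "10.1.0.53",
        "10.2.0.53"
      ]
    }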