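# Cloudflare Zero Trust Access Policies
# These policies control who can access which applications.
#
# NOTE(review): the rule shapes used below (`mfa: {}`, `group.name`,
# `device_posture.check`, `service_token.name`, `email.domain`) are not the
# Cloudflare Access API schema as published (which uses e.g. `auth_method`,
# `group.id`, `device_posture.integration_uid`, `service_token.token_id`,
# `email_domain.domain`). Whatever consumes this ConfigMap must translate them;
# nothing in this file shows that consumer, so confirm against it before relying
# on any policy here being enforced.
#
# Semantics assumed throughout: within one application a request is admitted if it
# satisfies ANY "allow" policy; inside a policy, `include` entries are OR'd and
# `require` entries are AND'd. A stricter policy for a subset of users therefore
# only has effect if the broader policies exclude that subset.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloudflare-access-policies
  namespace: default
data:
  # Portal Access Policy
  # The general allow excludes the admins group so that "Require MFA for Admins" is
  # the only policy able to admit an admin. Without the exclude, an admin whose
  # address is in sankofa.nexus is admitted by the first policy and never asked for
  # MFA (the second policy would be reachable only when the first does not match).
  portal-policy: |
    {
      "name": "Portal Access",
      "application": {
        "domain": "portal.sankofa.nexus",
        "name": "Hybrid Cloud Portal"
      },
      "policies": [
        {
          "name": "Allow Authenticated Users",
          "decision": "allow",
          "include": [
            { "email": { "domain": "sankofa.nexus" } }
          ],
          "exclude": [
            { "group": { "name": "admins" } }
          ],
          "require": [
            { "email": { "domain": "sankofa.nexus" } }
          ],
          "session_duration": "24h"
        },
        {
          "name": "Require MFA for Admins",
          "decision": "allow",
          "include": [
            { "group": { "name": "admins" } }
          ],
          "require": [
            { "mfa": {} }
          ],
          "session_duration": "8h"
        }
      ]
    }

  # Rancher Access Policy
  # Both `require` entries must hold: MFA and a managed-device posture check.
  rancher-policy: |
    {
      "name": "Rancher Access",
      "application": {
        "domain": "rancher.sankofa.nexus",
        "name": "Rancher UI"
      },
      "policies": [
        {
          "name": "Allow Admin Group",
          "decision": "allow",
          "include": [
            { "group": { "name": "admins" } },
            { "group": { "name": "platform-engineers" } }
          ],
          "require": [
            { "mfa": {} },
            { "device_posture": { "check": "managed_device" } }
          ],
          "session_duration": "4h"
        }
      ]
    }

  # ArgoCD Access Policy
  # MFA is required; unlike Rancher/Vault/Keycloak there is no device-posture
  # requirement here, which is a deliberate difference only if it was intended.
  argocd-policy: |
    {
      "name": "ArgoCD Access",
      "application": {
        "domain": "argocd.sankofa.nexus",
        "name": "ArgoCD GitOps"
      },
      "policies": [
        {
          "name": "Allow Platform Engineers",
          "decision": "allow",
          "include": [
            { "group": { "name": "platform-engineers" } },
            { "group": { "name": "admins" } }
          ],
          "require": [
            { "mfa": {} }
          ],
          "session_duration": "8h"
        }
      ]
    }

  # Grafana Access Policy
  # NOTE(review): any sankofa.nexus identity is admitted for 24h with no `require`
  # block (no MFA, no posture). Acceptable only if the dashboards expose nothing
  # sensitive; otherwise add at least `{ "mfa": {} }` to match the other apps.
  grafana-policy: |
    {
      "name": "Grafana Access",
      "application": {
        "domain": "grafana.sankofa.nexus",
        "name": "Grafana Dashboards"
      },
      "policies": [
        {
          "name": "Allow All Authenticated",
          "decision": "allow",
          "include": [
            { "email": { "domain": "sankofa.nexus" } }
          ],
          "session_duration": "24h"
        }
      ]
    }

  # Vault Access Policy
  # Admins only, MFA and managed device both required; short 2h session.
  vault-policy: |
    {
      "name": "Vault Access",
      "application": {
        "domain": "vault.sankofa.nexus",
        "name": "HashiCorp Vault"
      },
      "policies": [
        {
          "name": "Allow Admin Group Only",
          "decision": "allow",
          "include": [
            { "group": { "name": "admins" } }
          ],
          "require": [
            { "mfa": {} },
            { "device_posture": { "check": "managed_device" } }
          ],
          "session_duration": "2h"
        }
      ]
    }

  # Proxmox API Access Policy
  # NOTE(review): the service-token policy uses decision "allow". In Cloudflare
  # Access, machine clients presenting a service token are normally admitted via a
  # Service Auth policy (API decision "non_identity"); an "allow" policy may send a
  # non-browser client through the identity-provider login instead. Confirm which
  # decision the consumer of this ConfigMap maps this to before trusting the
  # crossplane-proxmox-token path.
  proxmox-api-policy: |
    {
      "name": "Proxmox API Access",
      "application": {
        "domain": "proxmox-api.sankofa.nexus",
        "name": "Proxmox API"
      },
      "policies": [
        {
          "name": "Allow Service Accounts",
          "decision": "allow",
          "include": [
            { "service_token": { "name": "crossplane-proxmox-token" } }
          ],
          "session_duration": "1h"
        },
        {
          "name": "Allow Platform Engineers",
          "decision": "allow",
          "include": [
            { "group": { "name": "platform-engineers" } }
          ],
          "require": [
            { "mfa": {} }
          ],
          "session_duration": "4h"
        }
      ]
    }

  # Keycloak Access Policy
  # Identity-provider admin console: same posture as Vault (admins, MFA, managed
  # device, 2h session).
  keycloak-policy: |
    {
      "name": "Keycloak Access",
      "application": {
        "domain": "keycloak.sankofa.nexus",
        "name": "Keycloak Admin"
      },
      "policies": [
        {
          "name": "Allow Admin Group Only",
          "decision": "allow",
          "include": [
            { "group": { "name": "admins" } }
          ],
          "require": [
            { "mfa": {} },
            { "device_posture": { "check": "managed_device" } }
          ],
          "session_duration": "2h"
        }
      ]
    }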