Sankofa/cloudflare/gateway-policies.yaml

# Cloudflare Gateway Policies
# DNS filtering and network security policies

apiVersion: v1
kind: ConfigMap
metadata:
  name: cloudflare-gateway-policies
  namespace: default
data:
  # DNS Policies
  dns-policies: |
    {
      "policies": [
        {
          "name": "Block Malicious Domains",
          "action": "block",
          "precedence": 1,
          "filters": [
            {
              "type": "dns",
              "categories": [
                "malware",
                "phishing",
                "command-and-control",
                "ransomware",
                "spyware"
              ]
            }
          ]
        },
        {
          "name": "Block Adult Content",
          "action": "block",
          "precedence": 2,
          "filters": [
            {
              "type": "dns",
              "categories": [
                "adult"
              ]
            }
          ],
          "identity": {
            "groups": [
              {
                "name": "employees"
              }
            ]
          }
        },
        {
          "name": "Allow All for Admins",
          "action": "allow",
          "precedence": 100,
          "identity": {
            "groups": [
              {
                "name": "admins"
              }
            ]
          }
        }
      ]
    }

  # Network Policies
  network-policies: |
    {
      "policies": [
        {
          "name": "Block High Risk Ports",
          "action": "block",
          "precedence": 1,
          "rules": [
            {
              "protocol": "tcp",
              "ports": [
                "22",
                "23",
                "135",
                "139",
                "445",
                "1433",
                "3306",
                "3389",
                "5432"
              ]
            }
          ],
          "identity": {
            "groups": [
              {
                "name": "employees"
              }
            }
          }
        },
        {
          "name": "Allow Admin Access",
          "action": "allow",
          "precedence": 100,
          "identity": {
            "groups": [
              {
                "name": "admins"
              },
              {
                "name": "platform-engineers"
              }
            }
          }
        }
      ]
    }

  # Logging Configuration
  logging-config: |
    {
      "dns": {
        "enabled": true,
        "log_all": true,
        "log_blocks": true
      },
      "network": {
        "enabled": true,
        "log_all": true,
        "log_blocks": true
      },
      "retention": {
        "days": 30
      }
    }

  # Split DNS Configuration
  split-dns: |
    {
      "domains": [
        "sankofa.nexus",
        "*.sankofa.nexus",
        "*.svc.cluster.local",
        "*.local"
      ],
      "dns_servers": [
        "10.0.0.53",
        "10.1.0.53",
        "10.2.0.53"
      ]
    }