d263c7bf48
- GameGlobal.js: keep upstream SERVER_URL with /ws suffix - en.js/zh.js: merge both settings.nickname and settings.profile keys - SettingsScene.js: keep both nickname row and profile button - server/index.js: merge express app + content security proxy with noServer WebSocket mode and path validation - Add .gitignore for node_modules and .codebuddy
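---
# ============================================================
# NetworkPolicy: content-security-policy
# Restrict access to content security service:
#   - Only allow ingress from game namespaces (tankwar, etc.)
#   - Allow egress to WeChat APIs and DNS
#
# NOTE(review): this object lists only Ingress under policyTypes and
# carries no egress rules, so it leaves egress from the selected pods
# unrestricted. The egress allow-list described above has to come from
# a separate policy that includes the Egress policy type -- confirm
# that one exists for this namespace.
# ============================================================
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: content-security-ingress-policy
  namespace: content-security
spec:
  # Pods this policy isolates: the content security service only.
  podSelector:
    matchLabels:
      app: content-security-service
  policyTypes:
    - Ingress
  # Ingress rules are additive: a connection is admitted if ANY rule
  # below matches it. Every rule is limited to TCP 3000.
  ingress:
    # Allow from tankwar namespace.
    # kubernetes.io/metadata.name is set on each namespace by the
    # control plane, so this admits every pod in "tankwar".
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: tankwar
      ports:
        - protocol: TCP
          port: 3000
    # Allow from any namespace with the game-client label.
    # A podSelector on its own only matches pods in this policy's own
    # namespace (content-security). The empty namespaceSelector in the
    # SAME list item widens the match to labelled pods in every
    # namespace; the two selectors are ANDed.
    # NOTE(review): pod labels are chosen by whoever deploys the pod,
    # so any tenant allowed to create pods can grant itself access by
    # setting this label. If that is too broad, select namespaces by a
    # label that only cluster admins can set instead of using {}.
    - from:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              content-security-client: "true"
      ports:
        - protocol: TCP
          port: 3000
    # Allow health checks from within same namespace.
    # The empty podSelector matches every pod in content-security, so
    # this admits all in-namespace traffic on 3000, not only probes.
    # NOTE(review): kubelet probes originate from the node, and whether
    # they are subject to NetworkPolicy depends on the CNI plugin --
    # confirm this rule is what actually lets the health checks through.
    - from:
        - podSelector: {}
      ports:
        - protocol: TCP
          port: 3000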