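/**
 * Apply a baseline NetworkPolicy set to each listed namespace on one cluster,
 * going through the cnap kube proxy: a DNS-only egress allow, an optional
 * ingress allow on the app ports, and a default-deny for both directions.
 *
 * Returns one entry per namespace, { install, defaultDeny, allowDns, allowIngress },
 * where each policy result is { status, name, ok, error? }. `ok` is derived from
 * the HTTP status so a 403 or 409 is reported as a failure rather than looking
 * like a created policy (the original shape { status, name } is preserved).
 *
 * Review notes:
 *  - Creation is a plain POST, so a re-run gets 409 AlreadyExists and any
 *    pre-existing policy with the same name is left as-is, not reconciled.
 *  - allow-app-ingress carries no `from`, so the listed ports accept traffic
 *    from every peer: all namespaces and whatever the CNI treats as external.
 *    Narrow it with a namespaceSelector/podSelector for the gateway once its
 *    labels are confirmed.
 *  - After this runs, egress is DNS-only. A namespace that must reach the
 *    outside (a tunnel connector in cloudflare-gateway, presumably) needs its
 *    own egress allow rule or it will be cut off -- confirm before applying.
 *  - The namespace ids below are truncated placeholders ("pde-k17236...");
 *    substitute the full names before running.
 */
async () => {
  const clusterId = "cls_abc123"; // resolved by the agent from conversation

  // POST one Kubernetes object through cnap and reduce the response to what
  // the caller needs. Kubernetes error responses are Status objects whose text
  // lives in body.message / body.reason; that assumes cnap passes the raw API
  // body through unchanged -- verify against the proxy.
  const kubePost = async (path, body) => {
    const r = await cnap.request({
      method: "POST",
      path: `/v1/clusters/${clusterId}/kube/${path}`,
      body,
    });
    const code = Number(r.status);
    const ok = code >= 200 && code < 300;
    return {
      status: r.status,
      name: r.body?.metadata?.name,
      ok,
      ...(ok ? {} : { error: r.body?.message ?? r.body?.reason ?? `HTTP ${r.status}` }),
    };
  };

  const namespaces = [
    { ns: "pde-k17236...", name: "cloudflare-gateway", ports: [] },
    { ns: "pde-k1737k...", name: "openclaw2", ports: [18789] },
    { ns: "pde-k174wk...", name: "httpbin", ports: [8000] },
    { ns: "pde-k175jm...", name: "openclaw", ports: [18789] },
  ];

  const results = [];
  for (const { ns, name, ports } of namespaces) {
    const apiPath = `apis/networking.k8s.io/v1/namespaces/${ns}/networkpolicies`;

    // Build a NetworkPolicy manifest for this namespace.
    const policy = (policyName, spec) => ({
      apiVersion: "networking.k8s.io/v1",
      kind: "NetworkPolicy",
      metadata: { name: policyName, namespace: ns },
      spec,
    });

    // The allow rules are created before the deny so pods never sit in a
    // window where DNS is blocked. The end state is identical: a policy that
    // names a policyType already denies everything else of that type for the
    // pods it selects, so egress becomes DNS-only the moment allow-dns exists.

    // 1. Allow DNS egress to kube-system only (UDP and TCP 53).
    const allowDns = await kubePost(apiPath, policy("allow-dns", {
      podSelector: {},
      policyTypes: ["Egress"],
      egress: [{
        to: [{ namespaceSelector: { matchLabels: { "kubernetes.io/metadata.name": "kube-system" } } }],
        ports: [{ protocol: "UDP", port: 53 }, { protocol: "TCP", port: 53 }],
      }],
    }));

    // 2. Allow ingress on the app ports, if the namespace exposes any.
    // No `from` is set, so these ports are reachable from any peer.
    let allowIngress = null;
    if (ports.length > 0) {
      allowIngress = await kubePost(apiPath, policy("allow-app-ingress", {
        podSelector: {},
        policyTypes: ["Ingress"],
        ingress: [{ ports: ports.map(p => ({ protocol: "TCP", port: p })) }],
      }));
    }

    // 3. Default deny for all ingress and egress not allowed above.
    const defaultDeny = await kubePost(apiPath, policy("default-deny-all", {
      podSelector: {},
      policyTypes: ["Ingress", "Egress"],
    }));

    results.push({ install: name, defaultDeny, allowDns, allowIngress });
  }
  return results;
}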