
Security: Add Kubernetes NetworkPolicies for UCP and Radius components #11271

@vinayada1

Description

Summary

The UCP threat assessment (docs/security/ucp-threat-assessment.yaml) identifies multiple threats that are mitigated by deploying Kubernetes NetworkPolicies:

  • THR03: Unauthenticated communication between UCP and resource providers — network-level isolation complements the planned mTLS (Secure communication between UCP and resource providers #8083)
  • THR08: Kubernetes API server aggregation bypass — without NetworkPolicies, UCP is directly reachable via ClusterIP/pod IP, bypassing authentication
  • THR10: Metrics and health endpoint information disclosure — unrestricted access to port 9090

Proposed Changes

  1. Add a NetworkPolicy to the Helm chart restricting ingress to the UCP pod to only:

    • The Kubernetes API server (for APIService aggregation)
    • Authorized Radius components (Applications RP, Dynamic RP, Deployment Engine, Controller)
    • Prometheus scrapers (for metrics port 9090, when enabled)
  2. Add a NetworkPolicy restricting egress from the UCP pod to only:

    • Known resource provider services
    • The Kubernetes API server
    • External cloud APIs (Azure, AWS)
  3. Consider making NetworkPolicies opt-in via a Helm value (e.g., global.networkPolicy.enabled) for clusters without a CNI that supports NetworkPolicy.

Related
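The following Helm template is an added example of the two policies proposed above; it is not part of the Radius chart or of this issue. Everything in it that names a concrete object is an assumption to be checked against the real chart: the `control-plane: <component>` pod labels, UCP listening on TCP 9443, the `global.networkPolicy.*` and `global.prometheus.enabled` values, and the `k8s-app: kube-dns` selector for cluster DNS.

```yaml
# Added example, not the Radius chart. Assumed values (put in values.yaml):
#   global.networkPolicy.enabled: true
#   global.networkPolicy.apiServerCIDR: "10.0.0.2/32"   # from: kubectl get endpoints kubernetes -n default
#   global.networkPolicy.ucpClients: [applications-rp, dynamic-rp, bicep-de, controller]
#   global.networkPolicy.resourceProviders: [applications-rp, dynamic-rp]
#   global.networkPolicy.prometheusNamespace: monitoring
#   global.prometheus.enabled: true
{{- if .Values.global.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ucp-ingress
  namespace: {{ .Release.Namespace }}
spec:
  podSelector:
    matchLabels:
      control-plane: ucp            # assumed UCP pod label
  policyTypes: ["Ingress"]          # default-deny for any ingress not listed below
  ingress:
    # kube-apiserver, for APIService aggregation (THR08). The API server is
    # normally not a pod on the pod network, so it can only be matched by CIDR.
    - from:
        - ipBlock:
            cidr: {{ .Values.global.networkPolicy.apiServerCIDR | quote }}
      ports:
        - protocol: TCP
          port: 9443                # assumed UCP listen port
    # Radius components that call UCP directly (THR03).
    - from:
        {{- range .Values.global.networkPolicy.ucpClients }}
        - podSelector:
            matchLabels:
              control-plane: {{ . }}
        {{- end }}
      ports:
        - protocol: TCP
          port: 9443
    {{- if .Values.global.prometheus.enabled }}
    # Scraper only, and only on the metrics port (THR10).
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: {{ .Values.global.networkPolicy.prometheusNamespace }}
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - protocol: TCP
          port: 9090
    {{- end }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ucp-egress
  namespace: {{ .Release.Namespace }}
spec:
  podSelector:
    matchLabels:
      control-plane: ucp
  policyTypes: ["Egress"]
  egress:
    # Cluster DNS. An egress policy without this rule breaks every other rule,
    # because service names can no longer be resolved.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Known resource providers in the release namespace.
    - to:
        {{- range .Values.global.networkPolicy.resourceProviders }}
        - podSelector:
            matchLabels:
              control-plane: {{ . }}
        {{- end }}
    # Kubernetes API server.
    - to:
        - ipBlock:
            cidr: {{ .Values.global.networkPolicy.apiServerCIDR | quote }}
    # External cloud APIs (Azure, AWS). Their address ranges are large and
    # change, so allow HTTPS to anything outside private/cluster address space.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
      ports:
        - protocol: TCP
          port: 443
{{- end }}
```

Two checks are worth doing before relying on this. First, NetworkPolicy objects are accepted by the API server even when the CNI does not enforce them, so after installing, exec into a pod that carries none of the allowed labels and attempt a connection to the UCP ClusterIP on 9443: it must time out, not succeed. Second, the `apiServerCIDR` rule depends on how aggregated API calls actually reach the pod; on some managed clusters the API server's traffic arrives from node or tunnel addresses rather than the endpoint listed in the `kubernetes` Service, so verify with a real `kubectl get --raw` against the UCP APIService after the policy is in place rather than assuming the CIDR is right.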
