VYPR
Critical severity · CVSS 9.8 (NVD) · Advisory · Published Mar 20, 2026 · Updated Apr 16, 2026

CVE-2026-32769

Description

Fullchain is an umbrella project for deploying a ready-to-use CTF platform. In versions prior to 0.1.1, a mis-written NetworkPolicy let a malicious actor pivot from a compromised application to any Pod outside the origin namespace. The policy was meant to deny egress to adjacent namespaces, but Kubernetes NetworkPolicy rules are additive allow rules: an egress rule whose peer selects every namespace other than the Pod's own grants egress to all of them instead of blocking it. This flawed inter-namespace NetworkPolicy breaks the security-by-default property the deployment program is expected to provide, enabling lateral movement across namespaces. The issue has been fixed in version 0.1.1. As a workaround, delete the faulty NetworkPolicy, whose name is prefixed with inter-ns-, in the target namespace.
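To make the mechanics concrete, here is an added example in Go, not code from fullchain or from the advisory: a small model of how Kubernetes evaluates NetworkPolicy egress, run against a policy of the same shape as the removed inter-ns one. The namespace names (chall-a1b2c3d4, platform), the default-deny policy it is layered on, and all type and function names are assumptions made for the example; peer-level podSelector and ipBlock rules are left out of the model.

```go
package main

import "fmt"

// Added example, not fullchain's own code: a minimal model of Kubernetes
// NetworkPolicy egress evaluation. Rules are additive allow rules, so a peer
// selecting "every namespace except mine" permits cross-namespace egress
// instead of denying it. All namespace names and pods here are constructed.

type Labels map[string]string

type Requirement struct { // mirrors metav1.LabelSelectorRequirement (In / NotIn only)
	Key, Operator string
	Values        []string
}

// Selector models matchExpressions; an empty selector matches everything (podSelector: {}).
type Selector struct{ MatchExpressions []Requirement }

func (s Selector) Matches(l Labels) bool {
	for _, r := range s.MatchExpressions {
		val, present := l[r.Key]
		inSet := present && contains(r.Values, val)
		if (r.Operator == "In" && !inSet) || (r.Operator == "NotIn" && inSet) {
			return false
		}
	}
	return true
}

// Peer is one "to" entry; nil NamespaceSelector means the policy's own namespace.
type Peer struct{ NamespaceSelector *Selector }

type Policy struct {
	Name, Namespace string
	PodSelector     Selector
	PolicyTypes     []string
	Egress          [][]Peer // one slice of "to" peers per egress rule
}

type Pod struct {
	Namespace string
	Labels    Labels
}

// EgressAllowed reports whether src may connect to dst. nsLabels holds each namespace's
// labels, including kubernetes.io/metadata.name, which the flawed policy matched on.
func EgressAllowed(policies []Policy, src, dst Pod, nsLabels map[string]Labels) bool {
	isolated := false
	for _, p := range policies {
		if p.Namespace != src.Namespace || !p.PodSelector.Matches(src.Labels) ||
			!contains(p.PolicyTypes, "Egress") {
			continue
		}
		isolated = true // at least one Egress policy selects src
		for _, peers := range p.Egress {
			if len(peers) == 0 {
				return true // a rule with no "to" allows every destination
			}
			for _, peer := range peers {
				if (peer.NamespaceSelector == nil && dst.Namespace == p.Namespace) ||
					(peer.NamespaceSelector != nil && peer.NamespaceSelector.Matches(nsLabels[dst.Namespace])) {
					return true
				}
			}
		}
	}
	return !isolated // pods no Egress policy selects keep the default: allow
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

// DenyAllEgress: selects every pod, declares Egress, lists no rules (default deny).
func DenyAllEgress(ns string) Policy {
	return Policy{Name: "default-deny", Namespace: ns, PolicyTypes: []string{"Egress"}}
}

// FlawedInterNS: the shape of the policy removed in 0.1.1, one rule whose peer is NotIn [own ns].
func FlawedInterNS(ns string) Policy {
	return Policy{Name: "inter-ns", Namespace: ns, PolicyTypes: []string{"Egress"},
		Egress: [][]Peer{{{NamespaceSelector: &Selector{MatchExpressions: []Requirement{
			{Key: "kubernetes.io/metadata.name", Operator: "NotIn", Values: []string{ns}},
		}}}}}}
}

func main() {
	ns := map[string]Labels{"chall-a1b2c3d4": {"kubernetes.io/metadata.name": "chall-a1b2c3d4"}, "platform": {"kubernetes.io/metadata.name": "platform"}}
	src, dst := Pod{Namespace: "chall-a1b2c3d4"}, Pod{Namespace: "platform"}
	before := []Policy{DenyAllEgress(src.Namespace), FlawedInterNS(src.Namespace)}
	fmt.Println("before 0.1.1:", EgressAllowed(before, src, dst, ns))     // true: pivot possible
	fmt.Println("after fix:   ", EgressAllowed(before[:1], src, dst, ns)) // false: isolated
}
```

Run with `go run`: with the inter-ns policy present, a pod in chall-a1b2c3d4 is allowed to reach platform, and with only the default-deny policy left it is not. The point the model makes visible is that NetworkPolicy has no deny rule at all, so "nothing but my own namespace" can only be expressed as a default-deny policy plus allow rules that never select other namespaces; a NotIn peer is itself an allow.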

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/ctfer-io/fullchain (Go)
Affected versions: < 0.1.1
Patched versions: 0.1.1

Affected products

  • cpe:2.3:a:ctfer:fullchain:*:*:*:*:*:go:*:*
    Range: <0.1.1

Patches

dbcb90178bcb

Fix/invalid netpol (#25)

https://github.com/ctfer-io/fullchain · Lucas Tesson · Mar 14, 2026 · via ghsa
3 files changed · +7 −45
  • go.mod · modified · +3 −3
    @@ -1,11 +1,11 @@
     module github.com/ctfer-io/fullchain
     
    -go 1.25.6
    +go 1.25.8
     
     require (
    -	github.com/ctfer-io/chall-manager/deploy v0.6.4
    +	github.com/ctfer-io/chall-manager/deploy v0.6.5
     	github.com/ctfer-io/ctfer v0.7.0
    -	github.com/ctfer-io/monitoring v0.2.0
    +	github.com/ctfer-io/monitoring v0.2.1
     	github.com/pkg/errors v0.9.1
     	github.com/pulumi/pulumi-kubernetes/sdk/v4 v4.28.0
     	github.com/pulumi/pulumi-random/sdk/v4 v4.19.1
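Review bot: the commit message "Fix/invalid netpol (#25)" does not account for the three dependency changes in this hunk (go 1.25.6 to 1.25.8, chall-manager/deploy v0.6.4 to v0.6.5, monitoring v0.2.0 to v0.2.1). If those releases are required by the fix, for instance because they drop the same policy in the namespaces they create, say so in the message; otherwise keep the bumps in a separate commit so the patch the advisory points at is the minimal change and can be backported on its own.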
    
  • go.sum · modified · +4 −4
    @@ -141,12 +141,12 @@ github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGX
     github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 h1:6xNmx7iTtyBRev0+D/Tv1FZd4SCg8axKApyNyRsAt/w=
     github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI=
     github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
    -github.com/ctfer-io/chall-manager/deploy v0.6.4 h1:kZAXBGuXwm+CDSDosfY+eOrrYL49HAEB5V+YEUbiorg=
    -github.com/ctfer-io/chall-manager/deploy v0.6.4/go.mod h1:XUg95QdgoxKhQiK6jg6CMwYXF8qQeeJ6ZPg4gTGDAtU=
    +github.com/ctfer-io/chall-manager/deploy v0.6.5 h1:HDaxmaQuI7Tkx4KPCM1cV/W+bZ3FW8yNeRL+Eqq0Pug=
    +github.com/ctfer-io/chall-manager/deploy v0.6.5/go.mod h1:GS8wYeILiyyjmk5FJYLrvi0HnUb68Vco9WNSMXZMF3c=
     github.com/ctfer-io/ctfer v0.7.0 h1:EXNJJPz/Xnx/SoiBvbFxo5MVjOWlalQZ2rmz7Rhl5fY=
     github.com/ctfer-io/ctfer v0.7.0/go.mod h1:SPlg450ooTBT4hP0m8lMUT7vzVMA/QXWIfNULc+0um4=
    -github.com/ctfer-io/monitoring v0.2.0 h1:G/GrSovjEBe54uB2enYRPaRB+ejo+LZfq2Tqgyrhgx4=
    -github.com/ctfer-io/monitoring v0.2.0/go.mod h1:G+CFEzUokKFTpOAihRWKbkcjeakKvAhmCRSfQXeBV9Q=
    +github.com/ctfer-io/monitoring v0.2.1 h1:Z7YamVUi9FLWKGRZdferOFvFOUgHZfxs/BH32GaWuQk=
    +github.com/ctfer-io/monitoring v0.2.1/go.mod h1:FG53cYngi0TorBG01MrcLJ2nXtwXTSJPfaPcT7Wxe7Q=
     github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE=
     github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
     github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
    
  • services/parts/namespace.go · modified · +0 −38
    @@ -21,7 +21,6 @@ type (
     		ns          *corev1.Namespace
     		npol        *netwv1.NetworkPolicy
     		dnspol      *netwv1.NetworkPolicy
    -		internspol  *netwv1.NetworkPolicy
     		internetpol *netwv1.NetworkPolicy
     
     		// Name of the namespace. Is going to be appended a 8-char random string
    @@ -170,43 +169,6 @@ func (ns *Namespace) provision(
     		return
     	}
     
    -	// Whatever happens (IP ranges, DNS entries) deny all traffic to adjacent
    -	// namespaces -> isolation by default/in depth.
    -	ns.internspol, err = netwv1.NewNetworkPolicy(ctx, "inter-ns", &netwv1.NetworkPolicyArgs{
    -		Metadata: metav1.ObjectMetaArgs{
    -			Namespace: ns.ns.Metadata.Name(),
    -			Labels:    args.AdditionalLabels,
    -		},
    -		Spec: netwv1.NetworkPolicySpecArgs{
    -			PodSelector: metav1.LabelSelectorArgs{},
    -			PolicyTypes: pulumi.ToStringArray([]string{
    -				"Egress",
    -			}),
    -			Egress: netwv1.NetworkPolicyEgressRuleArray{
    -				netwv1.NetworkPolicyEgressRuleArgs{
    -					To: netwv1.NetworkPolicyPeerArray{
    -						netwv1.NetworkPolicyPeerArgs{
    -							NamespaceSelector: metav1.LabelSelectorArgs{
    -								MatchExpressions: metav1.LabelSelectorRequirementArray{
    -									metav1.LabelSelectorRequirementArgs{
    -										Key:      pulumi.String("kubernetes.io/metadata.name"),
    -										Operator: pulumi.String("NotIn"),
    -										Values: pulumi.StringArray{
    -											ns.ns.Metadata.Name().Elem(),
    -										},
    -									},
    -								},
    -							},
    -						},
    -					},
    -				},
    -			},
    -		},
    -	}, opts...)
    -	if err != nil {
    -		return
    -	}
    -
     	// For dependencies resolution and the use of external services, grant
     	// access to internet, i.e. all IP ranges except private ones
     	// (https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses).
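Review bot: the removed block's own comment ("deny all traffic to adjacent namespaces") states the opposite of what the policy did, and that is the root of the advisory. NetworkPolicy egress rules are allow rules and are additive, so a policy with PodSelector {} and a single egress peer of `NamespaceSelector: kubernetes.io/metadata.name NotIn [own namespace]` granted every pod in the namespace egress to every other namespace. Deleting it is the right fix, but cross-namespace isolation now rests entirely on the remaining policies (the default-deny shape, DNS, and the internet policy that, per the comment at the end of this hunk, allows all IP ranges except private ones). Add a comment at this point saying so, and ideally a test that asserts a pod cannot reach a pod in an adjacent namespace, so nobody reintroduces a "deny" rule of this shape. Also confirm that the internet policy's private-range exclusion covers the cluster's pod and service CIDRs; if those are allocated outside the private ranges the comment refers to, that exclusion no longer blocks cross-namespace traffic either.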
    
