bakery-ia/infrastructure/platform/security/network-policies/global-default-networkpolicy.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: bakery-ia
  labels:
    app: global
    component: network-policy
    tier: security
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress: []
  egress: []
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-kube-dns
  namespace: bakery-ia
  labels:
    app: global
    component: network-policy
    tier: security
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    # Allow DNS resolution to kube-system namespace
    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-controller
  namespace: bakery-ia
  labels:
    app: global
    component: network-policy
    tier: security
spec:
  podSelector:
    matchLabels:
      # This label should match your ingress controller's namespace
      # Adjust as needed for your specific ingress controller
      app: nginx-ingress-microk8s
  policyTypes:
    - Ingress
  ingress:
    # Allow all traffic to ingress controller
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-internal-communication
  namespace: bakery-ia
  labels:
    app: global
    component: network-policy
    tier: security
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow communication between pods in the same namespace
    - from:
        - podSelector: {}
  egress:
    # Allow communication to pods in the same namespace
    - to:
        - podSelector: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-external
  namespace: bakery-ia
  labels:
    app: global
    component: network-policy
    tier: security
spec:
  podSelector:
    matchLabels:
      app: external-egress-allowed
  policyTypes:
    - Egress
  egress:
    # Allow external communication for services that need it
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
Add new infra architecture 2026-01-19 11:55:17 +01:00			`apiVersion: networking.k8s.io/v1`
			`kind: NetworkPolicy`
			`metadata:`
			`name: default-deny-all`
			`namespace: bakery-ia`
			`labels:`
			`app: global`
			`component: network-policy`
			`tier: security`
			`spec:`
			`podSelector: {}`
			`policyTypes:`
			`- Ingress`
			`- Egress`
			`ingress: []`
			`egress: []`
			`---`
			`apiVersion: networking.k8s.io/v1`
			`kind: NetworkPolicy`
			`metadata:`
			`name: allow-kube-dns`
			`namespace: bakery-ia`
			`labels:`
			`app: global`
			`component: network-policy`
			`tier: security`
			`spec:`
			`podSelector: {}`
			`policyTypes:`
			`- Egress`
			`egress:`
			`# Allow DNS resolution to kube-system namespace`
			`- to:`
			`- namespaceSelector:`
			`matchLabels:`
			`name: kube-system`
			`ports:`
			`- port: 53`
			`protocol: UDP`
			`- port: 53`
			`protocol: TCP`
			`---`
			`apiVersion: networking.k8s.io/v1`
			`kind: NetworkPolicy`
			`metadata:`
			`name: allow-ingress-controller`
			`namespace: bakery-ia`
			`labels:`
			`app: global`
			`component: network-policy`
			`tier: security`
			`spec:`
			`podSelector:`
			`matchLabels:`
			`# This label should match your ingress controller's namespace`
			`# Adjust as needed for your specific ingress controller`
			`app: nginx-ingress-microk8s`
			`policyTypes:`
			`- Ingress`
			`ingress:`
			`# Allow all traffic to ingress controller`
			`- from:`
			`- ipBlock:`
			`cidr: 0.0.0.0/0`
			`---`
			`apiVersion: networking.k8s.io/v1`
			`kind: NetworkPolicy`
			`metadata:`
			`name: allow-internal-communication`
			`namespace: bakery-ia`
			`labels:`
			`app: global`
			`component: network-policy`
			`tier: security`
			`spec:`
			`podSelector: {}`
			`policyTypes:`
			`- Ingress`
			`- Egress`
			`ingress:`
			`# Allow communication between pods in the same namespace`
			`- from:`
			`- podSelector: {}`
			`egress:`
			`# Allow communication to pods in the same namespace`
			`- to:`
			`- podSelector: {}`
			`---`
			`apiVersion: networking.k8s.io/v1`
			`kind: NetworkPolicy`
			`metadata:`
			`name: allow-egress-external`
			`namespace: bakery-ia`
			`labels:`
			`app: global`
			`component: network-policy`
			`tier: security`
			`spec:`
			`podSelector:`
			`matchLabels:`
			`app: external-egress-allowed`
			`policyTypes:`
			`- Egress`
			`egress:`
			`# Allow external communication for services that need it`
			`- to:`
			`- ipBlock:`
			`cidr: 0.0.0.0/0`