# NetworkPolicies for the bakery-ia namespace.
#
# Reading guide: Kubernetes NetworkPolicies are additive — a connection is
# permitted if ANY policy that selects the pod allows it. The default-deny
# policy below therefore only blocks what no other policy in this file opens,
# and a narrower policy cannot take back access a broader one has granted.
#
# Every namespaceSelector in this file matches on a `name` label
# (name=kube-system, name=bakery-ia). That label is not applied to
# namespaces automatically; if it is missing, the selectors match nothing and
# DNS plus all in-namespace traffic is denied by project-default-deny.
# NOTE(review): confirm the label is set on both namespaces, or consider the
# automatically maintained `kubernetes.io/metadata.name` label instead.

# Baseline: deny all ingress and egress for every pod in the namespace
# (empty podSelector selects all pods; empty rule lists allow nothing).
# Every later policy is an allow-list exception layered on top of this.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: project-default-deny
  namespace: bakery-ia
  labels:
    app: project-global
    component: network-policy
    tier: security
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress: []
  egress: []
---
# Egress exception: DNS to kube-system on 53/UDP and 53/TCP for every pod.
# Without this, default-deny would break name resolution cluster-wide in
# this namespace. Only port 53 is opened; any other egress to kube-system
# stays blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: project-allow-dns
  namespace: bakery-ia
  labels:
    app: project-global
    component: network-policy
    tier: security
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    # Allow DNS resolution to kube-system namespace
    # (depends on kube-system carrying the label name=kube-system; see header)
    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
---
# Ingress controller: pods labelled app.kubernetes.io/name=ingress-nginx
# accept inbound traffic from any source IP. 0.0.0.0/0 is not limited to
# external clients — with most CNI implementations it also matches in-cluster
# pod and node IPs. No ports list, so every port on the controller pods is
# reachable. policyTypes is Ingress only; the controller's egress is governed
# by the other policies in this file (DNS, plus in-namespace traffic through
# project-allow-internal-comm), so it can reach backends in bakery-ia but
# nothing outside it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: project-allow-ingress-access
  namespace: bakery-ia
  labels:
    app: project-global
    component: network-policy
    tier: security
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
  policyTypes:
    - Ingress
  ingress:
    # Allow all traffic to ingress controller
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
---
# Intra-namespace traffic: every pod in bakery-ia may talk to every other
# pod in bakery-ia on ANY port (no ports list on either rule, podSelector {}
# selects all pods as both source and destination).
# NOTE(review): because policies are additive, this rule already grants the
# access that the postgres and redis policies further down describe, so
# their port restrictions (5432, 6379) add no enforcement. If the intent is
# to restrict database/cache access to specific callers or ports, this rule
# must be narrowed (podSelector and/or ports); the per-service policies alone
# cannot achieve that.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: project-allow-internal-comm
  namespace: bakery-ia
  labels:
    app: project-global
    component: network-policy
    tier: security
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow communication between project services
    - from:
        - namespaceSelector:
            matchLabels:
              name: bakery-ia
  egress:
    # Allow communication to project services
    - to:
        - namespaceSelector:
            matchLabels:
              name: bakery-ia
---
# Observability backend (pods labelled app=signoz): ingress from anything in
# bakery-ia on all ports. This is already implied by
# project-allow-internal-comm and is kept as an explicit statement of
# intent. Collectors or scrapers running in OTHER namespaces are not
# admitted by any policy in this file.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: project-allow-monitoring
  namespace: bakery-ia
  labels:
    app: project-global
    component: network-policy
    tier: security
spec:
  podSelector:
    matchLabels:
      app: signoz
  policyTypes:
    - Ingress
  ingress:
    # Allow monitoring access from project services
    - from:
        - namespaceSelector:
            matchLabels:
              name: bakery-ia
---
# Database (pods labelled app=postgres): ingress from bakery-ia on 5432;
# protocol is omitted and therefore defaults to TCP.
# See the note on project-allow-internal-comm: that policy already admits
# every port from this namespace, so 5432 documents the expected port but
# does not currently restrict anything.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: project-allow-database-access
  namespace: bakery-ia
  labels:
    app: project-global
    component: network-policy
    tier: security
spec:
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
    - Ingress
  ingress:
    # Allow database access from application services
    - from:
        - namespaceSelector:
            matchLabels:
              name: bakery-ia
      ports:
        - port: 5432
---
# Cache (pods labelled app=redis): ingress from bakery-ia on 6379 (TCP by
# default). Same caveat as the database policy: not an effective restriction
# while project-allow-internal-comm selects all pods on all ports.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: project-allow-cache-access
  namespace: bakery-ia
  labels:
    app: project-global
    component: network-policy
    tier: security
spec:
  podSelector:
    matchLabels:
      app: redis
  policyTypes:
    - Ingress
  ingress:
    # Allow cache access from application services
    - from:
        - namespaceSelector:
            matchLabels:
              name: bakery-ia
      ports:
        - port: 6379