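# Network policies for the "bakery-ia" namespace.
#
# Layering: "default-deny-all" closes every pod for both directions; each
# following policy re-opens one specific flow. NetworkPolicies are additive,
# so a flow is permitted as soon as any one policy allows it.
#
# All policies are namespaced to "bakery-ia" and therefore can only select
# pods that live there; traffic with peers in other namespaces has to be
# expressed on this namespace's side of the connection (see the DNS and
# ingress-controller policies below).
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: bakery-ia
  labels:
    app: global
    component: network-policy
    tier: security
spec:
  # Empty selector: every pod in the namespace.
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  # Empty rule lists (not omitted keys): deny all in both directions.
  ingress: []
  egress: []
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-kube-dns
  namespace: bakery-ia
  labels:
    app: global
    component: network-policy
    tier: security
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    # DNS only: the CoreDNS/kube-dns pods in kube-system, port 53 on both
    # transports. "kubernetes.io/metadata.name" is set automatically on every
    # namespace (Kubernetes >= 1.21); a bare "name" label is not, so selecting
    # on it would silently match no namespace and break all resolution.
    # namespaceSelector and podSelector in the same entry are AND-ed.
    # "k8s-app: kube-dns" is the label used by the standard CoreDNS/kube-dns
    # deployments (including the microk8s dns addon); adjust if the cluster's
    # DNS pods are labelled differently.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-controller
  namespace: bakery-ia
  labels:
    app: global
    component: network-policy
    tier: security
spec:
  # The ingress controller runs outside this namespace, so it cannot be the
  # policy's subject here. This rule is applied to the workload pods and
  # admits traffic *from* the controller; without it, default-deny-all would
  # drop every request the controller forwards.
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    # Source namespace of the ingress controller. The microk8s ingress addon
    # deploys it in the "ingress" namespace; adjust the label value for a
    # different controller. A podSelector for the controller pods may be
    # added alongside the namespaceSelector to narrow this further.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-internal-communication
  namespace: bakery-ia
  labels:
    app: global
    component: network-policy
    tier: security
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Any pod in this namespace may reach any other pod in this namespace
    # (an empty podSelector in a peer means "all pods in the policy's
    # namespace"; no namespaceSelector, so other namespaces stay closed).
    - from:
        - podSelector: {}
  egress:
    # Mirror of the ingress rule for the outbound direction.
    - to:
        - podSelector: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-external
  namespace: bakery-ia
  labels:
    app: global
    component: network-policy
    tier: security
spec:
  # Opt-in: only pods carrying this label get unrestricted outbound access.
  podSelector:
    matchLabels:
      app: external-egress-allowed
  policyTypes:
    - Egress
  egress:
    # Any destination IP except the link-local range, which hosts cloud
    # instance-metadata endpoints and is never a legitimate workload target.
    # Note that 0.0.0.0/0 also covers in-cluster addresses (pods in other
    # namespaces, node IPs); narrow the cidr or extend "except" with the
    # cluster's pod/service ranges if that is not intended.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.0.0/16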