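---
# NetworkPolicy for pods labelled app=test_project. Both Ingress and Egress
# are listed in policyTypes, so for the selected pods any traffic that no rule
# below matches is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  # NOTE(review): Kubernetes object and namespace names must be lowercase
  # RFC 1123 names, which do not allow "_". The API server is expected to
  # reject "test_project-network-policy" / "test_project" as written; they are
  # left unchanged here because other manifests presumably use the same names.
  name: test_project-network-policy
  namespace: test_project
  labels:
    app: test_project
spec:
  podSelector:
    matchLabels:
      app: test_project
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow ingress from same namespace.
    # The two "from" entries are separate peers and are ORed: any pod in a
    # namespace labelled name=test_project, or any app=test_project pod in
    # this policy's own namespace.
    # NOTE(review): the namespaceSelector matches only if the namespace carries
    # a "name" label; the label Kubernetes sets automatically is
    # kubernetes.io/metadata.name. Confirm the namespace is labelled.
    - from:
        - namespaceSelector:
            matchLabels:
              name: test_project
        - podSelector:
            matchLabels:
              app: test_project
      ports:
        - protocol: TCP
          port: 8000
    # Allow ingress from ingress controller.
    # NOTE(review): these are also two ORed peers, so every pod in a namespace
    # labelled name=ingress-nginx is admitted, plus app=ingress-nginx pods in
    # this policy's own namespace. To admit only the controller pods, put
    # namespaceSelector and podSelector in ONE list item (ANDed) after
    # confirming the labels the controller pods actually carry.
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress-nginx
        - podSelector:
            matchLabels:
              app: ingress-nginx
      ports:
        - protocol: TCP
          port: 8000
    # Allow ingress from monitoring namespace (Prometheus):
    # no rule is defined for this in the manifest.
  egress:
    # Allow DNS resolution.
    # DNS falls back to TCP for responses that do not fit in a UDP datagram,
    # so TCP/53 is allowed alongside UDP/53.
    # NOTE(review): "namespaceSelector: {}" selects pods in every namespace;
    # this could be narrowed to the cluster DNS pods once their namespace and
    # labels are confirmed.
    - to:
        - namespaceSelector: {}
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Allow egress to database.
    # A podSelector without a namespaceSelector matches only pods in this
    # policy's own namespace.
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
    # Allow egress to Redis: no rule is defined for this in the manifest.
    # Allow egress to Kafka: no rule is defined for this in the manifest.
    # Allow egress to external APIs (HTTPS).
    # NOTE(review): "namespaceSelector: {}" selects pods in all namespaces of
    # the cluster, not addresses outside it. As written this rule opens
    # TCP/443 to every in-cluster pod and does not cover external endpoints;
    # those would need an ipBlock peer. Confirm the intent before changing.
    - to:
        - namespaceSelector: {}
      ports:
        - protocol: TCP
          port: 443
    # Allow egress to monitoring (Prometheus):
    # no rule is defined for this in the manifest.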