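---
# Network Policy for rdev-api
# Restricts network access to only required endpoints.
#
# Both Ingress and Egress are listed in policyTypes, so for the selected pods
# any traffic not matched by a rule below is denied, unless another
# NetworkPolicy selecting the same pods allows it (policies are additive).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: rdev-api-policy
  namespace: rdev
  labels:
    app.kubernetes.io/name: rdev-api
    app.kubernetes.io/part-of: rdev
spec:
  # NOTE(review): selection uses the `app` label, while this object's own
  # labels use app.kubernetes.io/name. Confirm the rdev-api pod template
  # carries `app: rdev-api`; a selector that matches no pods leaves them
  # unrestricted without any error.
  podSelector:
    matchLabels:
      app: rdev-api
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow ingress from ingress controller.
    # kubernetes.io/metadata.name is set by the API server to the namespace
    # name and cannot be edited, so it is a safer match than a user-managed
    # namespace label.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
    # Allow ingress from within the rdev namespace (for service mesh, probes).
    # NOTE(review): this admits every pod in rdev on 8080, which includes the
    # pods labelled rdev.orchard9.ai/project targeted by the egress rule
    # below. If only specific workloads need the API, add a podSelector to
    # this peer. Kubelet probes originate from the node, not a pod; whether
    # they depend on this rule is CNI-specific -- verify.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: rdev
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Allow egress to PostgreSQL in databases namespace.
    # Any pod in that namespace is reachable on 5432, not one specific
    # database; add a podSelector to this peer if that is too broad.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: databases
      ports:
        - protocol: TCP
          port: 5432
    # Allow egress to claudebox pods within the rdev namespace.
    # A bare podSelector is scoped to this policy's own namespace.
    # NOTE(review): no `ports` list, so every port and protocol on those pods
    # is allowed. If the API only talks to known ports, list them here.
    - to:
        - podSelector:
            matchLabels:
              rdev.orchard9.ai/project: "true"
    # Allow DNS resolution.
    # namespaceSelector and podSelector sit in the same peer, so both must
    # match: pods labelled k8s-app=kube-dns, in any namespace ({} matches
    # all).
    # NOTE(review): consider pinning the namespace (for example
    # kubernetes.io/metadata.name: kube-system, if that is where cluster DNS
    # runs) so a pod carrying this label elsewhere is not a permitted
    # destination on port 53.
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53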