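# Cilium network policies for the escape-game stack. All documents are
# namespace-scoped and must be applied into the same namespace as the pods.
#
# Templating: ${TARGET_NS} is substituted before apply (envsubst-style). The
# value is quoted so an unset variable yields "" rather than a YAML null; the
# deploy step should still refuse to run when TARGET_NS is empty, otherwise the
# policies land in the kubectl context namespace instead of the app namespace.
#
# Cilium semantics to keep in mind when editing (they differ from Kubernetes
# NetworkPolicy):
#   - A pod selected by any policy that has ingress rules is in ingress
#     default-deny (same for egress). An empty rule `- {}` matches nothing, so
#     the first document is a pure default-deny. In a Kubernetes NetworkPolicy
#     `- {}` means the opposite: allow everything.
#   - A rule that has `toPorts` but no `fromEndpoints`/`toEndpoints`/
#     `toEntities` matches any L3 peer, including the `world` entity.
#   - Unqualified `matchLabels` in fromEndpoints/toEndpoints are scoped to the
#     policy's own namespace; cross-namespace peers need the
#     `k8s:io.kubernetes.pod.namespace` label.
#   - Kubelet probes arrive from the host entity, which the Cilium agent admits
#     under its default settings; NOTE(review): verify this if probes start
#     failing after the ingress restrictions below.

---
# Default deny: every pod in the namespace drops all ingress and egress unless
# another policy in this file explicitly allows it.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: default-deny-all
  namespace: "${TARGET_NS}"
spec:
  endpointSelector: {}
  ingress:
    - {}
  egress:
    - {}

---
# escape-game application pods
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: escape-game-netpol
  # Previously omitted: without a namespace this policy (and redis/nats below)
  # only applied if `kubectl apply -n` happened to match, leaving the app pods
  # under default-deny with no allow rules.
  namespace: "${TARGET_NS}"
spec:
  endpointSelector:
    matchLabels:
      app: escape-game
  ingress:
    # HTTP from the Traefik ingress controller only, the same peer the ACME
    # solver policy trusts. The previous rule had no L3 selector and therefore
    # accepted TCP/8080 from any pod in the cluster and from outside it. If
    # another in-cluster client (e.g. a metrics scraper) needs this port, add
    # it here explicitly rather than removing the selector.
    - fromEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": traefik
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
  egress:
    # Cluster DNS. TCP/53 is included because resolvers retry over TCP when a
    # UDP answer is truncated.
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP
    # Redis
    - toEndpoints:
        - matchLabels:
            app: redis
      toPorts:
        - ports:
            - port: "6379"
              protocol: TCP
    # NATS client port
    - toEndpoints:
        - matchLabels:
            app: nats
      toPorts:
        - ports:
            - port: "4222"
              protocol: TCP

---
# Redis
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: redis-netpol
  namespace: "${TARGET_NS}"
spec:
  endpointSelector:
    matchLabels:
      app: redis
  ingress:
    # Only the escape-game app may talk to Redis.
    - fromEndpoints:
        - matchLabels:
            app: escape-game
      toPorts:
        - ports:
            - port: "6379"
              protocol: TCP
  egress:
    # Cluster DNS (UDP + TCP fallback). Redis does not obviously need outbound
    # DNS; kept to preserve existing behaviour, drop if it proves unused.
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP

---
# NATS
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: nats-netpol
  namespace: "${TARGET_NS}"
spec:
  endpointSelector:
    matchLabels:
      app: nats
  ingress:
    # Client connections from the escape-game app.
    - fromEndpoints:
        - matchLabels:
            app: escape-game
      toPorts:
        - ports:
            - port: "4222"
              protocol: TCP
    # Cluster routes between NATS pods.
    - fromEndpoints:
        - matchLabels:
            app: nats
      toPorts:
        - ports:
            - port: "6222"
              protocol: TCP
  egress:
    # Cluster DNS (UDP + TCP fallback); NATS resolves peer hostnames for
    # cluster routes.
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP
    # Cluster routes to other NATS pods.
    - toEndpoints:
        - matchLabels:
            app: nats
      toPorts:
        - ports:
            - port: "6222"
              protocol: TCP

---
# cert-manager HTTP-01 challenge solver pods
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: acme-solver-netpol
  namespace: "${TARGET_NS}"
spec:
  endpointSelector:
    matchLabels:
      # Must stay quoted: an unquoted `true` is a YAML boolean, not a label value.
      acme.cert-manager.io/http01-solver: "true"
  ingress:
    # Challenge requests are forwarded by Traefik to the solver on 8089.
    - fromEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": traefik
      toPorts:
        - ports:
            - port: "8089"
              protocol: TCP
  egress:
    # Outbound HTTP(S) only. The previous rule allowed `world` on every port.
    # NOTE(review): the solver pod only serves the challenge token; the ACME
    # self-check is usually performed by the cert-manager controller pod, so
    # this rule may be unnecessary altogether - confirm and delete if so.
    - toEntities:
        - world
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
            - port: "443"
              protocol: TCP
    # Cluster DNS (UDP + TCP fallback).
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP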