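---
# Default deny for every endpoint in the `default` namespace: a pod keeps only
# the ingress/egress that a later policy explicitly allows.
# Cilium semantics: a rule with no peer selector (`- {}`) puts the selected
# endpoints into default-deny for that direction; this is the shape Cilium's
# own deny-all example uses. Do not port this verbatim to a core Kubernetes
# NetworkPolicy, where `ingress: [{}]` means "allow all" instead.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: default-deny-all
  namespace: default
spec:
  endpointSelector: {}
  ingress:
    - {}
  egress:
    - {}
---
# Escape Game application
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: escape-game-netpol
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: escape-game
  ingress:
    # HTTP on the application port.
    # NOTE(review): the empty `fromEndpoints` selector matches Cilium-managed
    # endpoints (pods) selected by this namespaced policy, not traffic that
    # enters from outside the cluster. "User access" through a LoadBalancer,
    # NodePort or an ingress controller in another namespace would need a
    # `fromEntities` rule (e.g. `world`) or an explicit namespace label --
    # confirm against the ingress path actually in use.
    - fromEndpoints:
        - {}
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
  egress:
    # DNS to kube-dns/CoreDNS. TCP/53 is allowed alongside UDP/53: resolvers
    # retry over TCP when a UDP answer is truncated, and a UDP-only rule turns
    # that retry into a silent lookup failure.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP
    # Redis (application state).
    - toEndpoints:
        - matchLabels:
            app: redis
      toPorts:
        - ports:
            - port: "6379"
              protocol: TCP
    # NATS client connections.
    - toEndpoints:
        - matchLabels:
            app: nats
      toPorts:
        - ports:
            - port: "4222"
              protocol: TCP
---
# Redis
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: redis-netpol
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: redis
  ingress:
    # Only the escape-game app may reach Redis; the port restriction keeps
    # any other listener on the pod unreachable even from that app.
    - fromEndpoints:
        - matchLabels:
            app: escape-game
      toPorts:
        - ports:
            - port: "6379"
              protocol: TCP
  egress:
    # DNS (UDP and TCP, see the note on the escape-game policy).
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP
---
# NATS
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: nats-netpol
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: nats
  ingress:
    # Client connections from the escape-game app only.
    - fromEndpoints:
        - matchLabels:
            app: escape-game
      toPorts:
        - ports:
            - port: "4222"
              protocol: TCP
    # Cluster routing between NATS pods (peer-to-peer on the route port).
    - fromEndpoints:
        - matchLabels:
            app: nats
      toPorts:
        - ports:
            - port: "6222"
              protocol: TCP
  egress:
    # DNS (UDP and TCP, see the note on the escape-game policy).
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP
    # Outbound side of the NATS cluster routing above; must mirror the
    # ingress rule on 6222 or route formation is one-directional.
    - toEndpoints:
        - matchLabels:
            app: nats
      toPorts:
        - ports:
            - port: "6222"
              protocol: TCP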