apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: apod-web
  namespace: apod
spec:
  podSelector:
    matchLabels:
      app: apod-web
  ingress:
  - {}
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: apod
      podSelector:
        matchLabels:
          app: apod-api
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: apod
      podSelector:
        matchLabels:
          app: apod-log
    ports:
    - port: api   
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: apod-api
  namespace: apod
spec:
  podSelector:
    matchLabels:
      app: apod-api
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: apod
      podSelector:
        matchLabels:
          app: apod-web
    ports:
    - port: api
  egress:   
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53 
  - to:
    - ipBlock:
        cidr: 3.30.35.101/24
    - ipBlock:
        cidr: 15.200.69.242/24
    ports:
    - protocol: TCP
      port: 443
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: apod-log
  namespace: apod
spec:
  podSelector:
    matchLabels:
      app: apod-log
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: apod
      podSelector:
        matchLabels:
          app: apod-web
    ports:
    - port: api
  egress: []  # deny all