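# Network policies for the veylant namespace (E10-02).
# Strategy: default-deny-all, then explicit whitelist per service.
# Apply: kubectl apply -f deploy/k8s/network-policies.yaml -n veylant
#
# NetworkPolicy is additive and is evaluated on BOTH ends of a connection:
# a proxy -> backend flow is permitted only if an Egress rule selecting the
# proxy AND an Ingress rule selecting the backend allow it. Since
# default-deny-all selects every pod for Ingress and Egress, each backend
# reached by the proxy needs its own ingress allow (the *-ingress-from-proxy
# policies below); without them the proxy's egress allows never carry traffic.
---
# Default deny all ingress and egress within the namespace.
# podSelector: {} selects every pod; listing both policyTypes with no
# ingress/egress rules denies both directions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: veylant
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Allow inbound HTTP traffic to the proxy from the ingress controller only.
# NOTE(review): a namespaceSelector alone admits every pod in the
# ingress-nginx namespace; add a podSelector on the controller's labels to
# narrow this to the controller pods once those labels are confirmed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-proxy-ingress
  namespace: veylant
spec:
  podSelector:
    matchLabels:
      app: veylant-proxy
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8090
---
# Allow the proxy to call the PII sidecar gRPC service.
# Counterpart: allow-pii-ingress-from-proxy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-proxy-to-pii
  namespace: veylant
spec:
  podSelector:
    matchLabels:
      app: veylant-proxy
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: pii-service
      ports:
        - protocol: TCP
          port: 50051
---
# Allow the proxy to connect to PostgreSQL.
# Counterpart: allow-postgres-ingress-from-proxy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-proxy-to-postgres
  namespace: veylant
spec:
  podSelector:
    matchLabels:
      app: veylant-proxy
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
---
# Allow the proxy to connect to ClickHouse for audit logging.
# Counterpart: allow-clickhouse-ingress-from-proxy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-proxy-to-clickhouse
  namespace: veylant
spec:
  podSelector:
    matchLabels:
      app: veylant-proxy
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: clickhouse
      ports:
        - protocol: TCP
          port: 9000
---
# Allow the proxy to connect to Redis (rate limiting + PII pseudonym cache).
# Counterpart: allow-redis-ingress-from-proxy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-proxy-to-redis
  namespace: veylant
spec:
  podSelector:
    matchLabels:
      app: veylant-proxy
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: redis
      ports:
        - protocol: TCP
          port: 6379
---
# Accept gRPC from the proxy on the PII service (ingress side of
# allow-proxy-to-pii). Only the proxy may reach it; nothing else in the
# namespace is admitted.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-pii-ingress-from-proxy
  namespace: veylant
spec:
  podSelector:
    matchLabels:
      app: pii-service
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: veylant-proxy
      ports:
        - protocol: TCP
          port: 50051
---
# Accept PostgreSQL connections from the proxy only (ingress side of
# allow-proxy-to-postgres).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-postgres-ingress-from-proxy
  namespace: veylant
spec:
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: veylant-proxy
      ports:
        - protocol: TCP
          port: 5432
---
# Accept ClickHouse native-protocol connections from the proxy only
# (ingress side of allow-proxy-to-clickhouse).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-clickhouse-ingress-from-proxy
  namespace: veylant
spec:
  podSelector:
    matchLabels:
      app: clickhouse
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: veylant-proxy
      ports:
        - protocol: TCP
          port: 9000
---
# Accept Redis connections from the proxy only (ingress side of
# allow-proxy-to-redis).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-redis-ingress-from-proxy
  namespace: veylant
spec:
  podSelector:
    matchLabels:
      app: redis
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: veylant-proxy
      ports:
        - protocol: TCP
          port: 6379
---
# Allow DNS resolution (CoreDNS) for all pods.
# Scoped to port 53 in kube-system; every pod is selected so the default
# deny does not break name resolution.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: veylant
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53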