---
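# NetworkPolicy for the camera-motion-detect pods. Both Ingress and Egress are
# listed in policyTypes, so for the selected pods any traffic not matched by a
# rule below is denied (unless another policy selecting the same pods allows it).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: camera-motion-detect
spec:
  # NOTE(review): unlike the other camtiler policies in this file, this selector
  # does not include app.kubernetes.io/name: camtiler, so any pod in the
  # namespace carrying this component label is selected. Confirm this is intended.
  podSelector:
    matchLabels:
      component: camera-motion-detect
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # camera-tiler pods in the same namespace (no namespaceSelector is given).
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: camtiler
              component: camera-tiler
      # Restricted to the one port that the camera-tiler policy in this file
      # permits on its egress side, so both ends state the same contract.
      # With no protocol given, the rule applies to TCP.
      ports:
        - port: 5000
    # Prometheus pods in the monitoring namespace. namespaceSelector and
    # podSelector sit in the same list item, so both must match.
    # No ports are listed, so every port on the selected pods is reachable.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
  # NOTE(review): no egress rule here permits DNS. If the workload resolves
  # Service names, that has to be allowed by another policy. Confirm.
  egress:
    - to:
        - ipBlock:
            # Permit access to cameras outside the cluster
            # No ports are listed, so every port in this range is allowed.
            cidr: 100.102.0.0/16
    # MongoDB pods in the same namespace, TCP 27017 only.
    - to:
        - podSelector:
            matchLabels:
              app: mongodb-svc
      ports:
        - port: 27017
    # Minio pods in the same namespace, TCP 9000 only.
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: minio
      ports:
        - port: 9000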
---
# NetworkPolicy for the camera-tiler pods. Both directions are restricted:
# traffic not matched by a rule below is denied for the selected pods
# (unless another policy selecting the same pods allows it).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: camera-tiler
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: camtiler
      component: camera-tiler
  policyTypes:
    - Ingress
    - Egress
  # The only permitted destination is camera-motion-detect pods in the same
  # namespace on port 5000 (TCP, since no protocol is given).
  # NOTE(review): no rule here permits DNS. If the workload resolves Service
  # names, that has to be allowed by another policy. Confirm.
  egress:
    - to:
        - podSelector:
            matchLabels:
              component: camera-motion-detect
      ports:
        - port: 5000
  # Neither ingress rule lists ports, so every port on the selected pods is
  # reachable from the peers below. In each rule namespaceSelector and
  # podSelector share one list item, so both must match.
  ingress:
    # Prometheus pods in the monitoring namespace.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
    # Traefik pods in the traefik namespace.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
---
# NetworkPolicy for the logmower-eventsource pods. Both directions are
# restricted: traffic not matched by a rule below is denied for the selected
# pods (unless another policy selecting the same pods allows it).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: logmower-eventsource
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: camtiler
      component: logmower-eventsource
  policyTypes:
    - Ingress
    - Egress
  # One rule with two peers: a destination matching either selector is allowed.
  # No ports are listed, so every port on those pods is reachable.
  # NOTE(review): the camera-motion-detect policy in this file limits its
  # MongoDB egress to port 27017; consider the same restriction here. Confirm.
  # NOTE(review): no rule here permits DNS. If the workload resolves Service
  # names, that has to be allowed by another policy. Confirm.
  egress:
    - to:
        # MongoDB pods in the same namespace.
        - podSelector:
            matchLabels:
              app: mongodb-svc
        # Event broker pods in the same namespace.
        - podSelector:
            matchLabels:
              component: logmower-event-broker
  # Only Traefik pods in the traefik namespace may connect. Both selectors are
  # in one list item, so both must match. No ports listed: all ports.
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
---
# NetworkPolicy for the logmower-event-broker pods. Both directions are
# restricted: traffic not matched by a rule below is denied for the selected
# pods (unless another policy selecting the same pods allows it).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: logmower-event-broker
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: camtiler
      component: logmower-event-broker
  policyTypes:
    - Ingress
    - Egress
  # The only permitted destination is Traefik pods in the traefik namespace,
  # on any port (none are listed).
  # NOTE(review): whether traffic addressed to Traefik's public endpoint is
  # matched by a pod selector depends on the CNI and on how that address is
  # routed. Resolving the endpoint's hostname also needs DNS, which no rule
  # here permits. Confirm both against the running cluster.
  egress:
    - to:
        # Minio access via Traefik's public endpoint
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
  # Only logmower-eventsource pods in the same namespace may connect, on any
  # port (none are listed).
  # NOTE(review): this peer is matched on the component label alone, without
  # app.kubernetes.io/name: camtiler. Confirm this is intended.
  ingress:
    - from:
        - podSelector:
            matchLabels:
              component: logmower-eventsource
---
# NetworkPolicy for the logmower-frontend pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: logmower-frontend
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: camtiler
      component: logmower-frontend
  # Egress is listed here but the spec has no egress rules, so this policy
  # allows no outbound traffic at all from the selected pods (DNS included).
  # NOTE(review): presumably deliberate for a frontend that only serves
  # requests. Confirm that it needs no outbound connections.
  policyTypes:
    - Ingress
    - Egress
  # Only Traefik pods in the traefik namespace may connect. Both selectors are
  # in one list item, so both must match. No ports listed: all ports.
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
---
# NetworkPolicy for the Minio pods. Both directions are restricted: traffic
# not matched by a rule below is denied for the selected pods (unless another
# policy selecting the same pods allows it).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: minio
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: minio
  policyTypes:
    - Ingress
    - Egress
  # Outbound traffic is limited to other Minio pods in the same namespace on
  # the port named "http". A named port is resolved against the destination
  # pod's container port definitions.
  # NOTE(review): no rule here permits DNS. If Minio peers are addressed by
  # hostname, that has to be allowed by another policy. Confirm.
  egress:
    - ports:
        - port: http
      to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: minio
  ingress:
    # The empty podSelector matches every pod in this policy's namespace, so
    # any workload deployed there can reach the port named "http".
    # NOTE(review): consider listing the client labels explicitly if only
    # specific components need object storage. Confirm the intended clients.
    - ports:
        - port: http
      from:
        - podSelector: {}
    # Traefik pods in the traefik namespace, any port (none are listed).
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
    # Prometheus pods in the monitoring namespace, any port (none are listed).
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus