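---
# Default-deny baseline for the wordpress namespace. The empty podSelector
# matches every pod and both directions are listed in policyTypes, so nothing
# is allowed until one of the allow policies below matches. Note that traffic
# between two pods in this namespace needs an Egress allow on the sender AND
# an Ingress allow on the receiver.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: wordpress
spec:
  podSelector: {}  # Empty selector matches all pods in the namespace
  policyTypes:
    - Ingress
    - Egress
---
# Ingress from Traefik on the HTTP/HTTPS ports.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-traefik-ingress
  namespace: wordpress
spec:
  # NOTE(review): this selects every pod in the namespace, including the
  # database pods. If only the WordPress pods should be reachable from
  # Traefik, narrow this to matchLabels with app: wordpress.
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        # A podSelector without a namespaceSelector only matches pods in THIS
        # namespace. If Traefik runs in another namespace, add a
        # namespaceSelector next to the podSelector, e.g.:
        #   namespaceSelector:
        #     matchLabels:
        #       kubernetes.io/metadata.name: traefik
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik  # Assumes Traefik pods carry this label — confirm
      ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
---
# Egress from the WordPress pods to PostgreSQL and to cluster DNS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-wordpress-to-cnpg
  namespace: wordpress
spec:
  podSelector:
    matchLabels:
      app: wordpress  # Label for WordPress pods
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              # Same selector the apiserver policy below uses for the
              # wordpress-db instance pods. app.kubernetes.io/name:
              # cloudnativepg is the operator's own label, not the label on
              # the database pods this rule is meant to reach.
              cnpg.io/cluster: wordpress-db
      ports:
        - protocol: TCP
          port: 5432  # Default PostgreSQL port
    # Allow DNS resolution (CoreDNS / kube-dns, whichever namespace it runs in)
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Matching Ingress allow on the database side. Without it the default-deny
# policy drops on the receiver the connections that allow-wordpress-to-cnpg
# permits on the sender.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-cnpg-ingress-from-wordpress
  namespace: wordpress
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: wordpress-db  # Same selector as allow-egress-to-apiserver
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: wordpress
      ports:
        - protocol: TCP
          port: 5432
---
# Ingress to the WordPress pods on port 80, restricted to Traefik.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-wordpress-ingress
  namespace: wordpress
spec:
  podSelector:
    matchLabels:
      app: wordpress  # Label for WordPress pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        # An empty or missing `from` (including `from: []`) matches ALL
        # sources, so the previous form let any pod in the cluster reach
        # WordPress on port 80 despite the default-deny policy. A Traefik
        # Ingress resource does not restrict pod-to-pod traffic, so the
        # source is pinned to the Traefik pods here instead. With that, this
        # policy is a subset of allow-traefik-ingress and can be dropped if
        # that one keeps its empty podSelector.
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - protocol: TCP
          port: 80
---
# Egress from the wordpress-db instance pods to the Kubernetes API server.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-apiserver
  namespace: wordpress
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: wordpress-db  # Targets all components of the wordpress-db cluster
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            # NOTE(review): cluster-specific value — confirm with
            # `kubectl get svc kubernetes -n default`. Some CNIs evaluate
            # policy after service NAT, in which case the API server's
            # endpoint address and port (`kubectl get endpoints kubernetes
            # -n default`) are what must be allowed here.
            cidr: 10.96.0.1/32  # Kubernetes API Server ClusterIP
      ports:
        - protocol: TCP
          port: 443
  # NOTE(review): under default-deny the database pods also get no DNS
  # egress, and no ingress other than Traefik (80/443) and WordPress (5432).
  # Replication between instances and the operator's probes of the instance
  # pods will likely need further rules — confirm against the CloudNativePG
  # documentation before relying on this set.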