# Egress allow-list for the Firefly III pods.
#
# Only Egress is listed under policyTypes, so this policy does not restrict
# ingress to the selected pods. Egress from them is limited to the peers
# listed below; the rules are additive. Enforcement requires a CNI plugin
# that implements NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: firefly-iii
  labels:
    app.kubernetes.io/name: firefly-iii
    app.kubernetes.io/component: firefly-iii
spec:
  # Selects pods in this policy's own namespace (metadata.namespace is not
  # set here, so it comes from wherever the manifest is applied).
  podSelector:
    matchLabels:
      app.kubernetes.io/component: firefly-iii
  policyTypes:
    - Egress
  egress:
    # Other components of the Firefly III ecosystem: every pod in the
    # firefly-iii namespace. No ports are listed, so all ports and
    # protocols are allowed. The kubernetes.io/metadata.name label is set
    # by the control plane to the namespace's own name.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: firefly-iii

    # Kubernetes cluster DNS. namespaceSelector and podSelector share one
    # peer entry, so both must match (kube-dns pods in kube-system only).
    # Splitting them into two list items would turn this into an OR and
    # widen the rule.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP

    # PostgreSQL database server, TCP 5432. The /26 spans 172.30.0.0 to
    # 172.30.0.63, which also contains the SMTP host in the next rule.
    # NOTE(review): if the database is a single host, a /32 would be
    # tighter; confirm.
    - to:
        - ipBlock:
            cidr: 172.30.0.0/26
      ports:
        - port: 5432
          protocol: TCP

    # SMTP on mail.pyrocufflink.blue. No protocol is given for port 25,
    # so the API default (TCP) applies.
    - to:
        - ipBlock:
            cidr: 172.30.0.12/32
      ports:
        - port: 25

    # dch-webhooks pods in the default namespace. No ports are listed, so
    # every port on those pods is reachable.
    # NOTE(review): consider limiting this to the service port.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: default
          podSelector:
            matchLabels:
              app.kubernetes.io/name: dch-webhooks

    # ntfy pods in the ntfy namespace. No ports are listed, so every port
    # on those pods is reachable.
    # NOTE(review): consider limiting this to the service port.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ntfy
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ntfy