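---
# NetworkPolicies for the mfa namespace (privacyIDEA)
#
# Allowed paths:
#   INGRESS: Traefik (kube-system)        → privacyIDEA :8080  (user-facing portal)
#   INGRESS: KeyCape (sso)                → privacyIDEA :8080  (Provider API calls)
#   EGRESS:  privacyIDEA                  → databases :5432    (PostgreSQL)
#   EGRESS:  all pods in this namespace   → kube-system :53    (DNS, UDP+TCP)
#
# Everything else is denied by `default-deny-all` below. NetworkPolicies are
# additive: each allow policy only widens what the pods it selects may do, and
# all selectors inside one `from`/`to` entry must match together
# (namespaceSelector AND podSelector), whereas separate entries are OR-ed.
#
# NOTE(review): the source this was rebuilt from had lost its indentation; the
# nesting below follows the list-item markers in that text (there is no `- `
# before `podSelector`, so it shares the entry with `namespaceSelector`).
# Confirm against the committed file before applying.

# ── Default deny all ingress and egress ──────────────────────────────────────
# Empty podSelector = every pod in the namespace. Listing both policyTypes
# means a pod with no matching allow policy can neither accept nor open
# connections (DNS included — hence `allow-egress-dns` at the bottom).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: mfa
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# ── Allow ingress from Traefik ───────────────────────────────────────────────
# pink.coulomb.social and pink-account.coulomb.social both terminate at Traefik.
# Only pods labelled app.kubernetes.io/name=traefik that also live in the
# kube-system namespace may reach privacyIDEA, and only on TCP 8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-traefik
  namespace: mfa
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: privacyidea
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - port: 8080
          protocol: TCP
---
# ── Allow ingress from KeyCape (Provider API calls) ──────────────────────────
# The namespace is matched by the net-kingdom/component=sso label rather than
# by name, so any namespace carrying that label qualifies; the podSelector
# then narrows it to the KeyCape pods. TCP 8080 only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-keycape
  namespace: mfa
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: privacyidea
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              net-kingdom/component: sso
          podSelector:
            matchLabels:
              app.kubernetes.io/name: keycape
      ports:
        - port: 8080
          protocol: TCP
---
# ── Allow egress to PostgreSQL ───────────────────────────────────────────────
# privacyIDEA may open TCP 5432 to ANY pod in a namespace labelled
# net-kingdom/component=databases — there is no podSelector here.
# NOTE(review): if the PostgreSQL pods carry a stable label, adding a
# podSelector to this `to` entry would limit the reachable set to them.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-postgres
  namespace: mfa
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: privacyidea
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              net-kingdom/component: databases
      ports:
        - port: 5432
          protocol: TCP
---
# ── Allow egress DNS (all pods) ──────────────────────────────────────────────
# Every pod in mfa may reach port 53 (UDP and TCP) on ANY pod in kube-system,
# not only the DNS pods: "kube-dns" in the header is the intent, the selector
# below does not enforce it.
# NOTE(review): a podSelector on the DNS deployment's label (commonly
# k8s-app=kube-dns, but verify in this cluster) would narrow this entry; a
# wrong label silently breaks name resolution for the whole namespace, so
# confirm first.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-dns
  namespace: mfa
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP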