refactor(k8s/immich): minor tweaks to match new schema

kubernetes/app/immich/networkpolicy.yaml

@@ -44,9 +44,6 @@ spec:
         - podSelector:
             matchLabels:
               app.kubernetes.io/name: server
-        - podSelector:
-            matchLabels:
-              app.kubernetes.io/name: microservices
         - podSelector:
             matchLabels:
               app: immich-db-backup
@@ -68,9 +65,6 @@ spec:
         - podSelector:
             matchLabels:
               app.kubernetes.io/name: server
-        - podSelector:
-            matchLabels:
-              app.kubernetes.io/name: microservices
 ---
 # Allow immich pods to reach machine-learning
 apiVersion: networking.k8s.io/v1
@@ -89,6 +83,35 @@ spec:
         - podSelector:
             matchLabels:
               app.kubernetes.io/name: server
+---
+# Allow backup pods egress to Synology (rest-server), B2, DNS, and DB
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-backup-egress
+  namespace: immich
+spec:
+  podSelector:
+    matchLabels:
+      app: immich-backup
+  policyTypes:
+    - Egress
+  egress:
+    - ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+    - ports:
+        - port: 8888
+          protocol: TCP
+    - ports:
+        - port: 443
+          protocol: TCP
+    - ports:
+        - port: 5432
+          protocol: TCP
+      to:
         - podSelector:
             matchLabels:
-              app.kubernetes.io/name: microservices
+              app: immich-db