feat(k8s/pihole): add Pi-hole stack (deployment scaled to 0 for data migration)

kubernetes/app/pihole/networkpolicy.yaml

@@ -0,0 +1,31 @@
+# Note: NetworkPolicy applies to pod-level traffic via the cluster network.
+# DNS traffic on port 53 arrives via hostNetwork and bypasses these policies.
+# These policies govern cluster-internal traffic (e.g. Traefik → pihole web UI).
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-ingress
+  namespace: pihole
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-controller
+  namespace: pihole
+spec:
+  podSelector:
+    matchLabels:
+      app: pihole
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik
+      ports:
+        - port: 80