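# NetworkPolicies for the immich namespace.
#
# Model: ingress is denied by default for every pod in the namespace and then
# opened per workload below. Egress is NOT denied by default -- only the
# backup pods carry an Egress policy, so every other pod (server, db, valkey,
# machine-learning) keeps unrestricted egress.
# NOTE(review): add a default-deny Egress policy if that is not intentional.
#
# Default deny all ingress in the immich namespace
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: immich
spec:
  # Empty selector: selects every pod in the namespace.
  podSelector: {}
  # Ingress only; no `ingress:` rules, so nothing is allowed unless another
  # policy in this namespace opens it.
  policyTypes:
    - Ingress
---
# Allow ingress controller to reach immich-server
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-controller
  namespace: immich
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: server
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Any pod in the traefik namespace, on any port of the server pod.
        # NOTE(review): narrow with a podSelector for the traefik pods and a
        # `ports:` entry for the immich-server listen port once confirmed.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
---
# immich-db: only reachable from immich app pods and backup jobs
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: immich-db
  namespace: immich
spec:
  podSelector:
    matchLabels:
      app: immich-db
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Either selector matches (entries under `from:` are OR-ed).
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: server
        - podSelector:
            matchLabels:
              app: immich-backup
      # Only the PostgreSQL port (the same 5432 that the backup egress policy
      # below targets) rather than every port on the DB pod.
      ports:
        - port: 5432
          protocol: TCP
---
# Allow immich pods to reach valkey
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-valkey
  namespace: immich
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: valkey
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Server pods only, any port. NOTE(review): add a `ports:` entry for
        # the valkey listen port to tighten this.
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: server
---
# Allow immich pods to reach machine-learning
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-machine-learning
  namespace: immich
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: machine-learning
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Server pods only, any port. NOTE(review): add a `ports:` entry for
        # the machine-learning listen port to tighten this.
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: server
---
# Allow backup pods egress to Synology (rest-server), B2, DNS, and DB
#
# Once a pod is selected by an Egress policy, everything not listed here is
# dropped for it, so every destination the backup job needs must appear.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backup-egress
  namespace: immich
spec:
  podSelector:
    matchLabels:
      app: immich-backup
  policyTypes:
    - Egress
  egress:
    # DNS. A rule with `ports:` but no `to:` allows that port to ANY
    # destination. NOTE(review): narrow to the cluster DNS pods (normally in
    # kube-system) unless the cluster relies on a node-local DNS cache.
    - ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # rest-server on the Synology. Again no `to:`, so 8888 is reachable on
    # any address, including other cluster pods. NOTE(review): pin it with
    # `to: [{ipBlock: {cidr: <synology-ip>/32}}]` once the address is known.
    - ports:
        - port: 8888
          protocol: TCP
    # B2 over HTTPS. Unrestricted by destination; B2's address ranges are not
    # fixed, so this one is hard to narrow with an ipBlock.
    - ports:
        - port: 443
          protocol: TCP
    # PostgreSQL on the immich-db pods in this namespace; the immich-db
    # ingress policy above admits the backup pods on the same port.
    - ports:
        - port: 5432
          protocol: TCP
      to:
        - podSelector:
            matchLabels:
              app: immich-db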