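---
# Default deny all ingress in the immich namespace.
# The empty podSelector matches every pod in the namespace; because
# policyTypes lists only Ingress, only inbound traffic is affected -
# pods keep unrestricted outbound access.
# NOTE(review): nothing in this file restricts egress. A compromised
# immich pod can reach anything routable (other namespaces, the API
# server, the internet) unless a default-deny-egress policy plus explicit
# DNS/egress allows is added alongside these policies.
# NOTE(review): NetworkPolicy is only enforced when the cluster CNI
# implements it; on a CNI without support these objects are accepted
# but have no effect - confirm enforcement on the target cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: immich
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Allow the ingress controller to reach immich-server.
# The peer is selected by namespace only: every pod in the "traefik"
# namespace may reach the server pods, on every port and protocol, since
# no podSelector is combined with the namespaceSelector and no ports:
# list is given.
# NOTE(review): tighten this by adding a podSelector inside the same
# `from` entry (selectors in one entry are AND-ed) matching the
# controller's pod labels, and a `ports:` entry for the server's
# listening port - confirm both against the deployed controller and the
# immich-server container before adding them.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-controller
  namespace: immich
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: server
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
---
# immich-db: only reachable from immich app pods and backup jobs.
# Each `from` entry is an independent peer (OR-ed). A bare podSelector
# matches pods in this policy's namespace (immich) only, so nothing from
# another namespace is admitted by this rule.
# NOTE(review): no ports: list, so the allowed peers can reach every port
# on the DB pod; restricting to the database port would be safer -
# confirm the port the container actually listens on.
# NOTE(review): this selector uses `app: immich-db`, while the other
# policies select on `app.kubernetes.io/name`. If the DB pod does not
# carry the `app` label this policy selects nothing and the default deny
# above blocks the app. Verify the label on the running pod, not just the
# Deployment/StatefulSet template.
# NOTE(review): for backup CronJobs the `app: immich-db-backup` label
# must be on the Job's pod template - a label on the CronJob object alone
# does not reach the pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: immich-db
  namespace: immich
spec:
  podSelector:
    matchLabels:
      app: immich-db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: server
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: microservices
        - podSelector:
            matchLabels:
              app: immich-db-backup
---
# Allow immich pods to reach valkey.
# Only server and microservices pods from this namespace are admitted;
# all other ingress to valkey is dropped by the default deny above.
# NOTE(review): no ports: list - consider restricting to the valkey
# listening port once it is confirmed from the container configuration.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-valkey
  namespace: immich
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: valkey
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: server
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: microservices
---
# Allow immich pods to reach machine-learning.
# Same peer set as valkey: server and microservices pods in this
# namespace, on any port/protocol.
# NOTE(review): no ports: list - consider restricting to the
# machine-learning service port once it is confirmed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-machine-learning
  namespace: immich
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: machine-learning
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: server
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: microservices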