# Default deny all ingress in the jellyfin namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: jellyfin
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Allow Traefik ingress controller to reach Jellyfin
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-controller
  namespace: jellyfin
spec:
  podSelector:
    matchLabels:
      app: jellyfin
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
---
# Allow UDP discovery and DLNA from local network
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-udp-discovery
  namespace: jellyfin
spec:
  podSelector:
    matchLabels:
      app: jellyfin
  policyTypes:
    - Ingress
  ingress:
    - ports:
        - port: 7359
          protocol: UDP
        - port: 1900
          protocol: UDP