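---
# Default deny all ingress in the media namespace.
# The empty podSelector matches every pod in the namespace. Only Ingress is
# listed in policyTypes, so this document does not restrict egress, and no
# egress policy is defined elsewhere in this file.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: media
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Allow ingress controller to reach qbittorrent, sonarr, radarr.
# The peer has a namespaceSelector but no podSelector, so every pod in the
# "traefik" namespace is admitted, and there is no ports list, so it is
# admitted on every port. NOTE(review): a ports list naming the apps' web-UI
# ports would narrow this; those port numbers are not known from this file.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-controller
  namespace: media
spec:
  podSelector:
    matchExpressions:
      - key: app
        operator: In
        values:
          - qbittorrent
          - sonarr
          - radarr
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
---
# sonarr-db: only reachable from sonarr and backup jobs.
# A bare podSelector peer (no namespaceSelector) only matches pods in the
# policy's own namespace, media. All ports are allowed for these peers.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: sonarr-db
  namespace: media
spec:
  podSelector:
    matchLabels:
      app: sonarr-db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: sonarr
        - podSelector:
            matchLabels:
              app: sonarr-db-backup
---
# radarr-db: only reachable from radarr and backup jobs.
# Same shape as sonarr-db: peers are pods in the media namespace, any port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: radarr-db
  namespace: media
spec:
  podSelector:
    matchLabels:
      app: radarr-db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: radarr
        - podSelector:
            matchLabels:
              app: radarr-db-backup
---
# Allow prowlarr to receive connections from sonarr and radarr.
# Peers are pods labelled app=sonarr or app=radarr in the media namespace,
# on any port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-internal-comms
  namespace: media
spec:
  podSelector:
    matchLabels:
      app: prowlarr
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: sonarr
        - podSelector:
            matchLabels:
              app: radarr
---
# Allow prowlarr to reach sonarr, radarr, and qbittorrent.
# This is an Ingress policy on the three target apps admitting pods labelled
# app=prowlarr in the media namespace, on any port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-prowlarr-to-apps
  namespace: media
spec:
  podSelector:
    matchExpressions:
      - key: app
        operator: In
        values:
          - sonarr
          - radarr
          - qbittorrent
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: prowlarr
---
# Allow qbittorrent to receive connections from sonarr, radarr, and external
# BT traffic.
# Rule 1: pods labelled app=sonarr or app=radarr in the media namespace, on
# any port.
# Rule 2: has no `from`, so it admits ANY source — every pod in the cluster as
# well as traffic arriving from outside — but only on 23312/TCP and 23312/UDP.
# The ports entry must stay a separate item of the `ingress` list; nested
# under `from` it would be an invalid NetworkPolicyPeer, not a port filter.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-qbittorrent
  namespace: media
spec:
  podSelector:
    matchLabels:
      app: qbittorrent
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: sonarr
        - podSelector:
            matchLabels:
              app: radarr
    - ports:
        - port: 23312
          protocol: TCP
        - port: 23312
          protocol: UDP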