# Scope: NetworkPolicy applies to pod-level traffic on the cluster network.
# DNS traffic on port 53 arrives via hostNetwork and bypasses these policies,
# so nothing in this file limits who may query the resolver. That path needs
# its own control outside NetworkPolicy (e.g. a host or upstream firewall).
# These policies govern cluster-internal traffic only
# (e.g. Traefik → pihole web UI).
#
# NOTE(review): Kubernetes documents NetworkPolicy behaviour for pods running
# with hostNetwork: true as undefined. If the pihole pod itself is on the host
# network, confirm that the port-80 restriction below is actually enforced.
#
# NOTE(review): these objects only take effect when the cluster's network
# plugin implements NetworkPolicy. Otherwise the API server accepts them and
# nothing is filtered. Verify with a connection test from another namespace.
---
# Baseline: the empty podSelector matches every pod in the pihole namespace,
# and listing Ingress with no ingress rules denies all inbound pod traffic.
# Egress is not listed in policyTypes, so outbound traffic stays unrestricted.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: pihole
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Exception to the baseline: pods labelled app=pihole accept connections on
# port 80 from the traefik namespace. No protocol is given, so the API
# default (TCP) applies.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-controller
  namespace: pihole
spec:
  podSelector:
    matchLabels:
      app: pihole
  policyTypes:
    - Ingress
  ingress:
    - from:
        # kubernetes.io/metadata.name is set by the control plane to the
        # namespace's own name, so the match does not rely on a hand-applied
        # label. With only a namespaceSelector, every pod in that namespace
        # is allowed. A podSelector in this same `from` entry would narrow
        # it to the Traefik pods.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
      ports:
        - port: 80