---
# NetworkPolicy set for the "paperless" namespace: a namespace-wide ingress
# default-deny, one ingress allow-rule per workload, and an egress allow-list
# for the backup job.
#
# Baseline: the empty podSelector selects every pod in the namespace, and
# listing Ingress under policyTypes with no ingress rules denies all inbound
# traffic that a later policy does not explicitly allow.
# NOTE(review): only Ingress is listed here, so this policy does not restrict
# egress. On this page only app: paperless-backup gets an egress policy;
# confirm whether the other workloads are meant to have unrestricted egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: paperless
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Admits traffic to the app pods from any pod in the namespace whose
# kubernetes.io/metadata.name label is "traefik" (Kubernetes sets this label
# to the namespace name automatically).
# NOTE(review): there is no ports list, so every port on app: paperless pods
# is reachable from that namespace. Consider limiting this to the web port
# once it is confirmed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-controller
  namespace: paperless
spec:
  podSelector:
    matchLabels:
      app: paperless
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
---
# Database: reachable on 5432 from the app pods and from the backup pods in
# this namespace only. A port entry without a protocol defaults to TCP.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-app-to-db
  namespace: paperless
spec:
  podSelector:
    matchLabels:
      app: paperless-db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: paperless
        - podSelector:
            matchLabels:
              app: paperless-backup
      ports:
        - port: 5432
---
# Redis: reachable on 6379 from the app pods only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-app-to-redis
  namespace: paperless
spec:
  podSelector:
    matchLabels:
      app: paperless-redis
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: paperless
      ports:
        - port: 6379
---
# Gotenberg: reachable on 3000 from the app pods only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-app-to-gotenberg
  namespace: paperless
spec:
  podSelector:
    matchLabels:
      app: paperless-gotenberg
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: paperless
      ports:
        - port: 3000
---
# Tika: reachable on 9998 from the app pods only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-app-to-tika
  namespace: paperless
spec:
  podSelector:
    matchLabels:
      app: paperless-tika
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: paperless
      ports:
        - port: 9998
---
# Egress allow-list for the backup pods. An egress rule with no "to" clause
# matches every destination, inside or outside the cluster, on the listed
# ports; only the 5432 rule below is pinned to a peer.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backup-egress
  namespace: paperless
spec:
  podSelector:
    matchLabels:
      app: paperless-backup
  policyTypes:
    - Egress
  egress:
    # DNS over UDP and TCP, to any destination.
    # NOTE(review): consider scoping this to the cluster DNS pods.
    - ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # TCP 8000 to any destination.
    # NOTE(review): if this is meant to reach the app: paperless pods, no
    # ingress policy on this page admits app: paperless-backup to them (the
    # only allowed source is the traefik namespace) -- confirm the intended
    # path and add a "to" selector.
    - ports:
        - port: 8000
          protocol: TCP
    # TCP 443 to any destination.
    # NOTE(review): presumably an off-cluster backup target; confirm and
    # narrow with an ipBlock if the destination range is known.
    - ports:
        - port: 443
          protocol: TCP
    # PostgreSQL, restricted to the database pods in this namespace.
    - ports:
        - port: 5432
          protocol: TCP
      to:
        - podSelector:
            matchLabels:
              app: paperless-db