32 lines
767 B
YAML
32 lines
767 B
YAML
# Note: NetworkPolicy applies to pod-level traffic via the cluster network.
|
|
# DNS traffic on port 53 arrives via hostNetwork and bypasses these policies.
|
|
# These policies govern cluster-internal traffic (e.g. Traefik → pihole web UI).
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: default-deny-ingress
|
|
namespace: pihole
|
|
spec:
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
---
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-ingress-controller
|
|
namespace: pihole
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
app: pihole
|
|
policyTypes:
|
|
- Ingress
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: traefik
|
|
ports:
|
|
- port: 80
|