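---
# NetworkPolicy for the `flower` pods in `monitoring`: no inbound traffic at
# all, outbound restricted to one Redis endpoint and cluster DNS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: flower-policy
  namespace: monitoring
spec:
  podSelector:
    matchLabels:
      app: flower
  policyTypes:
    - Ingress
    - Egress
  # Ingress is listed in policyTypes and the rule list is empty, so ALL
  # inbound traffic to the selected pods is denied — including any UI or
  # metrics port a client would normally reach.
  # NOTE(review): confirm that is intended; if the pod must be reachable,
  # an explicit ingress rule for that port is required.
  ingress: []
  egress:
    # Redis on a single host (/32) and port. The policy only permits the TCP
    # connection; whether the session is TLS is decided by the Redis client
    # and server configuration and is not enforced by this policy.
    - to:
        - ipBlock:
            cidr: 172.16.16.2/32
      ports:
        - protocol: TCP
          port: 6379
    # DNS to CoreDNS in kube-system. The namespaceSelector and podSelector
    # in the same `to` entry are ANDed: only kube-dns pods in kube-system.
    # UDP 53 is the normal transport; TCP 53 is also allowed because some
    # resolvers use TCP for large responses. Both ports share the same peer,
    # so they live in one rule instead of two duplicated rules.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53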