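# Network Policies for EveAI Dev Environment
# File: network-policies.yaml
# Provides proper isolation and security for Kubernetes services
#
# How these policies compose: NetworkPolicies are additive. Every pod in
# eveai-dev is selected by default-deny-ingress and then regains exactly the
# ingress that the union of the other policies selecting it allows. Nothing
# in this file restricts egress.
#
# Namespace selectors use the `kubernetes.io/metadata.name` label, which the
# API server sets automatically on every namespace (Kubernetes >= 1.21), so
# the rules do not silently fail if a hand-applied `name:` label is missing.
---
# Default deny all ingress traffic (security first approach)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: eveai-dev
  labels:
    app: eveai
    environment: dev
spec:
  # Empty podSelector: applies to every pod in the namespace.
  podSelector: {}
  policyTypes:
    - Ingress
---
# Allow ingress controller to reach app services
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-apps
  namespace: eveai-dev
  labels:
    app: eveai
    environment: dev
spec:
  podSelector:
    matchLabels:
      tier: frontend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 5001  # eveai-app
        - protocol: TCP
          port: 5003  # eveai-api
        - protocol: TCP
          port: 5004  # eveai-chat-client
---
# Allow app services to communicate with backend services
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-apps-to-backend
  namespace: eveai-dev
  labels:
    app: eveai
    environment: dev
spec:
  podSelector:
    matchLabels:
      tier: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        # podSelector without a namespaceSelector matches pods in this
        # policy's namespace only.
        - podSelector:
            matchLabels:
              tier: frontend
      ports:
        - protocol: TCP
          port: 6379  # Redis
        - protocol: TCP
          port: 9000  # MinIO S3 API
        # NOTE(review): 9001 is the MinIO admin console, not the S3 API.
        # Confirm the frontend tier really needs it; if not, drop this entry.
        - protocol: TCP
          port: 9001  # MinIO Console
        - protocol: TCP
          port: 5432  # PostgreSQL
---
# Allow internal service communication within eveai-dev namespace
#
# WARNING: this grants every pod in the namespace ingress from every other
# pod in the namespace on every port. Because policies are additive, it makes
# the port/tier restrictions in allow-apps-to-backend ineffective against any
# in-namespace source (e.g. a monitoring-tier pod can reach PostgreSQL).
# Kept for the dev environment so undocumented intra-namespace flows keep
# working; tighten or remove it before reusing this file for a shared or
# production namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-internal-communication
  namespace: eveai-dev
  labels:
    app: eveai
    environment: dev
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Empty podSelector with no namespaceSelector = all pods in this
        # policy's own namespace; does not depend on a namespace label.
        - podSelector: {}
---
# Allow Prometheus pods (same namespace) to reach the monitoring-tier pods on
# their service ports. This covers Prometheus -> Pushgateway/Flower/Grafana
# and self-scraping; scraping of app pods is not handled here (in dev it is
# permitted by allow-internal-communication).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-monitoring-scraping
  namespace: eveai-dev
  labels:
    app: eveai
    environment: dev
spec:
  podSelector:
    matchLabels:
      tier: monitoring
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: prometheus
      ports:
        - protocol: TCP
          port: 9090  # Prometheus
        - protocol: TCP
          port: 9091  # Pushgateway
        - protocol: TCP
          port: 5555  # Flower
        - protocol: TCP
          port: 3000  # Grafana
---
# Allow external access to monitoring services (NodePort)
#
# A rule with no `from` clause admits any source (other namespaces, the node
# network and anything reaching the NodePort), so the exposure is limited to
# the ports the monitoring pods actually serve rather than every port.
# Pushgateway (9091) accepts metric pushes without authentication and Flower
# (5555) can inspect and control Celery workers unless its own auth is
# configured; once the allowed client ranges are known, add an
# `ipBlock: {cidr: ...}` entry under `from` to restrict the sources.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-external-monitoring
  namespace: eveai-dev
  labels:
    app: eveai
    environment: dev
spec:
  podSelector:
    matchLabels:
      tier: monitoring
  policyTypes:
    - Ingress
  ingress:
    - ports:
        - protocol: TCP
          port: 9090  # Prometheus
        - protocol: TCP
          port: 9091  # Pushgateway
        - protocol: TCP
          port: 5555  # Flower
        - protocol: TCP
          port: 3000  # Grafana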