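# ============================================================
# NetworkPolicy: content-security-ingress-policy
# Restrict ingress to the content security service on TCP/3000 to:
# - pods in the tankwar namespace
# - pods labelled content-security-client=true in any namespace
#   (other game namespaces opt in via that pod label)
# - any pod in the content-security namespace (in-namespace callers)
#
# policyTypes lists only Ingress, so this manifest does NOT restrict
# egress; a WeChat-API/DNS egress allowance is not implemented here
# and would need a separate policy with policyTypes: [Egress].
# Because the podSelector below matches, all ingress not listed in
# the rules is denied to app=content-security-service pods.
# ============================================================
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: content-security-ingress-policy
  namespace: content-security
spec:
  podSelector:
    matchLabels:
      app: content-security-service
  policyTypes:
    - Ingress
  ingress:
    # Allow from the tankwar namespace. Relies on the automatic
    # kubernetes.io/metadata.name namespace label (set by the API
    # server on Kubernetes >= 1.21) — verify it is present on this cluster.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: tankwar
      ports:
        - protocol: TCP
          port: 3000
    # Allow from pods labelled content-security-client=true in ANY
    # namespace. namespaceSelector and podSelector inside the same list
    # item are ANDed. A bare podSelector (without namespaceSelector)
    # only matches pods in the policy's own namespace, which is already
    # covered by the rule below and would not reach other game namespaces.
    - from:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              content-security-client: "true"
      ports:
        - protocol: TCP
          port: 3000
    # Allow any pod in the content-security namespace (e.g. in-namespace
    # health/monitoring callers). Kubelet liveness/readiness probes
    # originate from the node rather than a pod and are generally not
    # subject to NetworkPolicy — confirm with the cluster's CNI.
    - from:
        - podSelector: {}
      ports:
        - protocol: TCP
          port: 3000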