{{- if eq .Values.NETWORK_POLICY_ENABLED "yes" }}
# https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/04-deny-traffic-from-other-namespaces.md
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: "{{ .Values.NAMESPACE }}"
  name: nextcloud-aio-deny-from-other-namespaces
spec:
  podSelector:
    matchLabels:
  policyTypes:
    - Ingress
    - Egress
  ingress:
  - from:
    - podSelector: {}
  egress:
  - {} # Allows all egress traffic
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: "{{ .Values.NAMESPACE }}"
  name: nextcloud-aio-webserver-allow
spec:
  podSelector:
    matchExpressions:
      - key: io.kompose.service
        operator: In
        values:
          - nextcloud-aio-apache
  policyTypes:
    - Ingress
  ingress:
    - {} # Allows all ingress traffic
{{- end }}