# Frontend: allow ingress from ingress controller only
# Static assets; no egress required for serving
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-allow
  namespace: veza-production
spec:
  podSelector:
    matchLabels:
      app: veza-frontend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: ingress-nginx
    ports:
    - protocol: TCP
      port: 80