nextcloud/deploy/infra/network-policies.yaml

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-same-namespace-ingress
spec:
  endpointSelector: {}   # All pods in this namespace
  ingress:
    - fromEndpoints:
        - matchExpressions:
            - key: k8s:io.kubernetes.pod.namespace
              operator: In
              values:
                - cloud-limbosolutions-com
  
---

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-traefik-to-nextcloud-ingress
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: nextcloud

  ingress:
    # -------------------------------------------------------------
    # Allow Traefik (internal and public) to reach nextcloud web port
    # -------------------------------------------------------------
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/name: traefik
          matchExpressions:
            - key: k8s:io.kubernetes.pod.namespace
              operator: In
              values:
                - traefik
                - traefik-public
      toPorts:
        - ports:
            - port: "80"
    
              protocol: TCP

---


apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-traefik-to-onlyoffice-ingress
spec:
  endpointSelector:
    matchLabels:
      app: onlyoffice

  ingress:
    # -------------------------------------------------------------
    # Allow Traefik (internal and public) to reach onlyoffice web port
    # -------------------------------------------------------------
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/name: traefik
          matchExpressions:
            - key: k8s:io.kubernetes.pod.namespace
              operator: In
              values:
                - traefik
                - traefik-public
      toPorts:
        - ports:
            - port: "80"
    
              protocol: TCP
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-traefik-to-whiteboard-ingress
spec:
  endpointSelector:
    matchLabels:
      app: nextcloud-whiteboard

  ingress:
    # -------------------------------------------------------------
    # Allow Traefik (internal and public) to reach whiteboard ws
    # -------------------------------------------------------------
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/name: traefik
          matchExpressions:
            - key: k8s:io.kubernetes.pod.namespace
              operator: In
              values:
                - traefik
                - traefik-public
      toPorts:
        - ports:
            - port: "3002"
    
              protocol: TCP