---
# Network policies for the student-enrollment namespace: allow only the
# traffic that is needed.
#
# Baseline: this policy selects every pod in the namespace (empty
# podSelector) and lists no ingress rules, so all inbound traffic is denied
# unless one of the policies below allows it.
# Only Ingress is listed in policyTypes, so outbound (egress) traffic is not
# restricted by anything in this file.
# NOTE(review): NetworkPolicy objects only take effect when the cluster's
# network plugin enforces them - confirm for the target cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: student-enrollment
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Allow traffic to the frontend from the ingress controller.
# The rule admits TCP/80 from every pod in the kube-system namespace, not
# only from the ingress controller.
# NOTE(review): presumably the ingress controller runs in kube-system -
# confirm. If it does, adding a podSelector for the controller's labels to
# the same `from` entry would narrow this to least privilege.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-ingress
  namespace: student-enrollment
spec:
  podSelector:
    matchLabels:
      app: student-frontend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: TCP
          port: 80
---
# Allow traffic to the API from the frontend and from the ingress controller.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-ingress
  namespace: student-enrollment
spec:
  podSelector:
    matchLabels:
      app: student-api
  policyTypes:
    - Ingress
  ingress:
    # From the ingress controller. As with the frontend policy, this matches
    # every pod in kube-system, so any workload there can reach the API on
    # TCP/8080.
    # NOTE(review): confirm the API must be reachable directly from the
    # ingress controller and not only through the frontend proxy.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: TCP
          port: 8080
    # From the frontend (for the nginx proxy). A podSelector without a
    # namespaceSelector matches pods in this policy's own namespace only.
    - from:
        - podSelector:
            matchLabels:
              app: student-frontend
      ports:
        - protocol: TCP
          port: 8080
---
# Allow traffic to SQL Server only from the API: TCP/1433 from pods labelled
# app=student-api in this namespace. Together with the default-deny policy,
# no other pod can open a connection to the database pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-sqlserver-from-api
  namespace: student-enrollment
spec:
  podSelector:
    matchLabels:
      app: sqlserver
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: student-api
      ports:
        - protocol: TCP
          port: 1433