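---
# NetworkPolicy for the IRC workloads (znc, thelounge) in the irc namespace.
# Both Ingress and Egress are listed in policyTypes, so the selected pods are
# isolated in both directions: traffic passes only where a rule in this policy
# (or in another policy selecting the same pods) allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: irc
  namespace: irc
spec:
  podSelector:
    matchExpressions:
      - key: app.kubernetes.io/name
        operator: In
        values:
          - znc
          - thelounge
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow all in-namespace traffic
    # (includes Service -> Pod, Gateway -> Service -> Pod).
    # NOTE(review): Gateway traffic matches this rule only if the gateway's
    # proxy pods run in the irc namespace - confirm.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: irc
  egress:
    # Allow in-namespace pod communication.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: irc
    # Allow public internet only: block RFC1918 and link-local.
    # 169.254.0.0/16 is excluded because link-local is not public address
    # space and is where cloud instance-metadata endpoints (169.254.169.254)
    # are served; with only RFC1918 excluded it stayed reachable.
    # No `ports` list is given, so every port and protocol is allowed to the
    # remaining destinations.
    # NOTE(review): nothing in this policy allows DNS to a resolver outside
    # the irc namespace. If the cluster resolver sits on a private or
    # link-local address, name resolution depends on another policy - confirm.
    # NOTE(review): other non-public ranges such as 100.64.0.0/10 are still
    # allowed - confirm whether that is intended.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
              - 169.254.0.0/16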