# Ingress allow-list for the "download" namespace. Once a pod is selected by
# this policy, inbound connections to it are limited to the sources listed
# under `from` (plus anything allowed by other NetworkPolicies selecting the
# same pod; policies are additive). Enforcement depends on the cluster's
# network plugin implementing NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-most-allow-some
  namespace: download
spec:
  # Empty selector: the policy applies to every pod in this namespace.
  # No policyTypes is given and only an ingress section is present, so the
  # policy covers ingress only; egress from these pods is not restricted here.
  podSelector: {}
  ingress:
  # One rule with no `ports` list, so every port and protocol is open to the
  # sources below. The `from` entries are alternatives (OR), not a chain.
  - from:
    # Every pod in any namespace labelled name=download, which is meant to be
    # this namespace itself.
    # NOTE(review): `name` is a label somebody has to put on the namespace;
    # the label the API server sets on its own is kubernetes.io/metadata.name.
    # Confirm each namespace referenced here carries `name`, and check who is
    # allowed to label namespaces, since that permission controls this list.
    - namespaceSelector:
        matchLabels:
          name: "download"
    # Disabled alternative: a bare podSelector would select all pods in the
    # policy's own namespace without relying on a namespace label.
#    - podSelector: {}

    # Every pod in namespaces labelled name=traefik. This admits the whole
    # namespace, not only the traefik pods inside it.
    - namespaceSelector:
        matchLabels:
          name: "traefik"

    # Every pod in namespaces labelled name=media.
    - namespaceSelector:
        matchLabels:
          name: "media"

    # Opt-in by namespace label: every pod in any namespace labelled
    # needsDownload=yes. The value is quoted so it stays the string "yes"
    # rather than being read as a YAML boolean.
    - namespaceSelector:
        matchLabels:
          needsDownload: "yes"

    # Pods labelled needsDownload=yes in THIS namespace only: a podSelector
    # with no namespaceSelector beside it is scoped to the policy's namespace,
    # so pods carrying the label in other namespaces are not admitted by this
    # entry. Selecting labelled pods inside labelled namespaces would need
    # both selectors in the same list item.
    # NOTE(review): if the download namespace is labelled name=download, the
    # first entry already admits these pods and this one adds nothing.
    - podSelector:
        matchLabels:
          needsDownload: "yes"