apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-most-allow-some
  namespace: monitoring
spec:
  # Apply to all pods in this namespace
  podSelector: {}
  ingress:
  - from:
    # Allow all pods in this namespace
    - namespaceSelector:
        matchLabels:
          name: "monitoring"
#    - podSelector: {}

    # Allow traefik pods
    - namespaceSelector:
        matchLabels:
          name: "traefik"

    # Allow all pods with this label
    - podSelector:
        matchLabels:
          needsMonitoring: "yes"