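---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-most-allow-some
  namespace: game-servers
spec:
  # An empty podSelector applies this policy to every pod in game-servers.
  podSelector: {}
  # Stated explicitly so the policy keeps governing both directions: without this
  # field Kubernetes infers the types from the rule sections present, so removing
  # the egress section later would silently make egress unrestricted again.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        # Allow all pods in this namespace. This matches a "name" label on the
        # Namespace object, which Kubernetes does not set automatically (the
        # auto-populated label is kubernetes.io/metadata.name); the namespace
        # must carry that label for the rule to match anything.
        - namespaceSelector:
            matchLabels:
              name: "game-servers"

        # Allow traefik pods (same caveat about the "name" label on the namespace).
        - namespaceSelector:
            matchLabels:
              name: "traefik"

        # Allow pods with this label. A bare podSelector in a "from" entry only
        # matches pods in the policy's own namespace (game-servers), not in others.
        - podSelector:
            matchLabels:
              needsGameServers: "yes"
  # NOTE(review): cluster DNS normally lives on a private service IP, which the
  # ipBlock below excludes, so name resolution from these pods is likely blocked
  # unless another policy allows it - confirm that is intended.
  egress:
    - to:
        - ipBlock:
            # Allow all IPs except the RFC 1918 private ranges:
            # https://en.wikipedia.org/wiki/Private_network
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 192.168.0.0/16
              # RFC 1918 defines this block as 172.16.0.0/12 (172.16.0.0-172.31.255.255);
              # the earlier /20 only covered 172.16.0.0-172.16.15.255 and left the rest
              # of the private range reachable.
              - 172.16.0.0/12
            # NOTE(review): link-local 169.254.0.0/16 (where cloud metadata endpoints
            # sit) is not excluded here - confirm whether egress to it is intended.
        # Reaches the game server host. A /24 with host bits set admits the whole
        # 192.168.87.0/24 subnet, not only .250; use 192.168.87.250/32 if a single
        # host is meant.
        - ipBlock:
            cidr: 192.168.87.250/24 # server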