es_networkpolicy.yaml

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: ${namespace}
spec:
  podSelector: {}
  policyTypes:
    - Ingress

# https://docs.giantswarm.io/guides/limiting-pod-communication-with-network-policies/
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-internal-namespace-traffic
  namespace: ${namespace}
spec:
  podSelector:
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: ${namespace}

# https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/07-allow-traffic-from-some-pods-in-another-namespace.md
# https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/09-allow-traffic-only-to-a-port.md
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: ${namespace}
  name: allow-from-controller-from-all-namespaces-to-9200
spec:
  podSelector:
    matchLabels:
      app: ${elasticsearchName}-master
  ingress:
    - from:
      - namespaceSelector: {}
        podSelector:
          matchLabels:
            "app.kubernetes.io/name": "controller"
      ports:
        - port: 9200