apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: vpn
  labels:
    platform.edge.ncr.com/component: wireguard-relay
spec:
  ingress:
  - {}
  podSelector: {}
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: vpn
  labels:
    platform.edge.ncr.com/component: wireguard-relay
spec:
  egress:
  - {}
  podSelector: {}
  policyTypes:
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: wireguard-relay
  namespace: vpn
  labels:
    platform.edge.ncr.com/component: wireguard-relay
spec:
  ingress:
  - ports:
    - protocol: UDP
      port: 51820
    from:
  - ports:
    - protocol: TCP
      port: 9586
    from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: prometheus
  podSelector:
    matchLabels:
      platform.edge.ncr.com/component: wireguard-relay
  policyTypes:
  - Ingress