---
# Baseline egress: every endpoint in the cluster may send DNS queries
# (UDP and TCP on port 53) to the CoreDNS pods in kube-system.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: baseline-allow-coredns-egress
spec:
  description: 'Allow all pods to send DNS queries out to CoreDNS'
  # Empty selector: the policy applies to all endpoints cluster-wide.
  endpointSelector:
    matchLabels: {}
  egress:
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      # Port-level allow only; no L7 `rules.dns` section, so DNS names are
      # not inspected. NOTE(review): if toFQDNs policies are used elsewhere,
      # this rule would need an L7 dns rule for visibility — confirm.
      toPorts:
        - ports:
            - port: '53'
              protocol: UDP
            - port: '53'
              protocol: TCP
---
# Baseline ingress: the CoreDNS pods accept DNS queries from any endpoint.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: baseline-allow-coredns-ingress
spec:
  description: 'Allow CoreDNS to receive incoming DNS queries'
  endpointSelector:
    matchLabels:
      k8s:io.kubernetes.pod.namespace: kube-system
      k8s-app: kube-dns
  ingress:
    - fromEndpoints:
        # Empty selector: accepts from any pod.
        - matchLabels: {}
      toPorts:
        - ports:
            - port: '53'
              protocol: UDP
            - port: '53'
              protocol: TCP
---
# Baseline egress: every endpoint may reach the Kubernetes API server.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: baseline-allow-apiserver
spec:
  description: 'Allow all pods to communicate with the K8s API'
  endpointSelector:
    matchLabels: {}
  egress:
    # No toPorts on this rule, so every port toward the kube-apiserver
    # entity is permitted. Consider narrowing with toPorts to the port the
    # API server actually listens on.
    - toEntities:
        - kube-apiserver
---
# Baseline egress: CoreDNS may forward queries to upstream resolvers.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: baseline-allow-coredns-to-internet
spec:
  description: 'Allow CoreDNS pods to reach upstream DNS servers on the internet'
  endpointSelector:
    matchLabels:
      k8s:io.kubernetes.pod.namespace: kube-system
      k8s-app: kube-dns
  egress:
    # `world` covers destinations outside the cluster only. NOTE(review):
    # an upstream resolver running on the node or inside the cluster would
    # not be matched by this entity — confirm where CoreDNS forwards to.
    - toEntities:
        - world
      # Restricted to port 53; ANY matches both TCP and UDP.
      toPorts:
        - ports:
            - port: '53'
              protocol: ANY