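---
# Ingress allow-list for every pod in the jam-cloud-infra namespace.
# NetworkPolicy rules are additive: a selected pod accepts a connection if
# ANY rule in ANY policy selecting it matches; all other ingress is dropped.
# This only takes effect when the cluster's CNI plugin enforces
# NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-infra-from-authorized-ips
  namespace: jam-cloud-infra
spec:
  # Empty selector: apply to all pods in jam-cloud-infra.
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    # One rule with no `ports` list, so the sources below may reach every
    # port on the selected pods, including the management UI on TCP 15672.
    # NOTE(review): pods inside jam-cloud-infra itself are not listed as a
    # source, so infra-to-infra traffic is dropped unless another policy
    # allows it. Confirm that is intended.
    - from:
        # Authorized external hosts. ipBlock is compared with the source
        # address the pod actually sees; if a load balancer or node rewrites
        # it (SNAT), these /32 entries will not match the original client.
        # Verify source-IP preservation on the path in use.
        - ipBlock:
            cidr: '72.14.184.26/32'
        - ipBlock:
            cidr: '173.255.192.5/32'
        # Allow apps in jam-cloud to talk to infra. The
        # kubernetes.io/metadata.name label is set by the API server to the
        # namespace's name. No podSelector is given, so every pod in that
        # namespace is admitted.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: jam-cloud
        # Allow the ingress controller to reach infra. Traffic proxied by
        # the controller arrives from its pods, so the ipBlock allow-list
        # above does not apply to anything published through an Ingress;
        # restrict those routes at the ingress layer.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
    # Optional: keep the management UI reachable from everywhere?
    # Left disabled. A rule with `ports` and no `from` admits ANY source to
    # that port, which contradicts this policy's allow-list, and the
    # authorized sources above already reach 15672. Uncomment only if
    # unrestricted access to the management UI is a deliberate decision.
    # - ports:
    #     - protocol: TCP
    #       port: 15672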