why

manifests/policy/allow-common-egress.yaml

@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+    name: allow-common-egress
+    namespace: ai
+spec:
+    podSelector: {}
+    policyTypes: ["Egress"]
+    egress:
+        # Allow DNS to kube-dns/CoreDNS in kube-system
+        - to:
+              - namespaceSelector:
+                    matchLabels:
+                        kubernetes.io/metadata.name: kube-system
+          ports:
+              - { protocol: UDP, port: 53 }
+              - { protocol: TCP, port: 53 }
+
+        # Allow PostgreSQL to services/pods in namespace ai on 5432
+        - to:
+              - namespaceSelector:
+                    matchLabels:
+                        kubernetes.io/metadata.name: ai
+          ports:
+              - { protocol: TCP, port: 5432 }
+

manifests/policy/allow-https-egress.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+    name: allow-https-egress
+    namespace: ai
+spec:
+    podSelector: {}
+    policyTypes: ["Egress"]
+    egress:
+        - to:
+              - ipBlock:
+                    cidr: 0.0.0.0/0
+                    # exclude RFC1918/private ranges so this only permits Internet egress
+                    except:
+                        - 10.0.0.0/8
+                        - 172.16.0.0/12
+                        - 192.168.0.0/16
+          ports:
+              - { protocol: TCP, port: 443 }
+              - { protocol: TCP, port: 80 }

manifests/policy/kustomization.yaml

@@ -5,4 +5,5 @@ resources:
     - default-deny.yaml
     - allow-openwebui-ingress.yaml
     - allow-browser-ingress.yaml
-
+    - allow-common-egress.yaml
+    - allow-https-egress.yaml