apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
    name: allow-https-egress
    namespace: ai
spec:
    podSelector: {}
    policyTypes: ["Egress"]
    egress:
        - to:
              - ipBlock:
                    cidr: 0.0.0.0/0
                    # exclude RFC1918/private ranges so this only permits Internet egress
                    except:
                        - 10.0.0.0/8
                        - 172.16.0.0/12
                        - 192.168.0.0/16
          ports:
              - { protocol: TCP, port: 443 }
              - { protocol: TCP, port: 80 }