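---
# Tenant isolation for the "testtenant" namespace.
#
#   ingress: only from pods in this namespace. Everything else -- including the
#            cluster's router/ingress and monitoring pods -- is denied, so
#            Routes/Services exposed from this tenant will not be reachable.
#            Confirm that is intended before rolling this out.
#   egress:  this namespace, cluster DNS, and the public internet only.
#
# Because policyTypes lists both directions, any traffic not explicitly
# allowed below is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-isolation-policy
  namespace: testtenant
spec:
  podSelector: {}  # applies to every pod in the namespace
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow from all pods in the same namespace. An empty podSelector with no
    # namespaceSelector is scoped to the policy's own namespace only.
    - from:
        - podSelector: {}
  egress:
    # Allow to all pods in the same namespace.
    - to:
        - podSelector: {}
    # Allow cluster DNS. podSelector and namespaceSelector in the SAME list
    # element are ANDed: "all pods in the openshift-dns namespace".
    # The kubernetes.io/metadata.name label is set automatically by the API
    # server on Kubernetes >= 1.21 (OpenShift 4.8+) -- TODO confirm on this
    # cluster, otherwise the selector matches nothing and DNS breaks.
    #
    # Port 53 alone does not work because NetworkPolicy is evaluated against
    # the DNS *pod* port after Service DNAT, and on OpenShift the dns-default
    # pods listen on 5353 (Service port 53 -> targetPort "dns" = 5353).
    # Verify before applying:
    #   oc get svc dns-default -n openshift-dns -o jsonpath='{.spec.ports}'
    #   oc get ds dns-default -n openshift-dns \
    #     -o jsonpath='{.spec.template.spec.containers[*].ports}'
    # Adjust the ports below if the container port differs; leaving the ports
    # list off entirely (previous behaviour) allows every port on the DNS pods.
    - to:
        - podSelector: {}
          namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-dns
      ports:
        - protocol: UDP
          port: 5353
        - protocol: TCP
          port: 5353
    # Allow egress to the public internet only. The except list must cover the
    # cluster pod network and service network; OpenShift's defaults
    # (10.128.0.0/14 and 172.30.0.0/16) fall under the RFC1918 entries below.
    # If this cluster uses non-RFC1918 internal ranges, add them here --
    # check `oc get network.config cluster -o yaml`.
    # No IPv6 rule is present, so all IPv6 egress is denied on dual-stack
    # clusters (add a ::/0 ipBlock with matching excepts if that is unwanted).
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8      # RFC1918
              - 172.16.0.0/12   # RFC1918
              - 192.168.0.0/16  # RFC1918
              - 169.254.0.0/16  # link-local; also covers cloud metadata 169.254.169.254
              - 127.0.0.0/8     # loopback
              - 224.0.0.0/4     # multicast
              - 240.0.0.0/4     # reserved
              - 100.64.0.0/10   # carrier-grade NAT (RFC6598)
              - 0.0.0.0/8       # "this network" (RFC1122)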