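---
# Sealed-mode egress lockdown.
#
# Selects every pod in this namespace labelled sealed: "true" and declares the
# Egress policy type with an empty rule list, so no outbound connection from
# those pods is allowed by this policy.
#
# Notes for operators:
# - NetworkPolicy only takes effect when the cluster's network plugin enforces
#   it; on a plugin without NetworkPolicy support this object is accepted but
#   does nothing. Verify enforcement with a test pod before relying on it.
# - NetworkPolicies are namespaced and additive. This manifest covers the
#   "default" namespace only, and any other policy selecting the same pods
#   adds to what is allowed; it cannot be overridden by a deny here.
# - Only Egress is listed in policyTypes, so ingress to sealed pods is not
#   restricted by this policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: sealed-deny-all-egress
  namespace: default
  labels:
    stellaops.dev/owner: devops
    stellaops.dev/purpose: sealed-mode
spec:
  podSelector:
    matchLabels:
      # Label values are strings; keep the quotes so this is not read as a bool.
      sealed: "true"
  policyTypes:
    - Egress
  # Empty list: no egress rule matches, so all egress is denied.
  egress: []
---
# Optional patch to allow in-cluster DNS while still blocking external egress.
#
# Applied together with sealed-deny-all-egress, the effective rule set for
# sealed pods is the union of both policies: DNS to the cluster resolver only.
#
# Caveat: the cluster resolver typically forwards names it does not own to an
# upstream resolver, so enabling this leaves DNS as an indirect outbound path
# for sealed pods. If sealed mode must be strict, leave this policy out, or
# restrict upstream forwarding in the resolver and review its query logs.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: sealed-allow-dns
  namespace: default
  labels:
    stellaops.dev/owner: devops
    stellaops.dev/purpose: sealed-mode
spec:
  podSelector:
    matchLabels:
      sealed: "true"
  policyTypes:
    - Egress
  egress:
    - to:
        # namespaceSelector and podSelector sit in the same list item, so both
        # must match: only kube-dns pods inside kube-system are reachable.
        # Splitting them into two items would allow either one on its own.
        - namespaceSelector:
            matchLabels:
              # Assumes the namespace carries this well-known name label
              # (set automatically on current Kubernetes versions); confirm
              # on older clusters.
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              # Assumes the cluster DNS pods carry the conventional
              # k8s-app: kube-dns label; verify against the deployed resolver.
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        # DNS falls back to TCP when a UDP answer is truncated; without this
        # entry large responses fail to resolve from sealed pods.
        - protocol: TCP
          port: 53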