prod deployment

deploy/k8s/base/network-policies.yaml

@@ -2,12 +2,12 @@
 # Sandboxes can only communicate with specific services, not with each other
 # or with the Kubernetes API
 ---
-# Default deny all ingress and egress in sandboxes namespace
+# Default deny all ingress and egress in sandbox namespace
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: default-deny-all
-  namespace: dexorder-sandboxes
+  namespace: sandbox
 spec:
   podSelector: {}
   policyTypes:
@@ -19,7 +19,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: allow-gateway-ingress
-  namespace: dexorder-sandboxes
+  namespace: sandbox
 spec:
   podSelector:
     matchLabels:
@@ -42,7 +42,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: allow-sandbox-egress
-  namespace: dexorder-sandboxes
+  namespace: sandbox
 spec:
   podSelector:
     matchLabels:
@@ -69,17 +69,6 @@ spec:
       ports:
         - protocol: TCP
           port: 3000
-    # Kafka/Redpanda for data subscriptions
-    - to:
-        - namespaceSelector:
-            matchLabels:
-              dexorder.io/type: system
-          podSelector:
-            matchLabels:
-              app: redpanda
-      ports:
-        - protocol: TCP
-          port: 9092
     # External HTTPS (for exchange APIs, LLM APIs)
     - to:
         - ipBlock:
@@ -93,7 +82,8 @@ spec:
         - protocol: TCP
           port: 443
 ---
-# Default namespace: allow ingress from sandboxes to gateway
+# Allow ingress from sandboxes to gateway (no explicit namespace = context default)
+# In dev: applies to 'default' namespace. In prod: applies to 'ai' namespace.
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata: