# Network policies for sandbox isolation
# Sandboxes can only communicate with specific services, not with each other
# or with the Kubernetes API
---
# Default deny all ingress and egress in sandboxes namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: dexorder-sandboxes
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Allow sandboxes to receive connections from gateway (MCP)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-gateway-ingress
  namespace: dexorder-sandboxes
spec:
  podSelector:
    matchLabels:
      dexorder.io/component: sandbox
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: gateway
      ports:
        - protocol: TCP
          port: 3000  # MCP server port
        - protocol: TCP
          port: 5555  # ZeroMQ control channel
---
# Allow sandboxes to connect to required services
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-sandbox-egress
  namespace: dexorder-sandboxes
spec:
  podSelector:
    matchLabels:
      dexorder.io/component: sandbox
  policyTypes:
    - Egress
  egress:
    # DNS resolution (required)
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Gateway (for callbacks)
    - to:
        - podSelector:
            matchLabels:
              app: gateway
      ports:
        - protocol: TCP
          port: 3000
    # Kafka/Redpanda for data subscriptions
    - to:
        - namespaceSelector:
            matchLabels:
              dexorder.io/type: system
          podSelector:
            matchLabels:
              app: redpanda
      ports:
        - protocol: TCP
          port: 9092
    # External HTTPS (for exchange APIs, LLM APIs)
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              # Block access to k8s API server (common ranges)
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
      ports:
        - protocol: TCP
          port: 443
---
# Default namespace: allow ingress from sandboxes to gateway
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-sandbox-callbacks
spec:
  podSelector:
    matchLabels:
      app: gateway
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              dexorder.io/type: sandboxes
      ports:
        - protocol: TCP
          port: 3000