apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: deny-app-policy
spec:
  namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system"}
  types:
  - Ingress
  - Egress
  egress:
  # allow all namespaces to communicate to DNS pods
  - action: Allow
    protocol: UDP
    destination:
      selector: 'k8s-app == "kube-dns"'
      ports:
      - 53
---
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: restrict-log4j-ns
  namespace: log4j-demo
spec:
  types:
  - Ingress
  - Egress
  ingress:
  - action: Allow
    metadata:
      annotations:
        from: www
        to: vuln-server
    protocol: TCP
    destination:
      ports:
      - 8080
  egress:
  - action: Allow
    metadata:
      annotations:
        from: vuln-server
        to: www
    protocol: TCP
    source:
      ports:
      - 8080