{{- if not .app.Namespace.Open }}
---
# Per-app CiliumNetworkPolicy for traffic between the selected endpoints and
# the Kubernetes API server. Rendered only when .app.Namespace.Open is false.
# The ingress and egress sections are emitted independently, gated on
# .ingress and .egress.
kind: CiliumNetworkPolicy
apiVersion: cilium.io/v2
metadata:
  # NOTE(review): name and namespace are rendered unquoted. A value that YAML
  # types as a non-string (all digits, true, null) would yield an invalid
  # manifest; consider quoting the templated scalars.
  name: {{.app.Name}}-apiserver
  namespace: {{.app.Namespace.Name}}
  # toJson output is JSON, which YAML parses as a flow mapping.
  labels: {{ .labels | toJson }}
spec:
  endpointSelector:
    # NOTE(review): if both values render empty or null, the selector
    # presumably matches every endpoint in the namespace. Confirm callers
    # always supply at least one of them.
    matchLabels: {{ .app.MatchLabels | toJson }}
    matchExpressions: {{ .app.MatchExpressions | toJson }}
  {{- if .ingress }}
  ingress:
  # No toPorts here, so the listed entities are allowed on every port and
  # protocol of the selected endpoints.
  - fromEntities:
    - kube-apiserver
    # See https://github.com/cilium/cilium/issues/35401
    # NOTE(review): remote-node matches every other node in the cluster,
    # including host-network workloads on those nodes, so this is broader
    # than the API server alone. Revisit once the linked issue allows it.
    - remote-node
  {{- end }}
  {{- if .egress }}
  egress:
  # Rule 1: any port and protocol towards the kube-apiserver entity.
  - toEntities:
      - kube-apiserver
  # Rule 2 is a separate list item with no L3 selector (no toEntities,
  # toEndpoints or toCIDR).
  # NOTE(review): Cilium treats a toPorts-only rule as "any destination", so
  # this appears to allow TCP/6443 to every address, not only the API server.
  # Confirm this is intended; if not, restrict the rule with an L3 selector.
  - toPorts:
      - ports:
          - port: "6443"
            protocol: TCP
  {{- end }}

  {{- end }}