policy-generator/cmd/policygen/templates/netpol/pod/apiserver.yaml

---
kind: CiliumNetworkPolicy
apiVersion: cilium.io/v2
metadata:
  name: {{.app.Name}}
  namespace: {{.app.Namespace.Name}}
  labels: {{ .labels | toYaml | nindent 4 }}
spec:
  endpointSelector: {{ .app.MatchLabels | toYaml | nindent 4 }}
  {{- if .ingress }}
  ingress:
  - fromEntities:
    - kube-apiserver
    # See https://github.com/cilium/cilium/issues/35401
    - remote-node
  {{- end }}
  {{- if .egress }}
  egress:
  - toEntities:
      - kube-apiserver
  - toPorts:
      - ports:
          - port: "6443"
            protocol: TCP
  {{- end }}