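---
# Default-deny egress for every pod in trivy-system: the empty endpointSelector
# matches all endpoints in the namespace, and once an egress section exists
# Cilium permits only the destinations listed below.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: deny-external-egress
  namespace: trivy-system
  labels:
    app.kubernetes.io/managed-by: argocd
    app.kubernetes.io/part-of: network-policies
spec:
  endpointSelector: {}
  egress:
    # Allow DNS resolution via kube-dns (UDP and TCP, for large responses).
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP
          # L7 DNS rule: sends DNS through Cilium's DNS proxy so the addresses
          # resolved for the toFQDNs rule below are learned and allowed.
          # Without it the toFQDNs entries never populate and the registry
          # egress is silently blocked. "*" permits all lookups; this rule
          # only enables visibility, it does not restrict names.
          rules:
            dns:
              - matchPattern: "*"
    # Allow RFC1918 destinations.
    # NOTE(review): Cilium evaluates toCIDR only against destinations it cannot
    # map to a managed identity, so pod-to-pod traffic inside the cluster is
    # not matched by this rule. If in-cluster access is the intent, confirm and
    # consider `toEntities: [cluster]` instead.
    - toCIDR:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
    # Allow Trivy vulnerability DB downloads from the ghcr.io OCI registry
    # (pkg-containers.githubusercontent.com is presumably the host blob
    # downloads redirect to — verify against the registry's behaviour).
    - toFQDNs:
        - matchName: ghcr.io
        - matchName: pkg-containers.githubusercontent.com
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP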