# 示例：后端 Namespace 仅允许来自 kube-system（Traefik）的入站
# 将 namespace、podSelector、端口改为你的应用标签与 Service 端口。
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-from-traefik-example
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: TCP
          port: 80