From f1bb238f19b9e0a4b721b360e58b76e4fd21e3fd Mon Sep 17 00:00:00 2001
From: ATM Platform
Date: Tue, 16 Jun 2026 20:04:28 +0000
Subject: [PATCH] fix(netpol): liberar egress ao CIDR de services (ClusterIP) para backups/JWKS
---
 tenants/demo/00-namespace-quota-netpol.yaml | 3 ++-
 tenants/piloto/00-namespace-quota-netpol.yaml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/tenants/demo/00-namespace-quota-netpol.yaml b/tenants/demo/00-namespace-quota-netpol.yaml
index eb31abe..0f06004 100644
--- a/tenants/demo/00-namespace-quota-netpol.yaml
+++ b/tenants/demo/00-namespace-quota-netpol.yaml
@@ -52,8 +52,9 @@ spec:
 matchLabels:
 kubernetes.io/metadata.name: kube-system
 egress:
- - to: # intra-namespace (postgres, keycloak)
+ - to: # intra-namespace (pods) + ClusterIPs (VIP de service, pre-DNAT)
 - podSelector: {}
+ - ipBlock: { cidr: 10.43.0.0/16 }
 - to: # DNS (CoreDNS em kube-system)
 - namespaceSelector:
 matchLabels:
diff --git a/tenants/piloto/00-namespace-quota-netpol.yaml b/tenants/piloto/00-namespace-quota-netpol.yaml
index ad90c1c..de41666 100644
--- a/tenants/piloto/00-namespace-quota-netpol.yaml
+++ b/tenants/piloto/00-namespace-quota-netpol.yaml
@@ -56,8 +56,9 @@ spec:
 matchLabels:
 kubernetes.io/metadata.name: kube-system # Traefik (ingress)
 egress:
- - to: # intra-namespace (postgres, keycloak)
+ - to: # intra-namespace (pods) + ClusterIPs (VIP de service, pre-DNAT)
 - podSelector: {}
+ - ipBlock: { cidr: 10.43.0.0/16 }
 - to: # DNS (CoreDNS em kube-system)
 - namespaceSelector:
 matchLabels:
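Review bot: The added peer `- ipBlock: { cidr: 10.43.0.0/16 }` joins an egress rule with no `ports:` in the visible lines, so it appears to allow this tenant's pods to reach every ClusterIP in the service range on any port, not only the namespace's own services; the tenants/piloto hunk adds the same line. If the CNI evaluates policy before DNAT, as the new comment implies, the `podSelector: {}` peer no longer bounds the destination for service traffic. Cross-tenant isolation would then rest on ingress policies in the destination namespaces, which is worth confirming. Consider moving the ipBlock into its own rule with a `ports:` list limited to what backups and JWKS need. At minimum reword the comment to `# intra-namespace (pods) + ALL ClusterIPs in 10.43.0.0/16 (any namespace, pre-DNAT)` so it is not read as intra-namespace only; the policy spec starts and the egress list continues outside the hunk.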