apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-wg-and-200
  namespace: argos-core
spec:
  podSelector: {}
  policyTypes: [Ingress]
  ingress:
    - from:
        - ipBlock: { cidr: 192.168.254.0/24 }   # WireGuard peers
        - ipBlock: { cidr: 192.168.200.0/24 }   # red 200 (acceso interno/admin)