diff --git a/deploy/infra/network-policies.yaml b/deploy/infra/network-policies.yaml
index 6625b6b..bd47dd4 100644
--- a/deploy/infra/network-policies.yaml
+++ b/deploy/infra/network-policies.yaml
@@ -25,7 +25,7 @@ spec:
 
   ingress:
     # -------------------------------------------------------------
-    # Allow Traefik (in kube-system) to reach Gitea on port 3000 and 2222
+    # Allow Traefik (internal and public) to reach Gitea on port 3000 (web)
     # -------------------------------------------------------------
     - fromEndpoints:
         - matchLabels:
@@ -39,7 +39,22 @@ spec:
       toPorts:
         - ports:
             - port: "3000"
+    
               protocol: TCP
+
+    # -------------------------------------------------------------
+    # Allow Traefik (internal) to reach Gitea on port 3000 (ssh)
+    # -------------------------------------------------------------
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: traefik
+          matchExpressions:
+            - key: k8s:io.kubernetes.pod.namespace
+              operator: In
+              values:
+                - traefik
+
+      toPorts:
         - ports:
             - port: "2222"
               protocol: TCP
\ No newline at end of file