From 20360ff1dcdff40d7cd7845e8f880b65c266e73f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A1rcio=20Fernandes?= <marcio.fernandes@outlook.pt>
Date: Sun, 12 Apr 2026 13:21:30 +0000
Subject: [PATCH] network policy:  remove 2222 from traefik public ingress

---
 deploy/infra/network-policies.yaml | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/deploy/infra/network-policies.yaml b/deploy/infra/network-policies.yaml
index 6625b6b..bd47dd4 100644
--- a/deploy/infra/network-policies.yaml
+++ b/deploy/infra/network-policies.yaml
@@ -25,7 +25,7 @@ spec:
 
   ingress:
     # -------------------------------------------------------------
-    # Allow Traefik (in kube-system) to reach Gitea on port 3000 and 2222
+    # Allow Traefik (internal and public) to reach Gitea on port 3000 (web)
     # -------------------------------------------------------------
     - fromEndpoints:
         - matchLabels:
@@ -39,7 +39,22 @@ spec:
       toPorts:
         - ports:
             - port: "3000"
+    
               protocol: TCP
+
+    # -------------------------------------------------------------
+    # Allow Traefik (internal) to reach Gitea on port 3000 (ssh)
+    # -------------------------------------------------------------
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: traefik
+          matchExpressions:
+            - key: k8s:io.kubernetes.pod.namespace
+              operator: In
+              values:
+                - traefik
+
+      toPorts:
         - ports:
             - port: "2222"
               protocol: TCP
\ No newline at end of file