diff --git a/deploy/infra/kustomization.yaml b/deploy/infra/kustomization.yaml
index fa04b41..e34e100 100644
--- a/deploy/infra/kustomization.yaml
+++ b/deploy/infra/kustomization.yaml
@@ -5,6 +5,7 @@ resources: - continuous-deploy-account.yaml - network-policies/egress.yaml - network-policies/egress-local-services.yaml + - network-policies/ingress.yaml generatorOptions: disableNameSuffixHash: true
diff --git a/deploy/infra/network-policies/ingress.yaml b/deploy/infra/network-policies/ingress.yaml
new file mode 100644
index 0000000..2ab2a7d
--- /dev/null
+++ b/deploy/infra/network-policies/ingress.yaml
@@ -0,0 +1,47 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: git-limbosolutions-com-ingress
+ namespace: git-limbosolutions-com
+spec:
+ # Apply this policy only to the Gitea pods
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: gitea
+
+ policyTypes:
+ - Ingress
+
+ ingress:
+ # ---------------------------------------------------------------------
+ # Allow HTTPS (3000) ONLY from Traefik running in kube-system
+ # ---------------------------------------------------------------------
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: traefik
+ ports:
+ - protocol: TCP
+ port: http # HTTPS routed by Traefik
+
+ # ---------------------------------------------------------------------
+ # Allow SSH (2222) from the internet, but block all internal traffic
+ #
+ # - cidr: 0.0.0.0/0 allows all external IPs
+ # - except: blocks all cluster networks
+ #
+ # This forces ALL SSH traffic to come through external firewall
+ # ,preventing pod-to-pod or service-to-pod SSH access.
+ # ---------------------------------------------------------------------
+ - from:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 10.0.0.0/16 # Pod network (blocks all pods)
+ - 10.43.0.0/16 # Service network (blocks ClusterIP access)
+ ports:
+ - protocol: TCP
+ port: ssh # ssh port routed by firewall
\ No newline at end of file
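Review bot: The `except` list under `ipBlock` is the only thing keeping the SSH rule from being an allow-all, and its entries look mismatched: `10.43.0.0/16` is the k3s default service CIDR, whose default pod CIDR is `10.42.0.0/16` rather than `10.0.0.0/16`, so unless this cluster was deployed with a custom `--cluster-cidr` the "Pod network" exception blocks nothing and any pod can reach Gitea SSH (verify with `kubectl get nodes -o jsonpath='{.items[*].spec.podCIDR}'`). The service-CIDR entry is also largely ineffective as written, because NetworkPolicy typically evaluates the source IP after ClusterIP DNAT, which is the client pod's IP, so ClusterIP access is only blocked if the pod-CIDR entry is correct. `ipBlock` likewise cannot exclude hostNetwork pods or traffic SNAT'd to a node IP (e.g. a LoadBalancer/NodePort service without `externalTrafficPolicy: Local`), so the comment `blocks all pods` over-promises; I would change it to `# Pod network -- verify against the cluster's --cluster-cidr; hostNetwork pods and node-SNAT'd traffic are not covered`. Both rules use named ports (`http`, `ssh`), and if the Gitea pod spec does not declare containerPorts with exactly those names the rules match nothing and all ingress is dropped, so the `(3000)`/`(2222)` in the comments should be checked against the Deployment. The file also lacks a trailing newline.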