NetworkPolicy - ingress

deploy/infra/kustomization.yaml

@@ -5,6 +5,7 @@ resources:
   - continuous-deploy-account.yaml
   - network-policies/egress.yaml
   - network-policies/egress-local-services.yaml
+  - network-policies/ingress.yaml
 generatorOptions:
   disableNameSuffixHash: true
 

deploy/infra/network-policies/ingress.yaml

@@ -0,0 +1,47 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: git-limbosolutions-com-ingress
+  namespace: git-limbosolutions-com
+spec:
+  # Apply this policy only to the Gitea pods
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: gitea
+
+  policyTypes:
+    - Ingress
+
+  ingress:
+    # ---------------------------------------------------------------------
+    # Allow HTTPS (3000) ONLY from Traefik running in kube-system
+    # ---------------------------------------------------------------------
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: traefik
+      ports:
+        - protocol: TCP
+          port: http   # HTTPS routed by Traefik
+
+    # ---------------------------------------------------------------------
+    # Allow SSH (2222) from the internet, but block all internal traffic
+    #
+    #    - cidr: 0.0.0.0/0 allows all external IPs
+    #    - except: blocks all cluster networks
+    #
+    #    This forces ALL SSH traffic to come through external firewall
+    #    ,preventing pod-to-pod or service-to-pod SSH access.
+    # ---------------------------------------------------------------------
+    - from:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+            except:
+              - 10.0.0.0/16      # Pod network (blocks all pods)
+              - 10.43.0.0/16     # Service network (blocks ClusterIP access)
+      ports:
+        - protocol: TCP
+          port: ssh   # ssh port routed by firewall