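---
# NetworkPolicy for the Gitea deployment: admits web traffic only from the
# in-cluster Traefik ingress and SSH only from outside the cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: git-limbosolutions-com-ingress
  namespace: git-limbosolutions-com
spec:
  # Apply this policy only to the Gitea pods
  podSelector:
    matchLabels:
      app.kubernetes.io/name: gitea
  # Only Ingress is listed, so egress from the Gitea pods is not restricted
  # by this policy.
  policyTypes:
    - Ingress
  ingress:
    # -------------------------------------------------------------------
    # Allow the web port (container port named "http", 3000) ONLY from
    # Traefik running in kube-system. The port is named "http", not "https":
    # TLS is handled by Traefik in front of the pod, so this rule admits
    # plain HTTP from Traefik only.
    #
    # namespaceSelector and podSelector are in the SAME "from" entry, so
    # both must match (AND). Splitting them into two list items would OR
    # them and admit every pod in kube-system.
    # -------------------------------------------------------------------
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - protocol: TCP
          port: http  # named container port; HTTPS is routed by Traefik
    # -------------------------------------------------------------------
    # Allow SSH (container port named "ssh", 2222) from the internet, but
    # block all internal traffic:
    #
    #   - cidr: 0.0.0.0/0 allows all external IPs
    #   - except: blocks all cluster networks
    #
    # This forces ALL SSH traffic to come through the external firewall,
    # preventing pod-to-pod or service-to-pod SSH access.
    #
    # Caveats (verify against this cluster):
    #   - The except CIDRs must equal the cluster's configured pod and
    #     service CIDRs; a mismatch silently re-opens in-cluster SSH.
    #   - ipBlock matches the source IP as the pod sees it. If the
    #     LoadBalancer/NodePort path SNATs to a node IP, the node network is
    #     neither listed here nor blocked, and host-network pods on the
    #     nodes are likewise not excluded.
    # -------------------------------------------------------------------
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/16  # Pod network (blocks all pods)
              - 10.43.0.0/16  # Service network (blocks ClusterIP access)
      ports:
        - protocol: TCP
          port: ssh  # named container port; routed by the external firewall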