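---
# Ingress policies for the Gitea stack (Gitea, PostgreSQL, Valkey).
# All four documents are pinned to the same namespace so the baseline and the
# allow rules always land next to the workloads they select.

# Baseline: the empty endpointSelector selects every endpoint in the
# namespace; the ingressDeny rule carries an empty fromEndpoints list, so it
# names no peers itself.
# NOTE(review): confirm on the deployed Cilium version that this puts the
# selected endpoints into ingress default-deny. Cilium's documented
# default-deny pattern is an empty allow rule (`ingress: [{}]`). Deny rules
# take precedence over allow rules, so a deny rule that did match peers would
# also override the allow policies below.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: deny-default
  # Set explicitly, matching the PostgreSQL and Valkey policies. Without it
  # the policy is created in whatever namespace the apply context supplies,
  # and the intended namespace can be left without its baseline.
  namespace: git-limbosolutions-com
spec:
  endpointSelector: {}
  ingressDeny:
    - fromEndpoints: []
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-gitea-ingress
  # Set explicitly for the same reason as deny-default; the PostgreSQL policy
  # below expects Gitea pods in this namespace.
  namespace: git-limbosolutions-com
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: gitea
  ingress:
    # -------------------------------------------------------------
    # Allow Traefik (in kube-system) to reach Gitea on port 3000
    # -------------------------------------------------------------
    # The namespace expression is required here: fromEndpoints in a
    # namespaced policy only matches peers in the policy's own namespace
    # unless the namespace label is given.
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/name: traefik
          matchExpressions:
            - key: k8s:io.kubernetes.pod.namespace
              operator: In
              values:
                - kube-system
      toPorts:
        - ports:
            - port: "3000"
              protocol: TCP
    # -------------------------------------------------------------
    # Allow SSH (2222)
    # -------------------------------------------------------------
    # 0.0.0.0/0 admits every IPv4 source, so Gitea's own SSH key
    # authentication is the only gate on this port; narrow the CIDR if the
    # client ranges are known. IPv6 clients are not covered (no ::/0 entry).
    # CIDR rules do not match Cilium-managed pods or cluster nodes.
    # NOTE(review): if the SSH Service SNATs client traffic to a node address
    # (e.g. externalTrafficPolicy: Cluster), this rule may not match - verify
    # against the Service definition.
    - fromCIDRSet:
        - cidr: 0.0.0.0/0
      toPorts:
        - ports:
            - port: "2222"
              protocol: TCP
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-postgresql-ingress
  namespace: git-limbosolutions-com
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: postgresql
  ingress:
    - fromEndpoints:
        # Gitea pods in this namespace.
        - matchLabels:
            app.kubernetes.io/name: gitea
          matchExpressions:
            - key: k8s:io.kubernetes.pod.namespace
              operator: In
              values:
                - git-limbosolutions-com
        # Any pod in this namespace labelled dbAccess=true. The label is the
        # whole grant: whoever can create or relabel pods in the namespace
        # can reach 5432, so keep that RBAC tight and keep database
        # authentication in place.
        - matchLabels:
            dbAccess: "true"
          matchExpressions:
            - key: k8s:io.kubernetes.pod.namespace
              operator: In
              values:
                - git-limbosolutions-com
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-valkey-ingress
  namespace: git-limbosolutions-com
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: valkey
  ingress:
    # Only Gitea pods in this namespace may reach Valkey on 6379.
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/name: gitea
          matchExpressions:
            - key: k8s:io.kubernetes.pod.namespace
              operator: In
              values:
                - git-limbosolutions-com
      toPorts:
        - ports:
            - port: "6379"
              protocol: TCP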