git.limbosolutions.com/deploy/infra/network-policies.yaml
Márcio Fernandes 9b36b595b8
deploy: clean up network policies
2026-03-22 13:07:25 +00:00


# Ingress baseline: the empty endpointSelector selects every endpoint in the
# namespace this policy is applied to.
# NOTE(review): metadata.namespace is not set here, unlike the postgresql and
# valkey policies in this file, which pin git-limbosolutions-com. The policy
# lands in whatever namespace the deploy tooling supplies; confirm that this is
# the namespace the workloads run in, otherwise the baseline does not cover
# them.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: deny-default
spec:
  endpointSelector: {}
  # The single deny rule carries an empty peer list, so it names no source.
  # NOTE(review): presumably the intent is only to switch the selected
  # endpoints into ingress default-deny, leaving the allow policies as the only
  # way in. Cilium's documented form for that is `ingress: [{}]`; verify on the
  # running Cilium version that an empty ingressDeny rule has the same effect
  # (a connection from an unlabelled pod to postgresql should be dropped).
  # Do not change this to `fromEndpoints: [{}]`: deny rules take precedence
  # over allow rules, so that form would override every allow in this file.
  ingressDeny:
    - fromEndpoints: []
---
# Ingress allow-list for pods labelled app.kubernetes.io/name=gitea:
# HTTP (3000/TCP) from Traefik, SSH (2222/TCP) from any IPv4 CIDR.
# NOTE(review): metadata.namespace is not set, unlike the postgresql and valkey
# policies in this file; confirm the deploy tooling applies this policy in the
# namespace where Gitea runs.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-gitea-ingress
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: gitea
  ingress:
    # Traefik -> Gitea on 3000/TCP. The namespace expression is what lets the
    # selector reach into kube-system.
    # NOTE(review): trust here is purely label-based: any pod in kube-system
    # that carries app.kubernetes.io/name=traefik matches. Keep pod creation
    # and labelling rights in kube-system restricted accordingly.
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/name: traefik
          matchExpressions:
            - key: k8s:io.kubernetes.pod.namespace
              operator: In
              values:
                - kube-system
      toPorts:
        - ports:
            - port: "3000"
              protocol: TCP
    # Git over SSH on 2222/TCP with no source restriction at this layer:
    # 0.0.0.0/0 covers every IPv4 address, so authentication and brute-force
    # protection rest on the SSH server itself.
    # NOTE(review): there is no ::/0 entry, so IPv6 clients are not covered by
    # this rule. Cilium CIDR rules also do not match peers it manages (pods) or
    # cluster node IPs; if SSH reaches the pod via a load balancer or NodePort
    # that rewrites the source to a node address, this rule may not match;
    # verify with a real external connection.
    - fromCIDRSet:
        - cidr: 0.0.0.0/0
      toPorts:
        - ports:
            - port: "2222"
              protocol: TCP
---
# Ingress allow-list for pods labelled app.kubernetes.io/name=postgresql in
# git-limbosolutions-com: only 5432/TCP, only from the two peer selectors
# below (a peer matching either selector is allowed).
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-postgresql-ingress
  namespace: git-limbosolutions-com
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: postgresql
  ingress:
    - fromEndpoints:
        # Gitea pods in the same namespace.
        - matchLabels:
            app.kubernetes.io/name: gitea
          matchExpressions:
            - key: k8s:io.kubernetes.pod.namespace
              operator: In
              values:
                - git-limbosolutions-com
        # Opt-in access: any pod in the namespace labelled dbAccess=true.
        # NOTE(review): whoever can create or relabel pods in this namespace
        # can grant themselves network reachability to the database by adding
        # this label. The policy only gates the connection; database
        # credentials remain the actual access control. Consider auditing
        # which workloads carry the label.
        - matchLabels:
            dbAccess: "true"
          matchExpressions:
            - key: k8s:io.kubernetes.pod.namespace
              operator: In
              values:
                - git-limbosolutions-com
      # The port restriction applies to both selectors above.
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP
---
# Ingress allow-list for pods labelled app.kubernetes.io/name=valkey in
# git-limbosolutions-com: only 6379/TCP, only from Gitea pods in the same
# namespace.
# NOTE(review): the rule is L3/L4 only; whether Valkey additionally requires
# authentication is not visible here; confirm in the Valkey configuration.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-valkey-ingress
  namespace: git-limbosolutions-com
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: valkey
  ingress:
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/name: gitea
          matchExpressions:
            - key: k8s:io.kubernetes.pod.namespace
              operator: In
              values:
                - git-limbosolutions-com
      toPorts:
        - ports:
            - port: "6379"
              protocol: TCP