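---
# Egress allow-list for every pod in the `cicd` namespace (endpointSelector: {}).
# Once any egress rule selects an endpoint, Cilium denies all other egress from
# it, so each destination a build needs must be listed here explicitly.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: cicd-egress
  namespace: cicd
spec:
  endpointSelector: {}
  egress:
    # Tekton entrypoint sidecar updates TaskRun status via the K8s API.
    # NOTE(review): assumes the API server endpoint is on 443 — confirm on this
    # cluster (some distributions expose it on 6443).
    - toEntities:
        - kube-apiserver
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
    # Push built images to Harbor registry in-cluster.
    # NOTE(review): 80/TCP is plaintext, so registry credentials cross the
    # cluster network unencrypted unless the datapath itself is encrypted.
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: harbor
            app: harbor
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
    # Git clone from internal Forgejo.
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: forgejo
            app: forgejo
      toPorts:
        - ports:
            - port: "3000"
              protocol: TCP
    # Tool downloads (kubeconform), schema lookups — HTTPS only.
    # Scoped to 443/TCP: an unrestricted `world` rule would let any pod in the
    # namespace reach arbitrary internet ports. Add 80/TCP deliberately if a
    # download source turns out to need plain HTTP.
    - toEntities:
        - world
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
    # NOTE(review): nothing above permits DNS to kube-dns (it is a `cluster`
    # destination, not `world`); the by-name Harbor/Forgejo/world lookups rely
    # on another policy allowing 53/UDP+TCP toward kube-system — confirm.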