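---
# ----------------------------------------------------
# Ingress only from Gateway API
# ----------------------------------------------------
# Selecting app=forgejo with an ingress section puts the pod into
# default-deny for every ingress source not listed here.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-ingress
  namespace: forgejo
spec:
  endpointSelector:
    matchLabels:
      app: forgejo
  ingress:
    - fromEntities:
        - ingress
      toPorts:
        - ports:
            - port: "3000"
              protocol: TCP
# ---
# # ----------------------------------------------------
# # CI runner access (in-cluster service)
# # ----------------------------------------------------
# apiVersion: cilium.io/v2
# kind: CiliumNetworkPolicy
# metadata:
#   name: allow-ci-runner
#   namespace: forgejo
# spec:
#   endpointSelector:
#     matchLabels:
#       app: forgejo
#
#   egress:
#     - toEndpoints:
#         - matchLabels:
#             app: ci-runner  # adjust to your runner labels
#       toPorts:
#         - ports:
#             - port: "80"
#               protocol: TCP
#             - port: "443"
#               protocol: TCP
---
# ----------------------------------------------------
# External git providers (FQDN restricted)
# ----------------------------------------------------
# The separator above must stay active (not commented out):
# without it this policy is parsed into the same YAML document as
# allow-ingress, and the duplicate top-level keys silently replace
# the ingress policy instead of adding a second one.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-git-egress
  namespace: forgejo
spec:
  endpointSelector:
    matchLabels:
      app: forgejo
  egress:
    # Once an egress section selects the pod, every egress not listed
    # here is denied, including DNS. toFQDNs only works when Cilium
    # observes the pod's DNS answers through its DNS proxy, so DNS to
    # kube-dns must be allowed with an L7 dns rule. The rule governs
    # DNS visibility only; reachable destinations are still limited
    # by the toFQDNs entry below.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s:k8s-app: kube-dns  # adjust to your cluster DNS labels
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    - toFQDNs:
        - matchName: github.com
        - matchName: api.github.com
        - matchName: raw.githubusercontent.com
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
---
# ----------------------------------------------------
# OPTIONAL: unrestricted egress (disabled by default)
# Enable ONLY when required for troubleshooting or apps
# ----------------------------------------------------
# Cilium allow rules are additive: while this policy is applied the
# FQDN restriction in allow-git-egress no longer limits egress on
# ports 80 and 443. Remove it again once troubleshooting is done.
# apiVersion: cilium.io/v2
# kind: CiliumNetworkPolicy
# metadata:
#   name: allow-all-egress
#   namespace: forgejo
# spec:
#   endpointSelector:
#     matchLabels:
#       app: forgejo
#
#   egress:
#     - toEntities:
#         - world
#       toPorts:
#         - ports:
#             - port: "443"
#               protocol: TCP
#             - port: "80"
#               protocol: TCP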