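# NetworkPolicies for the gitea-db CNPG cluster.
#
# The databases namespace has a default-deny-all policy; each cluster needs
# explicit egress-to-kube-api, ingress-from-cnpg-operator, and
# ingress-from-app-namespace policies.
#
# NetworkPolicies are additive: a pod selected by cnpg.io/cluster=gitea-db is
# allowed exactly the union of the rules below plus any other policy in the
# namespace that selects it.
#
# NOTE(review): nothing in this file admits traffic between the gitea-db
# instances themselves. If the cluster runs more than one instance, streaming
# replication on 5432 needs its own ingress/egress rule selecting
# cnpg.io/cluster=gitea-db - confirm whether that is defined elsewhere.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-kube-api-gitea-db
  namespace: databases
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: gitea-db
  policyTypes:
    - Egress
  egress:
    # This rule has ports but no `to:` clause, so it permits TCP/6443 to ANY
    # destination, not only the Kubernetes API server.
    # NOTE(review): if the API server endpoints are stable, add a `to:` ipBlock
    # to narrow this. Presumably 6443 is the API server backend port seen after
    # Service DNAT; whether policy matches that or the Service port depends on
    # the CNI - confirm.
    - ports:
        - port: 6443
          protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-cnpg-operator-gitea-db
  namespace: databases
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: gitea-db
  policyTypes:
    - Ingress
  ingress:
    # The peer is selected by namespace only, so every pod in cnpg-system (not
    # just the operator) may reach the three ports below.
    # kubernetes.io/metadata.name is set by the control plane to the namespace
    # name, so another namespace cannot claim it.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: cnpg-system
      ports:
        # PostgreSQL.
        - port: 5432
          protocol: TCP
        # Presumably the CNPG instance-manager status endpoint - confirm.
        - port: 8000
          protocol: TCP
        # Presumably the metrics exporter endpoint - confirm.
        - port: 9187
          protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-default-gitea-db
  namespace: databases
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: gitea-db
  policyTypes:
    - Ingress
  ingress:
    # Application access: any pod in the `default` namespace may open
    # PostgreSQL connections to gitea-db.
    # NOTE(review): `default` can hold unrelated workloads. Adding a
    # podSelector next to namespaceSelector in the same `from` element (the two
    # are ANDed) would limit this to the Gitea pods; their labels are not
    # visible in this file.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: default
      ports:
        - port: 5432
          protocol: TCP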