fix: allow Kyverno egress to Gitea external for registry token exchange

After changing Gitea ROOT_URL to https://git.georgepet.duckdns.org, the registry V2 auth challenge redirects to the external URL. Kyverno needs to reach 185.47.204.231:443 for token exchange. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 21:29:00 +01:00 · 2026-02-24 21:29:00 +01:00 · 17e55ae0c9
commit 17e55ae0c9
parent cd49407c75
1 changed files with 14 additions and 0 deletions
--- a/apps/infra-network-policies/kyverno.yaml
+++ b/apps/infra-network-policies/kyverno.yaml
@ -59,6 +59,13 @@ spec:
      ports:
        - port: 3000
          protocol: TCP
+    # Gitea external (registry token exchange via ROOT_URL)
+    - to:
+        - ipBlock:
+            cidr: 185.47.204.231/32
+      ports:
+        - port: 443
+          protocol: TCP
 ---
 # Background controller: K8s API + registry
 apiVersion: networking.k8s.io/v1
@ -84,6 +91,13 @@ spec:
      ports:
        - port: 3000
          protocol: TCP
+    # Gitea external (registry token exchange via ROOT_URL)
+    - to:
+        - ipBlock:
+            cidr: 185.47.204.231/32
+      ports:
+        - port: 443
+          protocol: TCP
 ---
 # Cleanup controller: K8s API only
 apiVersion: networking.k8s.io/v1