diff --git a/apps/infra-network-policies/kyverno.yaml b/apps/infra-network-policies/kyverno.yaml
index 1ddd335..4be709a 100644
--- a/apps/infra-network-policies/kyverno.yaml
+++ b/apps/infra-network-policies/kyverno.yaml
@@ -59,6 +59,13 @@ spec:
       ports:
         - port: 3000
           protocol: TCP
+    # Gitea external (registry token exchange via ROOT_URL)
+    - to:
+        - ipBlock:
+            cidr: 185.47.204.231/32
+      ports:
+        - port: 443
+          protocol: TCP
 ---
 # Background controller: K8s API + registry
 apiVersion: networking.k8s.io/v1
@@ -84,6 +91,13 @@ spec:
       ports:
         - port: 3000
           protocol: TCP
+    # Gitea external (registry token exchange via ROOT_URL)
+    - to:
+        - ipBlock:
+            cidr: 185.47.204.231/32
+      ports:
+        - port: 443
+          protocol: TCP
 ---
 # Cleanup controller: K8s API only
 apiVersion: networking.k8s.io/v1