apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-repo-to-gitea
  namespace: argocd
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server

  policyTypes:
    - Egress

  egress:
    # Beispiel: nur DNS erlauben (anpassen, falls du mehr brauchst)
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53