From 1c291cc777922855004452256f78d1c887d661ec Mon Sep 17 00:00:00 2001
From: Shahab Dogar
Date: Sun, 21 Sep 2025 22:35:38 +0500
Subject: [PATCH] sec: add PDB and NetPol for gitea actions runners

---
 gitea/actions/runner.yaml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/gitea/actions/runner.yaml b/gitea/actions/runner.yaml
index 75234ee..11653bd 100644
--- a/gitea/actions/runner.yaml
+++ b/gitea/actions/runner.yaml
@@ -60,3 +60,39 @@ spec:
         volumeMounts:
         - name: runner-data
           mountPath: /data
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: action-runner-pdb
+  namespace: homelab
+spec:
+  minAvailable: 6
+  selector:
+    matchLabels:
+      app: action-runner
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: action-runner-netpol
+  namespace: homelab
+spec:
+  podSelector:
+    matchLabels:
+      app: action-runner
+  policyTypes:
+    - Egress
+  egress:
+    - to: []
+      ports:
+        - protocol: TCP
+          port: 443
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              name: homelab
+      ports:
+        - protocol: TCP
+        - protocol: UDP
+          port: 53
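Review bot: In the second egress rule the first port entry, `- protocol: TCP` with no `port`, permits every TCP port to every pod in the selected namespace, which is far broader than the DNS intent the adjacent `- protocol: UDP` / `port: 53` entry suggests; if TCP fallback for DNS is what is meant, that entry should read `- protocol: TCP` followed by `port: 53`. That rule's `to` also matches only a namespace labelled `name: homelab`, so unless cluster DNS really runs in that namespace (CoreDNS commonly lives in kube-system) and the namespace carries that custom label, the runners lose name resolution once this policy applies — `kubernetes.io/metadata.name` is the label the API server sets automatically and is the safer selector. The first rule's `to: []` allows TCP 443 to any destination, cluster-internal pods and node addresses included; if only external Git or registry hosts are intended, an `ipBlock` with `except` entries for the cluster CIDRs narrows it. The PDB's `minAvailable: 6` blocks every voluntary eviction (node drains, upgrades) if the runner workload, which is defined outside this hunk, has six or fewer replicas; a comment above `minAvailable` stating the replica count it assumes would make that coupling visible.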