bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 14 Actions Packages Projects Releases Wiki Activity

Add SIP/RTP NetworkPolicy rules for Asterisk PBX ingress and egress

Browse Source
This commit is contained in:
bluejay
2026-03-11 08:19:12 +00:00
parent e50f556aa1
commit 8bb1279800
1 changed files with 25 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
apps/telephony/telephony.yaml
View File

@@ -202,7 +202,7 @@ spec:
tls: tls:
secretName: cf-origin-flowercore-io secretName: cf-origin-flowercore-io
--- ---
# NetworkPolicy: deny-all baseline + Traefik ingress + DNS egress + edge1 TTS egress # NetworkPolicy: deny-all baseline + Traefik ingress + SIP/RTP ingress + DNS egress + TTS egress
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: NetworkPolicy kind: NetworkPolicy
metadata: metadata:
@@ -219,6 +219,18 @@ spec:
- namespaceSelector: - namespaceSelector:
matchLabels: matchLabels:
kubernetes.io/metadata.name: traefik-system kubernetes.io/metadata.name: traefik-system
# Allow SIP/RTP from external sources (Yealink phones, Twilio SIP trunk)
- from:
- ipBlock:
cidr: 0.0.0.0/0
ports:
- port: 5060
protocol: UDP
- port: 5060
protocol: TCP
- port: 10000
endPort: 20000
protocol: UDP
egress: egress:
# Allow DNS resolution (CoreDNS in kube-system) # Allow DNS resolution (CoreDNS in kube-system)
- to: - to:
@@ -248,6 +260,18 @@ spec:
ports: ports:
- port: 443 - port: 443
protocol: TCP protocol: TCP
# Allow SIP/RTP responses (Asterisk → phones and Twilio)
- to:
- ipBlock:
cidr: 0.0.0.0/0
ports:
- port: 5060
protocol: UDP
- port: 5060
protocol: TCP
- port: 10000
endPort: 20000
protocol: UDP
# Allow 1Password Connect for secret sync # Allow 1Password Connect for secret sync
- to: - to:
- namespaceSelector: - namespaceSelector: