Add SIP/RTP NetworkPolicy rules for Asterisk PBX ingress and egress

2026-03-11 08:19:12 +00:00
parent e50f556aa1
commit 8bb1279800
1 changed files with 25 additions and 1 deletions
--- a/apps/telephony/telephony.yaml
+++ b/apps/telephony/telephony.yaml
@@ -202,7 +202,7 @@ spec:
  tls:
    secretName: cf-origin-flowercore-io
 ---
-# NetworkPolicy: deny-all baseline + Traefik ingress + DNS egress + edge1 TTS egress
+# NetworkPolicy: deny-all baseline + Traefik ingress + SIP/RTP ingress + DNS egress + TTS egress
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -219,6 +219,18 @@ spec:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik-system
+    # Allow SIP/RTP from external sources (Yealink phones, Twilio SIP trunk)
+    - from:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+      ports:
+        - port: 5060
+          protocol: UDP
+        - port: 5060
+          protocol: TCP
+        - port: 10000
+          endPort: 20000
+          protocol: UDP
  egress:
    # Allow DNS resolution (CoreDNS in kube-system)
    - to:
@@ -248,6 +260,18 @@ spec:
      ports:
        - port: 443
          protocol: TCP
+    # Allow SIP/RTP responses (Asterisk → phones and Twilio)
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+      ports:
+        - port: 5060
+          protocol: UDP
+        - port: 5060
+          protocol: TCP
+        - port: 10000
+          endPort: 20000
+          protocol: UDP
    # Allow 1Password Connect for secret sync
    - to:
        - namespaceSelector: