feat(helm): add opt-in NetworkPolicy to restrict ingress/egress#98
Merged
Conversation
Signed-off-by: Bhavya <bhavyajain3004@gmail.com>
|
🚀 First PR — welcome aboard! A few things to expect:
If you get stuck, reply here or jump to Discussions. We want this PR to land. |
github-actions
Bot
added
level:intermediate
btwshivam
requested changes
May 31, 2026
Member
btwshivam
left a comment
btwshivam
left a comment
There was a problem hiding this comment.
the policy targets a hostNetwork daemonset, so a standard NetworkPolicy doesn't enforce on it and restricts nothing, despite the docs saying deny-by-default. make the docs honest about that (or rethink the mechanism), plus the open-egress default. also the readme mentions /debug/pprof, which isn't implemented and the policy only opens the metrics port.
Signed-off-by: Bhavya <bhavyajain3004@gmail.com>
github-actions
Bot
added
the
level:intermediate
btwshivam
approved these changes
Jun 6, 2026
Member
btwshivam
left a comment
btwshivam
left a comment
There was a problem hiding this comment.
thanks for the fix, the hostNetwork caveat is documented honestly now and empty cidrs deny instead of allow. verified the render both ways.
Member
|
/lgtm |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds an opt-in
NetworkPolicytemplate to the Kerno Helm chart to secure network traffic for the DaemonSet agent pods by restricting ingress and egress by default.Why
Fixes #43
How
networkPolicydefaults tovalues.yaml(disabled by default) specifying ingress targets for Prometheus and egress targets for DNS, Kubelet, and Kubernetes API server.templates/networkpolicy.yamlsupporting custom ingress (additionalIngress) and egress (additionalEgress) rules, with clean YAML list formatting (no bullet points on empty lines).deploy/helm/kerno/README.mdand updated rootREADME.md.Testing
go build ./...passes (validated usingGOOS=linux go build ./...)go test ./...passes (validated compile cleanly viaGOOS=linux go test -c)go vet ./...passesgolangci-lint run ./...passes (no Go code modified, vet is clean)Tested locally with:
helm lint deploy/helm/kernoandhelm templatechecksN/A — pure docs/refactor / helm templates
Checklist
feat(helm): add opt-in NetworkPolicy to restrict traffic)git commit -s)scripts/verify.sh(N/A)