From ac3e98b54ea5579f702e37765a2f73862224ffd6 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Fri, 19 Jun 2026 11:03:43 +0530 Subject: [PATCH 1/2] docs(setup): document global.networkPolicy configuration Signed-off-by: Tamal Saha --- docs/setup/install/kubestash/configuration.md | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/docs/setup/install/kubestash/configuration.md b/docs/setup/install/kubestash/configuration.md index 3bc22b4..55c0143 100644 --- a/docs/setup/install/kubestash/configuration.md +++ b/docs/setup/install/kubestash/configuration.md 
@@ -16,6 +16,46 @@ section_menu_id: setup The steps below apply regardless of which [installation method](/docs/setup/install/kubestash/) you used. +## Network Policy + +KubeStash can optionally generate NetworkPolicies that restrict traffic to and from the KubeStash operator and webhook server pods so only the required communication is allowed. This is disabled by default. Enable it through `global.networkPolicy`: + +```yaml +global: + # Controls the network policy creation + networkPolicy: + enabled: false + # flavor selects which network policy API is used. + # Accepted values: "kubernetes" (default) or "cilium". + flavor: kubernetes +``` + +Set `enabled: true` to create the policies. The `flavor` field selects which API the generated policies target: `kubernetes` (the built-in `networking.k8s.io` `NetworkPolicy`, the default) or `cilium` (Cilium's `CiliumNetworkPolicy`, for clusters running the Cilium CNI). + +Enable it inline with `--set`: + +```bash +$ helm upgrade -i kubestash oci://ghcr.io/appscode-charts/kubestash \ + --version {{< param "info.version" >}} \ + --namespace stash --create-namespace \ + --set-file global.license=/path/to/the/license.txt \ + --set global.networkPolicy.enabled=true \ + --set global.networkPolicy.flavor=kubernetes \ + --wait --burst-limit=10000 --debug +``` + +### Required network communication + +KubeStash does not need any connectivity outside the cluster. It can run fully disconnected from the internet, as long as every required image is cached in a registry the cluster can reach (see the [offline installation guide](/docs/setup/install/kubestash/helm.md)). + +Within the cluster, the following paths must stay open. When `global.networkPolicy.enabled` is `true`, the generated policies allow exactly these; if you maintain your own policies, make sure to permit them yourself: + +1. KubeStash operator to the kube-apiserver. +2. KubeStash operator to DNS. +3. 
kube-apiserver to the webhook server, for the mutating, validating, and conversion webhook endpoints. + +In addition, backup and restore jobs need to reach the workloads they protect and the object storage backend (S3, MinIO, and similar). + ## Verify installation To check if KubeStash operator and webhook pods have started, run the following command: From 5ea68e977f6262434ac7164a0e6a14311fa2f487 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Fri, 19 Jun 2026 17:04:47 +0530 Subject: [PATCH 2/2] Update configuration.md Signed-off-by: Tamal Saha --- docs/setup/install/kubestash/configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/setup/install/kubestash/configuration.md b/docs/setup/install/kubestash/configuration.md index 55c0143..cabe234 100644 --- a/docs/setup/install/kubestash/configuration.md +++ b/docs/setup/install/kubestash/configuration.md @@ -46,7 +46,7 @@ $ helm upgrade -i kubestash oci://ghcr.io/appscode-charts/kubestash \ ### Required network communication -KubeStash does not need any connectivity outside the cluster. It can run fully disconnected from the internet, as long as every required image is cached in a registry the cluster can reach (see the [offline installation guide](/docs/setup/install/kubestash/helm.md)). +KubeStash can run fully disconnected from the internet, as long as every required image is cached in a registry the cluster can reach (see the [offline installation guide](/docs/setup/install/kubestash/helm.md)). Within the cluster, the following paths must stay open. When `global.networkPolicy.enabled` is `true`, the generated policies allow exactly these; if you maintain your own policies, make sure to permit them yourself:
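Review bot: In the first hunk, the sentence "KubeStash does not need any connectivity outside the cluster" contradicts the paragraph added a few lines later, which says backup and restore jobs need to reach "the object storage backend (S3, MinIO, and similar)"; an S3 backend is outside the cluster, so a reader applying the text literally would write a default-deny egress policy that breaks backups. Suggest rewording to state that only the operator and webhook pods are cluster-local and that job pods additionally need egress to wherever the backend lives. The same hunk says the generated policies "allow exactly these" three paths, but the opening paragraph scopes the policies to "the KubeStash operator and webhook server pods"; please state explicitly whether the generated policies also select the backup/restore job pods or whether the administrator must author those rules. Two smaller points: `--set global.networkPolicy.flavor=kubernetes` in the helm example sets the documented default and could be dropped or replaced with the `cilium` value to show the non-default case, and the link target `/docs/setup/install/kubestash/helm.md` uses a `.md` suffix while the earlier link in the same section uses `/docs/setup/install/kubestash/`, so check that the site resolves both forms.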
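Review bot: The second hunk removes the "does not need any connectivity outside the cluster" claim, which resolves the contradiction with the object storage sentence, but the unchanged context line that follows still says the generated policies "allow exactly these" cluster-internal paths. With the outside-cluster sentence gone, the section no longer says anywhere that egress to an external backend is not covered by the generated policies; suggest appending one clause to the "Within the cluster" paragraph along the lines of "the generated policies cover the operator and webhook pods only; egress from backup and restore jobs to the backend is not restricted by them" (or the opposite, if that is what the chart does), so the offline statement and the S3 statement are reconciled in the same place.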