From e31b243719d70aefde5fb587f14a9e8d94f61638 Mon Sep 17 00:00:00 2001 From: Przemyslaw Roguski Date: Fri, 8 May 2026 12:22:41 +0200 Subject: [PATCH] Add network policy usage documentation to README Co-Authored-By: Claude Opus 4.6 (1M context) --- README.md.gotmpl | 54 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/README.md.gotmpl b/README.md.gotmpl index 4def014..aa2eb98 100644 --- a/README.md.gotmpl +++ b/README.md.gotmpl 
@@ -19,6 +19,60 @@ This chart is used by the Validated Patterns installation script that can be fou {{ template "helm-docs.versionFooter" . }} +## Network Policies + +This chart supports deploying Kubernetes NetworkPolicies for network isolation +in the vault namespace. Two layers are available: + +### Default-deny policy + +A namespace-wide default-deny NetworkPolicy that blocks all ingress and egress +traffic for every pod in the vault namespace unless an explicit allow policy +exists. Enable it by setting: + +```yaml +defaultDenyNetworkPolicy: + enabled: true +``` + +### Per-pod allow rules + +The upstream vault subchart includes a `vault.server.networkPolicy` value that +lets you define fine-grained ingress and egress rules for vault server pods. +When combined with the default-deny policy above, only explicitly allowed +traffic can reach or leave vault. + +Example — allow ingress from a specific namespace and egress to DNS: + +```yaml +vault: + server: + networkPolicy: + enabled: true + ingress: + - ports: + - protocol: TCP + port: 8200 + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: my-app + egress: + - ports: + - protocol: UDP + port: 5353 + - protocol: TCP + port: 5353 + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: openshift-dns +``` + +Patterns can supply these values via `extraValueFiles` in their +`values-hub.yaml` to keep network policy configuration separate from the main +chart values. + ## Updating the chart 1. Edit Chart.yaml with the new version
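Review bot: the "Default-deny policy" section says the policy blocks all ingress and egress for every pod in the vault namespace, yet the only allow rules documented are `vault.server.networkPolicy`, which cover vault server pods only; the text should state that any other pod running in the namespace needs its own allow policy, otherwise it loses all connectivity (DNS included) as soon as `defaultDenyNetworkPolicy.enabled: true` is set. In the ingress example, a `namespaceSelector` on its own admits every pod in `my-app` to port 8200; consider noting that adding a `podSelector` in the same `from` entry narrows this to the intended client workload.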