Treat NetworkPolicy as part of the cluster contract, not as an afterthought.

The operator uses a deny-by-default posture and then adds the ingress and egress paths the cluster needs to function. That means DNS, Kubernetes API access, edge peers, and backup or restore dependencies should be configured intentionally rather than discovered during an outage.

Diagram

Default network posture

The namespace starts from deny-by-default, then allows the operator, peer traffic, DNS, Kubernetes API access, and whichever external systems you configure deliberately.

Decision matrix

Traffic the operator expects by default

Traffic the operator expects by default.

Direction	Path	Why it exists
Ingress	Operator to OpenBao on the service listener	Health checks, initialization, unseal coordination, and lifecycle orchestration all depend on this control-plane path.
Ingress	OpenBao peer-to-peer traffic	Raft members need to exchange cluster traffic on the peer port.
Egress	DNS and Kubernetes API	Pods and Jobs need name resolution and selected Kubernetes API access under strict policy.
Conditional ingress or egress	Gateway, ingress-controller, storage, transit, or PKI paths	These are environment-specific and should be configured explicitly rather than allowed broadly.

DNS and Kubernetes API egress

Reference table

Core network settings

Core network settings.

Field	Use it for	When it matters
network.dnsNamespace	Tell the operator where your DNS service actually runs.	Use this when the cluster DNS namespace is not kube-system, such as on OpenShift.
network.dnsEndpointIPs	Allow direct DNS egress to resolver IPs instead of only to pod-backed Services.	Use this for node-local caches or host-networked DNS topologies where service-based rules are insufficient.
network.apiServerCIDR	Override the default service-VIP allow-list for Kubernetes API access.	Use this when you know the exact API-service CIDR you want to allow.
network.apiServerEndpointIPs	Allow egress directly to backing API-server endpoint IPs.	Use this when your CNI evaluates policy post-DNAT and the service VIP alone is not enough.

DNS

Configure

Configure DNS for non-default or node-local resolver paths

yaml

spec:
network:
  dnsNamespace: "openshift-dns"
  dnsEndpointIPs:
    - "169.254.20.10"

Use dnsEndpointIPs only when the resolver is enforced by IP rather than by Service-backed pod traffic. This also affects backup and restore Jobs.

Kubernetes API

Configure

Pin Kubernetes API egress explicitly when needed

yaml

spec:
network:
  apiServerCIDR: "10.43.0.1/32"
  apiServerEndpointIPs:
    - "192.168.166.2"

Prefer the smallest safe scope. Endpoint IPs are usually only needed when the NetworkPolicy implementation evaluates the post-DNAT destination instead of the service VIP.

Add the environment-specific paths

Trusted ingress peers

Configure

Allow an ingress controller or Gateway data plane to reach the cluster

yaml

spec:
network:
  trustedIngressPeers:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: traefik
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-system
      podSelector:
        matchLabels:
          app.kubernetes.io/name: traefik

Use this when the source is a user-managed ingress controller or Gateway data plane. It is usually clearer than writing a raw ingressRules block for the same case.

External egress

Configure

Allow egress to transit, storage, or other external systems

yaml

spec:
network:
  egressRules:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openbao-infra
      ports:
        - protocol: TCP
          port: 8200
    - to:
        - ipBlock:
            cidr: 192.168.100.0/24
      ports:
        - protocol: TCP
          port: 443

Use this for transit unseal, object storage, private PKI, or any other external dependency that should not be reachable through a broad allow-all rule.

Raw ingress rules

Configure

Add a raw ingress rule when you need full control

yaml

spec:
network:
  ingressRules:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
      ports:
        - protocol: TCP
          port: 8200

Reach for raw ingressRules when the source is not a normal ingress-controller path and you need exact port or peer matching.

Read the operator conditions

Reference table

Conditions that matter

Conditions that matter.

Condition	What it tells you	Typical next move
APIServerNetworkReady=False	The operator could not build a safe Kubernetes API allow-list.	Fix the API CIDR or endpoint IP configuration first.
APIServerNetworkReady=Unknown	The service-VIP path exists, but your environment may still need explicit endpoint IPs.	Check whether your CNI enforces egress post-DNAT and add apiServerEndpointIPs if required.
BackupConfigurationReady=False or RestoreConfigurationReady=False with NetworkEgressRulesRequired	The lifecycle Jobs cannot reach the storage target safely under current policy.	Add explicit storage egress rules before relying on backup or restore workflows.

Continue service boundary setup

Gateway API supportUse the detailed Gateway API guide when that is the primary edge model.Backup operationsReview the object-storage and job-identity path that depends on these network rules.Network securityGo deeper on the security model behind the deny-by-default posture and namespace isolation.