Treat NetworkPolicy as part of the cluster contract, not as an afterthought.
The operator uses a deny-by-default posture and then adds the ingress and egress paths the cluster needs to function. That means DNS, Kubernetes API access, edge peers, and backup or restore dependencies should be configured intentionally rather than discovered during an outage.
Diagram
Default network posture
The namespace starts from deny-by-default, then allows the operator, peer traffic, DNS, Kubernetes API access, and whichever external systems you configure deliberately.
Decision matrix
Traffic the operator expects by default
| Direction | Path | Why it exists |
|---|---|---|
| Ingress | Operator to OpenBao on the service listener | Health checks, initialization, unseal coordination, and lifecycle orchestration all depend on this control-plane path. |
| Ingress | OpenBao peer-to-peer traffic | Raft members need to exchange cluster traffic on the peer port. |
| Egress | DNS and Kubernetes API | Pods and Jobs need name resolution and selected Kubernetes API access under strict policy. |
| Conditional ingress or egress | Gateway, ingress-controller, storage, transit, or PKI paths | These are environment-specific and should be configured explicitly rather than allowed broadly. |
DNS and Kubernetes API egress
Reference table
Core network settings
| Field | Use it for | When it matters |
|---|---|---|
network.dnsNamespace | Tell the operator where your DNS service actually runs. | Use this when the cluster DNS namespace is not kube-system, such as on OpenShift. |
network.dnsEndpointIPs | Allow direct DNS egress to resolver IPs instead of only to pod-backed Services. | Use this for node-local caches or host-networked DNS topologies where service-based rules are insufficient. |
network.apiServerCIDR | Override the default service-VIP allow-list for Kubernetes API access. | Use this when you know the exact API-service CIDR you want to allow. |
network.apiServerEndpointIPs | Allow egress directly to backing API-server endpoint IPs. | Use this when your CNI evaluates policy post-DNAT and the service VIP alone is not enough. |
- DNS
- Kubernetes API
Configure
Configure DNS for non-default or node-local resolver paths
spec:
network:
dnsNamespace: "openshift-dns"
dnsEndpointIPs:
- "169.254.20.10"
Use dnsEndpointIPs only when the resolver is enforced by IP rather than by Service-backed pod traffic. This also affects backup and restore Jobs.
Configure
Pin Kubernetes API egress explicitly when needed
spec:
network:
apiServerCIDR: "10.43.0.1/32"
apiServerEndpointIPs:
- "192.168.166.2"
Prefer the smallest safe scope. Endpoint IPs are usually only needed when the NetworkPolicy implementation evaluates the post-DNAT destination instead of the service VIP.
Add the environment-specific paths
- Trusted ingress peers
- External egress
- Raw ingress rules
Configure
Allow an ingress controller or Gateway data plane to reach the cluster
spec:
network:
trustedIngressPeers:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: traefik
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: ingress-system
podSelector:
matchLabels:
app.kubernetes.io/name: traefik
Use this when the source is a user-managed ingress controller or Gateway data plane. It is usually clearer than writing a raw ingressRules block for the same case.
Configure
Allow egress to transit, storage, or other external systems
spec:
network:
egressRules:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openbao-infra
ports:
- protocol: TCP
port: 8200
- to:
- ipBlock:
cidr: 192.168.100.0/24
ports:
- protocol: TCP
port: 443
Use this for transit unseal, object storage, private PKI, or any other external dependency that should not be reachable through a broad allow-all rule.
Configure
Add a raw ingress rule when you need full control
spec:
network:
ingressRules:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: monitoring
ports:
- protocol: TCP
port: 8200
Reach for raw ingressRules when the source is not a normal ingress-controller path and you need exact port or peer matching.
Read the operator conditions
Reference table
Conditions that matter
| Condition | What it tells you | Typical next move |
|---|---|---|
APIServerNetworkReady=False | The operator could not build a safe Kubernetes API allow-list. | Fix the API CIDR or endpoint IP configuration first. |
APIServerNetworkReady=Unknown | The service-VIP path exists, but your environment may still need explicit endpoint IPs. | Check whether your CNI enforces egress post-DNAT and add apiServerEndpointIPs if required. |
BackupConfigurationReady=False or RestoreConfigurationReady=False with NetworkEgressRulesRequired | The lifecycle Jobs cannot reach the storage target safely under current policy. | Add explicit storage egress rules before relying on backup or restore workflows. |
Continue service boundary setup
You are reading docs for version 0.1.0. Use the version menu to switch to next or another archived release.
Was this page helpful?
Use Needs work to open a structured GitHub issue for this page. The Yes button only acknowledges the signal locally.