chore: add solution proposal for opt-in least-privilege NetworkPolicies #6459

Draft
eamonnmoloney wants to merge 1 commit into main from 3519-network-policies-proposal


@eamonnmoloney

Contributor

Which problem does the PR fix?

Stores the Define-stage solution proposal for product-hub#3519 Self-Managed: Least Privilege Network Policies. No chart behavior changes.

What's in this PR?

Adds docs/proposals/network-policies.md, a solution proposal for DRI review (PDP Define stage). It covers:

  • Verified codebase facts — 8.10 and 8.9 are both unified (templates/orchestration/), so the backport is structurally identical and low-risk; no NetworkPolicy support exists today; existing *.matchLabels helpers and the `and <component>.enabled <feature>.enabled` gating idiom are reused.
  • Traffic matrix — per-component ingress/egress with default ports, plus in-cluster vs external (CIDR) datastore handling.
  • Recommended design — single networkPolicy.enabled toggle + optional default-deny + external-endpoint CIDR config + per-component extraIngress/extraEgress escape hatches; per-component template files reusing existing selectors.
  • Implementation phases — 8.10 templates+values → tests → 8.9 backport → docs → cross-repo coordination.
  • Open questions for the Eng/Docs DRIs, honest positive/negative consequences, and validation criteria.

This is a proposal only — no ADR is authored here (per repo policy, ADRs are human-authored). A ratified decision should be captured in an ADR under docs/adr/ afterwards.

Kept as a draft for storage/review.

Checklist

Before opening the PR:

  • In the repo's root dir, run make go.update-golden-only.
  • There is no other open pull request for the same update/change.
  • Tests for charts are added (if needed).
  • In-repo documentation is updated (if needed).

After opening the PR:

  • Did you sign our CLA (Contributor License Agreement)? It will show once you open the PR.
  • Did all checks/tests pass in the PR?

Define-stage solution proposal for product-hub#3519. Documents the traffic
matrix, values schema (single networkPolicy.enabled toggle + extras),
per-component packaging, 8.10 + 8.9 backport plan, and test/validation
strategy for DRI review. No chart code changed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

PR Preview Action v1.8.1


🚀 View preview at
https://camunda.github.io/camunda-platform-helm/camunda-platform-helm/pr-preview/pr-6459/

Built to branch gh-pages at 2026-06-26 08:13 UTC.
Preview will be ready when the GitHub Pages deployment is complete.
