
Network policies

GitGuardian self-hosted ships built-in Kubernetes NetworkPolicy resources that isolate the GIM namespace from the rest of the cluster. When enabled, ingress from outside the namespace is denied by default and only namespaces you explicitly allow can reach GitGuardian pods.

Network policies are available for Helm-based installations and configured entirely through Helm values under the top-level networkPolicy.* keys. Full value reference: Helm values.

Kubernetes requirements

NetworkPolicy objects are enforced by your CNI plugin (Calico, Cilium, AWS VPC CNI with policy enforcement, etc.). Make sure your cluster has a policy-enforcing CNI before enabling this feature — otherwise the policies are deployed but ignored.

Quick start

The recommended rollout is a two-step process: deploy in dryrun first to validate your configuration, then switch to enforce to activate blocking.

1. Deploy in dryrun mode

In dryrun mode, all policies are applied but a temporary allow-all rule prevents any traffic from being blocked. Use this phase to review the generated policies and identify every namespace that needs to talk to GIM.

networkPolicy:
  enabled: true
  mode: dryrun
  allowedNamespaces:
    - ingress-nginx
    - monitoring

Inspect the deployed policies and your traffic patterns (CNI logs, service mesh metrics, etc.) to confirm nothing legitimate would be blocked.

2. Switch to enforce mode

Once you're confident, remove the safety net by switching to enforce:

networkPolicy:
  enabled: true
  mode: enforce
  allowedNamespaces:
    - ingress-nginx
    - monitoring

Ingress from any namespace not in allowedNamespaces is now actively blocked.
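The two-step rollout above can be rehearsed offline. The following is an added example, not code from the GitGuardian chart: it builds NetworkPolicy manifests equivalent to the allowedNamespaces model (assuming, as the chart is not shown here, that namespaces are matched on the kubernetes.io/metadata.name label Kubernetes sets on every namespace) and applies Kubernetes ingress semantics to report which source namespaces a planned value file would admit in dryrun versus enforce.

```python
# Added example, not GitGuardian chart code: a model of the allowedNamespaces ingress
# model for checking a planned value file before moving from dryrun to enforce.
# Assumption: namespaces are matched on the kubernetes.io/metadata.name label.
NS_LABEL = "kubernetes.io/metadata.name"

def render_policies(gim_ns, allowed_namespaces, mode):
    """NetworkPolicy manifests equivalent to networkPolicy.allowedNamespaces: every
    policy selects all GIM pods; the allow-list admits the GIM namespace itself plus each
    allowed namespace; dryrun adds a second policy whose {} rule admits anything."""
    if mode not in ("dryrun", "enforce"):
        raise ValueError(f"unknown networkPolicy.mode {mode!r}")
    peers = [{"namespaceSelector": {"matchLabels": {NS_LABEL: ns}}}
             for ns in [gim_ns, *allowed_namespaces]]
    policies = [{
        "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
        "metadata": {"name": "gim-allowed-namespaces", "namespace": gim_ns},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{"from": peers}]},
    }]
    if mode == "dryrun":
        policies.append({
            "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": "gim-dryrun-allow-all", "namespace": gim_ns},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{}]},
        })
    return policies

def ingress_allowed(policies, dst_ns, src_ns):
    """Kubernetes semantics for the shapes above: pods selected by no Ingress policy
    accept everything; once one selects them, a connection is allowed only if some rule
    of some selecting policy matches. Rules are unioned, so an allow-all rule wins."""
    selecting = [p for p in policies if p["metadata"]["namespace"] == dst_ns
                 and "Ingress" in p["spec"].get("policyTypes", [])]
    if not selecting:
        return True  # not isolated for ingress
    for rule in (r for p in selecting for r in p["spec"].get("ingress", [])):
        if not rule.get("from"):
            return True  # {} or an empty from list matches every source
        for peer in rule["from"]:
            labels = peer.get("namespaceSelector", {}).get("matchLabels", {})
            if labels.get(NS_LABEL) == src_ns:
                return True
    return False

def check_plan(gim_ns, allowed_namespaces, mode, sources):
    """Map each namespace that must reach GIM to whether the planned values permit it."""
    policies = render_policies(gim_ns, allowed_namespaces, mode)
    return {ns: ingress_allowed(policies, gim_ns, ns) for ns in sources}
```

Run check_plan with the namespaces you observed in CNI logs during the dryrun phase; any False under enforce is a namespace still missing from allowedNamespaces.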

Configuration reference

Value | Default | Description
networkPolicy.enabled | false | Enable NetworkPolicy resources for the GIM namespace.
networkPolicy.mode | dryrun | dryrun: policies are deployed with an allow-all safety net. enforce: the allow-all is removed and policies actively block unauthorized ingress.
networkPolicy.allowedNamespaces | [] | Namespaces allowed to reach GIM pods. Include your ingress controller, monitoring stack, and any other workload that needs access. Example: ["ingress-nginx", "monitoring"].
networkPolicy.extraPolicies | [] | Full NetworkPolicy spec entries rendered alongside the defaults. Use this for custom allow/deny rules outside of the allowedNamespaces model.

Custom policies

Use networkPolicy.extraPolicies when you need rules that don't fit the allowedNamespaces pattern (e.g. egress restrictions, pod-selector-based rules). Each entry is rendered as a full NetworkPolicy spec. Keep in mind that a policy whose policyTypes includes Egress makes the selected pods default-deny for any egress its rules do not match, so a policy like the one below must also allow DNS and every other destination GIM needs, including pods in its own namespace:

networkPolicy:
  enabled: true
  mode: enforce
  allowedNamespaces:
    - ingress-nginx
  extraPolicies:
    - apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: allow-external-smtp
      spec:
        podSelector: {}
        policyTypes:
          - Egress
        egress:
          - to:
              - ipBlock:
                  cidr: 10.0.0.0/24
            ports:
              - protocol: TCP
                port: 587

Troubleshooting

  • Traffic blocked unexpectedly: Go back to mode: dryrun, then add the missing namespace to allowedNamespaces before switching back to enforce.
  • Policies deployed but not enforced: Check that your CNI plugin supports NetworkPolicy enforcement. Run kubectl get networkpolicies -n <gitguardian-namespace> to confirm the resources exist.
  • Ingress controller unable to reach GIM: The namespace of your ingress controller (e.g. ingress-nginx, istio-system) must be listed in allowedNamespaces.