actions/fluxcd-flux2
3
0
Fork 0
mirror of https://github.com/fluxcd/flux2.git synced 2026-02-07 16:27:27 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add Artifact access restrictions to recommendations

Browse source 
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
This commit is contained in:
Stefan Prodan 2025-09-03 13:57:38 +03:00
parent 1e662e5ed9
commit 64bfa02db4
No known key found for this signature in database
GPG key ID: 3299AEB0E4085BAF
1 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
rfcs/0012-external-artifact/README.md
View file

@ -208,6 +208,12 @@ when developing 3rd party source controllers:
or failures. Following source-controller best practices for artifact storage is highly recommended: or failures. Following source-controller best practices for artifact storage is highly recommended:
at startup, ensure that the artifacts in-storage have not been tampered with by verifying at startup, ensure that the artifacts in-storage have not been tampered with by verifying
the checksums of all stored artifacts against the `ExternalArtifact` digests in the cluster. the checksums of all stored artifacts against the `ExternalArtifact` digests in the cluster.
- **Artifact access restrictions**: If the controller is deployed outside of flux-system namespace,
it should include network policies that restrict access to the artifact storage endpoint to only
kustomize-controller and helm-controller.
Following source-controller best practices for network policies is highly recommended:
use Kubernetes NetworkPolicies to restrict ingress and egress traffic to/from the controller pods,
allowing only necessary communication with upstream sources and trusted consumers.
### User Stories ### User Stories