From 64bfa02db4e66b9b2932dfcdf5911f9eb587ab3b Mon Sep 17 00:00:00 2001
From: Stefan Prodan <stefan.prodan@gmail.com>
Date: Wed, 3 Sep 2025 13:57:38 +0300
Subject: [PATCH] Add Artifact access restrictions to recommendations

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
---
 rfcs/0012-external-artifact/README.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/rfcs/0012-external-artifact/README.md b/rfcs/0012-external-artifact/README.md
index eb21f917..602c4918 100644
--- a/rfcs/0012-external-artifact/README.md
+++ b/rfcs/0012-external-artifact/README.md
@@ -208,6 +208,12 @@ when developing 3rd party source controllers:
   or failures. Following source-controller best practices for artifact storage is highly recommended:
   at startup, ensure that the artifacts in-storage have not been tampered with by verifying
   the checksums of all stored artifacts against the `ExternalArtifact` digests in the cluster.
+- **Artifact access restrictions**: If the controller is deployed outside of flux-system namespace,
+  it should include network policies that restrict access to the artifact storage endpoint to only
+  kustomize-controller and helm-controller.
+  Following source-controller best practices for network policies is highly recommended:
+  use Kubernetes NetworkPolicies to restrict ingress and egress traffic to/from the controller pods,
+  allowing only necessary communication with upstream sources and trusted consumers.
 
 ### User Stories