Add Artifact access restrictions to recommendations

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-02-06 19:05:55 +00:00 · 2025-09-03 13:57:38 +03:00
parent 1e662e5ed9
commit 64bfa02db4
1 changed files with 6 additions and 0 deletions
--- a/rfcs/0012-external-artifact/README.md
+++ b/rfcs/0012-external-artifact/README.md
@@ -208,6 +208,12 @@ when developing 3rd party source controllers:
  or failures. Following source-controller best practices for artifact storage is highly recommended:
  at startup, ensure that the artifacts in-storage have not been tampered with by verifying
  the checksums of all stored artifacts against the `ExternalArtifact` digests in the cluster.
+- **Artifact access restrictions**: If the controller is deployed outside of flux-system namespace,
+  it should include network policies that restrict access to the artifact storage endpoint to only
+  kustomize-controller and helm-controller.
+  Following source-controller best practices for network policies is highly recommended:
+  use Kubernetes NetworkPolicies to restrict ingress and egress traffic to/from the controller pods,
+  allowing only necessary communication with upstream sources and trusted consumers.

 ### User Stories