# Network Policies

Securing inter-service communication with Kubernetes NetworkPolicies

Berserk includes optional Kubernetes NetworkPolicies that restrict both ingress and egress traffic for each service. When enabled, every service pod is selected by a policy covering both the `Ingress` and `Egress` policy types, so only the known communication paths listed below are allowed; all other pod-to-pod traffic and outbound connections are denied.
> NetworkPolicy enforcement requires a CNI plugin that implements it. On EKS, use the VPC CNI v1.14+ with `ENABLE_NETWORK_POLICY=true` on the `aws-node` DaemonSet, or install Calico. Without a compatible CNI, the NetworkPolicy resources are created but have no effect: the API server accepts them and `kubectl get networkpolicy` lists them, yet nothing is blocked. Verify enforcement (for example, apply a deny-all policy in a scratch namespace and confirm a test pod can no longer reach anything) before relying on these policies.
## Enabling

Network policies are disabled by default. Enable them in your values file:

```yaml
global:
  networkPolicy:
    enabled: true
```

## Service Communication Map
The following table shows the allowed traffic when network policies are enabled:
| Service | Ingress From | Egress To | External Ingress |
|---|---|---|---|
| meta | query, ingest, janitor, ui, nursery | S3, PostgreSQL | No |
| query | ui, janitor | meta, S3 | Yes |
| ingest | (external telemetry sources) | meta, S3 | Yes |
| janitor | (none) | meta, query, S3 | No |
| ui | (external ingress controller) | query, meta, S3 | Yes |
| nursery | (none) | meta, S3 | No |
All services are always allowed DNS egress (port 53 UDP/TCP).
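To make the map concrete, here is an added example (not code from the Berserk chart) that renders one NetworkPolicy per service from values in the shape of the chart's per-service `ingressFrom` / `egressTo` / `allowExternal` settings (see Per-Service Configuration below), adds the always-on DNS egress, and then emulates how a CNI evaluates a path: both the source's egress policy and the destination's ingress policy must admit the connection. Assumptions, not taken from the chart: pods carry the label `app.kubernetes.io/name=<service>`, the release namespace is `berserk`, and every port except `query:9510` and `ingest:4317` is a placeholder. The CIDR-based external egress is left out here.

```python
"""Render per-service NetworkPolicies from a communication map and check
which pod-to-pod paths they admit.

Added example; this is not the Berserk chart's own template code. It mirrors
the chart's per-service `ingressFrom` / `egressTo` / `allowExternal` values
and the always-on DNS egress. Assumptions: pods carry the label
app.kubernetes.io/name=<service>, the release namespace is "berserk", and all
ports except query:9510 and ingest:4317 are placeholders.
"""

LABEL = "app.kubernetes.io/name"   # assumed pod label the chart sets
NAMESPACE = "berserk"               # assumed release namespace
DNS_PORTS = [{"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"}]
# Listening port per service; only 9510 and 4317 come from the docs.
PORTS = {"meta": 9500, "query": 9510, "ingest": 4317, "ui": 8080}

# Constructed communication map in the shape of the chart's per-service values.
VALUES = {
    "meta":    {"ingressFrom": ["query", "ingest", "janitor", "ui", "nursery"], "egressTo": []},
    "query":   {"ingressFrom": ["ui", "janitor"], "egressTo": ["meta"], "allowExternal": True},
    "ingest":  {"ingressFrom": [], "egressTo": ["meta"], "allowExternal": True},
    "janitor": {"ingressFrom": [], "egressTo": ["meta", "query"]},
    "ui":      {"ingressFrom": [], "egressTo": ["query", "meta"], "allowExternal": True},
    "nursery": {"ingressFrom": [], "egressTo": ["meta"]},
}


def peer(app):
    return {"podSelector": {"matchLabels": {LABEL: app}}}


def tcp(port):
    return [{"port": port, "protocol": "TCP"}]


def render_policy(app, spec):
    """One NetworkPolicy per service. Selecting the pod with both policyTypes
    turns everything not listed in the rules into a deny; an empty ingress
    list (janitor, nursery) is an explicit deny-all for inbound traffic."""
    ingress = []
    if spec.get("allowExternal"):
        ingress.append({"ports": tcp(PORTS[app])})            # no `from`: any source
    if spec["ingressFrom"]:
        ingress.append({"from": [peer(p) for p in spec["ingressFrom"]],
                        "ports": tcp(PORTS[app])})
    egress = [{"ports": DNS_PORTS}]                            # no `to`: DNS to anywhere
    for dst in spec["egressTo"]:
        egress.append({"to": [peer(dst)], "ports": tcp(PORTS[dst])})
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"{app}-netpol", "namespace": NAMESPACE},
        "spec": {"podSelector": {"matchLabels": {LABEL: app}},
                 "policyTypes": ["Ingress", "Egress"],
                 "ingress": ingress, "egress": egress},
    }


def render_all(values=VALUES):
    return {app: render_policy(app, spec) for app, spec in values.items()}


def _rule_admits(rule, other, port, protocol, key):
    """API matching semantics: an empty or absent `from`/`to` matches every
    peer, and an empty or absent `ports` matches every port."""
    peers = rule.get(key)
    if peers and not any(p.get("podSelector", {}).get("matchLabels", {}).get(LABEL) == other
                         for p in peers):
        return False
    ports = rule.get("ports")
    if ports and not any(p["port"] == port and p["protocol"] == protocol for p in ports):
        return False
    return True


def path_allowed(policies, src, dst, port, protocol="TCP"):
    """Emulate enforcement for a connection src -> dst:port. The source's
    egress policy AND the destination's ingress policy must both admit it.
    A pod that no policy selects (kube-dns, or an external client modelled
    as a name not in `policies`) is unrestricted in that direction."""
    src_pol = policies.get(src)
    if src_pol and "Egress" in src_pol["spec"]["policyTypes"]:
        if not any(_rule_admits(r, dst, port, protocol, "to") for r in src_pol["spec"]["egress"]):
            return False
    dst_pol = policies.get(dst)
    if dst_pol and "Ingress" in dst_pol["spec"]["policyTypes"]:
        if not any(_rule_admits(r, src, port, protocol, "from") for r in dst_pol["spec"]["ingress"]):
            return False
    return True


if __name__ == "__main__":
    import json
    pols = render_all()
    print(json.dumps(pols["query"], indent=2))
    for src, dst, port, proto in [("ui", "query", 9510, "TCP"), ("ingest", "query", 9510, "TCP"),
                                  ("janitor", "meta", 9500, "TCP"), ("query", "kube-dns", 53, "UDP"),
                                  ("external", "meta", 9500, "TCP")]:
        print(f"{src} -> {dst}:{port}/{proto}  allowed={path_allowed(pols, src, dst, port, proto)}")
```

The checker is deliberately two-sided: a path that one service's `egressTo` lists is still denied if the peer's `ingressFrom` does not list it back, which is the mistake to look for when a newly added peer "can't connect" after enabling policies.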
## External Egress

Services that need to reach external endpoints (S3, PostgreSQL) use a configurable CIDR allowlist. By default, HTTPS (443) and PostgreSQL (5432) are open to all IPs, so out of the box the port is the only restriction on that traffic. For production, tighten the allowlist to the S3 VPC endpoint and database subnets actually in use:

```yaml
global:
  networkPolicy:
    enabled: true
    externalEgress:
      # S3 VPC endpoint
      - cidr: 10.0.0.0/16
        ports:
          - port: 443
            protocol: TCP
      # RDS PostgreSQL
      - cidr: 10.1.0.0/24
        ports:
          - port: 5432
            protocol: TCP
```

## OTLP Telemetry
When `global.observability.otlpEnabled` is true, all services automatically get egress to the OTLP endpoint. Two cases are handled:

Default endpoint (`ingest:4317`): Egress to the ingest pod is added automatically via a pod selector. The ingest service also gets an ingress rule allowing all pods in the namespace to send telemetry on port 4317.

External collector: If `global.observability.otlpEndpoint` points outside the namespace, configure `global.networkPolicy.otlpEgress` with the appropriate CIDR rules:

```yaml
global:
  observability:
    otlpEnabled: true
    otlpEndpoint: "otel-collector.monitoring:4317"
  networkPolicy:
    enabled: true
    otlpEgress:
      - cidr: 10.2.0.0/16
        ports:
          - port: 4317
            protocol: TCP
```

Helm prints a warning during install/upgrade if OTLP is enabled with a non-default endpoint but no `otlpEgress` rules are configured. The release still installs; until the rules are added, the egress policy drops the services' telemetry traffic to the collector.

Note that `otlpEgress` is CIDR-based. For a collector running inside the cluster (as in the example above), the CIDR must cover the collector's pod IPs, because most CNIs evaluate policy after the Service ClusterIP has been DNAT'd to a pod address. A `namespaceSelector`/`podSelector` rule added via `additionalEgress` (see Custom Rules) is usually the tighter choice for an in-cluster collector.
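The following added example (not the Berserk chart's own templates) covers both the External Egress and OTLP sections: it turns `externalEgress` and `otlpEgress` values into NetworkPolicy egress rules, reproduces the Helm warning condition for a non-default OTLP endpoint with no `otlpEgress`, and lints the result for the permissive default. It assumes that the chart renders "open to all IPs" as an `ipBlock` of `0.0.0.0/0`, that the default OTLP endpoint becomes a `podSelector` rule for the ingest pod, and that ingest pods carry the label `app.kubernetes.io/name=ingest`; none of those details are stated by the chart docs.

```python
"""Turn the chart's `externalEgress` / `otlpEgress` values into NetworkPolicy
egress rules and flag the permissive defaults.

Added example, not the Berserk chart's own templates. Assumptions: "open to
all IPs" is rendered as an ipBlock of 0.0.0.0/0, the default OTLP endpoint
becomes a podSelector rule for the ingest pod, and ingest pods carry the
label app.kubernetes.io/name=ingest.
"""
import ipaddress

DEFAULT_OTLP_ENDPOINT = "ingest:4317"
DEFAULT_EXTERNAL_EGRESS = [            # what "open to all IPs" means in policy terms
    {"cidr": "0.0.0.0/0", "ports": [{"port": 443, "protocol": "TCP"}]},
    {"cidr": "0.0.0.0/0", "ports": [{"port": 5432, "protocol": "TCP"}]},
]
INGEST_PEER = {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "ingest"}}}


def cidr_rule(entry):
    """One values entry {cidr, ports} -> one NetworkPolicy egress rule.
    ip_network() rejects malformed CIDRs here instead of at `helm upgrade`."""
    net = ipaddress.ip_network(entry["cidr"], strict=False)
    return {"to": [{"ipBlock": {"cidr": str(net)}}], "ports": list(entry["ports"])}


def external_egress_rules(values):
    """Rules a service with allowExternalEgress=true receives."""
    np_values = values.get("global", {}).get("networkPolicy", {})
    entries = np_values.get("externalEgress") or DEFAULT_EXTERNAL_EGRESS
    return [cidr_rule(e) for e in entries]


def otlp_egress_rules(values):
    """Rules every service receives for OTLP when otlpEnabled is true.
    Returns (rules, warnings); the warning mirrors the one Helm prints."""
    g = values.get("global", {})
    obs, np_values = g.get("observability", {}), g.get("networkPolicy", {})
    if not obs.get("otlpEnabled"):
        return [], []
    endpoint = obs.get("otlpEndpoint", DEFAULT_OTLP_ENDPOINT)
    if endpoint == DEFAULT_OTLP_ENDPOINT:
        # in-namespace ingest pod: pod selector, no CIDR needed
        return [{"to": [INGEST_PEER], "ports": [{"port": 4317, "protocol": "TCP"}]}], []
    entries = np_values.get("otlpEgress") or []
    if not entries:
        return [], [f"otlpEndpoint {endpoint!r} is not the in-namespace default but "
                    "global.networkPolicy.otlpEgress is empty; telemetry egress will be denied"]
    return [cidr_rule(e) for e in entries], []


def lint_egress(rules):
    """Report ipBlock destinations that leave the port as the only control
    (0.0.0.0/0 or ::/0) and public ranges worth a second look."""
    findings = []
    for rule in rules:
        ports = ",".join(str(p["port"]) for p in rule.get("ports", [])) or "all ports"
        for dest in rule.get("to", []):
            cidr = dest.get("ipBlock", {}).get("cidr")
            if cidr is None:
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append(f"{cidr} on {ports}: any IP reachable, restrict to the "
                                "VPC endpoint / database subnet")
            elif not net.is_private:
                findings.append(f"{cidr} on {ports}: public range, confirm it is intended")
    return findings


if __name__ == "__main__":
    # Constructed values: the defaults, then the tightened production allowlist from above.
    defaults = {"global": {"networkPolicy": {"enabled": True}}}
    tightened = {"global": {"networkPolicy": {"enabled": True, "externalEgress": [
        {"cidr": "10.0.0.0/16", "ports": [{"port": 443, "protocol": "TCP"}]},
        {"cidr": "10.1.0.0/24", "ports": [{"port": 5432, "protocol": "TCP"}]}]}}}
    for name, v in [("defaults", defaults), ("tightened", tightened)]:
        print(name, lint_egress(external_egress_rules(v)) or "ok")
    otlp_ext = {"global": {"observability": {"otlpEnabled": True,
                                             "otlpEndpoint": "otel-collector.monitoring:4317"},
                           "networkPolicy": {"enabled": True}}}
    print(otlp_egress_rules(otlp_ext)[1])
```

Run `lint_egress` over the rendered rules in CI: with the defaults it reports both `0.0.0.0/0` entries, with the tightened allowlist it reports nothing, so a values change that silently falls back to the default is caught before it reaches a cluster.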
## Custom Rules

Add custom ingress or egress rules for all services via the global values, or per-service via the sub-chart values. These are raw NetworkPolicy `ingress`/`egress` entries appended to the generated ones; since NetworkPolicy rules are additive allow-lists, a custom rule can only widen what is permitted, never narrow it.

Global (applied to all services):

```yaml
global:
  networkPolicy:
    additionalIngress:
      - from:
          - namespaceSelector:
              matchLabels:
                name: monitoring
        ports:
          - port: 9090
            protocol: TCP
```

Per-service (e.g., allow a specific namespace to reach query):

```yaml
query:
  networkPolicy:
    additionalIngress:
      - from:
          - namespaceSelector:
              matchLabels:
                name: data-team
        ports:
          - port: 9510
            protocol: TCP
```

`namespaceSelector` matches labels on the Namespace object itself, so the source namespace must actually carry the label you select on (`name: monitoring` or `name: data-team` above); the only label Kubernetes sets on namespaces automatically is `kubernetes.io/metadata.name`.

## Per-Service Configuration
Each service supports these `networkPolicy` values:

| Value | Type | Description |
|---|---|---|
| `allowExternal` | bool | Allow ingress from any source on service ports |
| `allowExternalEgress` | bool | Allow egress to `global.networkPolicy.externalEgress` CIDRs |
| `ingressFrom` | list | Berserk peers allowed to connect (`[{app, ports}]`) |
| `egressTo` | list | Berserk peers this service connects to (`[{app, ports}]`) |
| `additionalIngress` | list | Extra raw NetworkPolicy ingress rules |
| `additionalEgress` | list | Extra raw NetworkPolicy egress rules |