kubedb · tamalsaha · May 18, 2026
diff --git a/apis/installer/v1/types.go b/apis/installer/v1/types.go
@@ -111,6 +111,19 @@ type PSPSpec struct {
 	Enabled bool `json:"enabled"`
 }
 
+// NetworkPolicyFlavor selects which API flavor is used when network policies
+// are emitted. Defaults to "kubernetes".
+// +kubebuilder:validation:Enum=kubernetes;cilium
+type NetworkPolicyFlavor string
+
+const (
+	NetworkPolicyFlavorKubernetes NetworkPolicyFlavor = "kubernetes"
+	NetworkPolicyFlavorCilium     NetworkPolicyFlavor = "cilium"
+)
+
 type NetworkPolicySpec struct {
 	Enabled bool `json:"enabled"`
+	// +optional
+	// +kubebuilder:default=kubernetes
+	Flavor NetworkPolicyFlavor `json:"flavor,omitempty"`
 }
diff --git a/charts/kubedb-certified/templates/_helpers.tpl b/charts/kubedb-certified/templates/_helpers.tpl
@@ -178,6 +178,35 @@ Returns whether the NetworkPolicy should be enabled
 {{- or .Values.global.networkPolicy.enabled (and .Values.networkPolicy .Values.networkPolicy.enabled) -}}
 {{- end }}
 
+{{/*
+Returns the configured NetworkPolicy flavor.
+"cilium" emits cilium.io/v2 CiliumNetworkPolicy; anything else emits the
+default networking.k8s.io/v1 NetworkPolicy.
+Local chart-scoped networkPolicy.flavor wins over the global value.
+*/}}
+{{- define "security.networkPolicyFlavor" -}}
+{{- $local := "" -}}
+{{- if and .Values.networkPolicy .Values.networkPolicy.flavor -}}
+{{- $local = .Values.networkPolicy.flavor -}}
+{{- end -}}
+{{- default (default "kubernetes" .Values.global.networkPolicy.flavor) $local -}}
+{{- end }}
+
+{{/*
+Returns "true" when CiliumNetworkPolicy resources should be emitted.
+*/}}
+{{- define "security.useCiliumNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (eq "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
+{{/*
+Returns "true" when the built-in networking.k8s.io/v1 NetworkPolicy resources
+should be emitted (the default flavor).
+*/}}
+{{- define "security.useKubernetesNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (ne "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
 {{/*
 Returns whether the OpenShift distribution is used
 */}}

diff --git a/charts/kubedb-certified/templates/cilium-network-policy.yaml b/charts/kubedb-certified/templates/cilium-network-policy.yaml
@@ -0,0 +1,53 @@
+{{- if eq "true" ( include "security.useCiliumNetworkPolicy" . ) }}
+# Allow every pod in the operator namespace to reach the Kubernetes API server.
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ .Release.Name }}-egress-kubernetes-api
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpointSelector: {}
+  egress:
+  - toEntities:
+    - remote-node
+    - host
+    toPorts:
+    - ports:
+      - port: "6443"
+        protocol: TCP
+---
+# Allow the operator pods to reach the database pods (any kubedb-managed
+# namespace, on the standard DB ports).
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ .Release.Name }}-egress-to-databases
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  egress:
+  - toEndpoints:
+    - matchLabels:
+        app.kubernetes.io/component: database
+        app.kubernetes.io/managed-by: kubedb.com
+    toPorts:
+    - ports:
+      - port: "5432"
+        protocol: TCP
+      - port: "27017"
+        protocol: TCP
+      - port: "3306"
+        protocol: TCP
+      - port: "6379"
+        protocol: TCP
+      - port: "9200"
+        protocol: TCP
+      - port: "9092"
+        protocol: TCP
+      - port: "9000"
+        protocol: TCP
+      - port: "9042"
+        protocol: TCP
+{{- end }}
diff --git a/charts/kubedb-certified/templates/network-policy.yaml b/charts/kubedb-certified/templates/network-policy.yaml
@@ -1,4 +1,4 @@
-{{- if eq "true" ( include "security.enableNetworkPolicy" . ) }}
+{{- if eq "true" ( include "security.useKubernetesNetworkPolicy" . ) }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:

diff --git a/charts/kubedb-certified/values.openapiv3_schema.yaml b/charts/kubedb-certified/values.openapiv3_schema.yaml
@@ -2683,6 +2683,11 @@ properties:
         properties:
           enabled:
             type: boolean
+          flavor:
+            enum:
+            - kubernetes
+            - cilium
+            type: string
         required:
         - enabled
         type: object
@@ -21330,6 +21335,11 @@ properties:
         properties:
           enabled:
             type: boolean
+          flavor:
+            enum:
+            - kubernetes
+            - cilium
+            type: string
         required:
         - enabled
         type: object

diff --git a/charts/kubedb-certified/values.yaml b/charts/kubedb-certified/values.yaml
@@ -104,6 +104,9 @@ global:
   # Controls the network policy creation
   networkPolicy:
     enabled: false
+    # flavor selects which network policy API is used.
+    # Accepted values: "kubernetes" (default) or "cilium".
+    flavor: kubernetes
 
   distro:
     openshift: false

diff --git a/charts/kubedb-opscenter/templates/_helpers.tpl b/charts/kubedb-opscenter/templates/_helpers.tpl
@@ -122,6 +122,35 @@ Returns whether the NetworkPolicy should be enabled
 {{- or .Values.global.networkPolicy.enabled (and .Values.networkPolicy .Values.networkPolicy.enabled) -}}
 {{- end }}
 
+{{/*
+Returns the configured NetworkPolicy flavor.
+"cilium" emits cilium.io/v2 CiliumNetworkPolicy; anything else emits the
+default networking.k8s.io/v1 NetworkPolicy.
+Local chart-scoped networkPolicy.flavor wins over the global value.
+*/}}
+{{- define "security.networkPolicyFlavor" -}}
+{{- $local := "" -}}
+{{- if and .Values.networkPolicy .Values.networkPolicy.flavor -}}
+{{- $local = .Values.networkPolicy.flavor -}}
+{{- end -}}
+{{- default (default "kubernetes" .Values.global.networkPolicy.flavor) $local -}}
+{{- end }}
+
+{{/*
+Returns "true" when CiliumNetworkPolicy resources should be emitted.
+*/}}
+{{- define "security.useCiliumNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (eq "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
+{{/*
+Returns "true" when the built-in networking.k8s.io/v1 NetworkPolicy resources
+should be emitted (the default flavor).
+*/}}
+{{- define "security.useKubernetesNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (ne "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
 {{/*
 Returns whether the OpenShift distribution is used
 */}}

diff --git a/charts/kubedb-opscenter/templates/cilium-network-policy.yaml b/charts/kubedb-opscenter/templates/cilium-network-policy.yaml
@@ -0,0 +1,20 @@
+{{- if eq "true" ( include "security.useCiliumNetworkPolicy" . ) }}
+# Allow the opscenter pods to reach the Kubernetes API server.
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ .Release.Name }}-egress-kubernetes-api
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  egress:
+  - toEntities:
+    - remote-node
+    - host
+    toPorts:
+    - ports:
+      - port: "6443"
+        protocol: TCP
+{{- end }}
diff --git a/charts/kubedb-opscenter/templates/network-policy.yaml b/charts/kubedb-opscenter/templates/network-policy.yaml
@@ -1,4 +1,4 @@
-{{- if eq "true" ( include "security.enableNetworkPolicy" . ) }}
+{{- if eq "true" ( include "security.useKubernetesNetworkPolicy" . ) }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:

diff --git a/charts/kubedb-opscenter/values.yaml b/charts/kubedb-opscenter/values.yaml
@@ -77,6 +77,9 @@ global:
   # Controls the network policy creation
   networkPolicy:
     enabled: false
+    # flavor selects which network policy API is used.
+    # Accepted values: "kubernetes" (default) or "cilium".
+    flavor: kubernetes
 
   distro:
     openshift: false

diff --git a/charts/kubedb-provisioner/templates/statefulset.yaml b/charts/kubedb-provisioner/templates/statefulset.yaml
@@ -101,6 +101,7 @@ spec:
         {{- end }}
         {{- if and .Values.global .Values.global.networkPolicy.enabled }}
         - --enable-network-policy=true
+        - --network-policy-flavor={{ default "kubernetes" .Values.global.networkPolicy.flavor }}
         {{- end }}
         {{- with .Values.envFrom }}
         envFrom:

diff --git a/charts/kubedb-webhook-server/templates/_helpers.tpl b/charts/kubedb-webhook-server/templates/_helpers.tpl
@@ -113,6 +113,39 @@ Returns whether the NetworkPolicy should be enabled
 {{- ternary "true" "false" .Values.networkPolicy.enabled -}}
 {{- end }}
 
+{{/*
+Returns the configured NetworkPolicy flavor.
+"cilium" emits cilium.io/v2 CiliumNetworkPolicy; anything else emits the
+default networking.k8s.io/v1 NetworkPolicy. The local chart's
+networkPolicy.flavor wins over the global value.
+*/}}
+{{- define "security.networkPolicyFlavor" -}}
+{{- $globalFlavor := "" -}}
+{{- if and .Values.global .Values.global.networkPolicy -}}
+{{- $globalFlavor = .Values.global.networkPolicy.flavor -}}
+{{- end -}}
+{{- $localFlavor := "" -}}
+{{- if and .Values.networkPolicy .Values.networkPolicy.flavor -}}
+{{- $localFlavor = .Values.networkPolicy.flavor -}}
+{{- end -}}
+{{- default (default "kubernetes" $globalFlavor) $localFlavor -}}
+{{- end }}
+
+{{/*
+Returns "true" when CiliumNetworkPolicy resources should be emitted.
+*/}}
+{{- define "security.useCiliumNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (eq "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
+{{/*
+Returns "true" when the built-in networking.k8s.io/v1 NetworkPolicy resources
+should be emitted (the default flavor).
+*/}}
+{{- define "security.useKubernetesNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (ne "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
 {{/*
 Returns whether the OpenShift distribution is used
 */}}

diff --git a/charts/kubedb-webhook-server/templates/cilium-network-policy.yaml b/charts/kubedb-webhook-server/templates/cilium-network-policy.yaml
@@ -0,0 +1,23 @@
+{{- if eq "true" ( include "security.useCiliumNetworkPolicy" . ) }}
+# Allow the kube-apiserver (via host / remote-node identities in Cilium) to
+# reach the webhook server's mutating, validating, and conversion endpoints.
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "kubedb-webhook-server.fullname" . }}-ingress-from-apiserver
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- include "kubedb-webhook-server.selectorLabels" . | nindent 6 }}
+  ingress:
+  - fromEntities:
+    - remote-node
+    - host
+    toPorts:
+    - ports:
+      - port: "8443"
+        protocol: TCP
+      - port: "9443"
+        protocol: TCP
+{{- end }}
diff --git a/charts/kubedb-webhook-server/templates/network-policy.yaml b/charts/kubedb-webhook-server/templates/network-policy.yaml
@@ -1,4 +1,4 @@
-{{- if eq "true" ( include "security.enableNetworkPolicy" . ) }}
+{{- if eq "true" ( include "security.useKubernetesNetworkPolicy" . ) }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:

diff --git a/charts/kubedb-webhook-server/values.openapiv3_schema.yaml b/charts/kubedb-webhook-server/values.openapiv3_schema.yaml
@@ -1402,6 +1402,11 @@ properties:
     properties:
       enabled:
         type: boolean
+      flavor:
+        enum:
+        - kubernetes
+        - cilium
+        type: string
     required:
     - enabled
     type: object

diff --git a/charts/kubedb-webhook-server/values.yaml b/charts/kubedb-webhook-server/values.yaml
@@ -161,6 +161,9 @@ hostNetwork: false
 
 networkPolicy:
   enabled: false
+  # flavor selects which network policy API is used.
+  # Accepted values: "kubernetes" (default) or "cilium".
+  flavor: kubernetes
 
 defaultSeccompProfileType: ""
 

diff --git a/charts/kubedb/templates/_helpers.tpl b/charts/kubedb/templates/_helpers.tpl
@@ -178,6 +178,35 @@ Returns whether the NetworkPolicy should be enabled
 {{- or .Values.global.networkPolicy.enabled (and .Values.networkPolicy .Values.networkPolicy.enabled) -}}
 {{- end }}
 
+{{/*
+Returns the configured NetworkPolicy flavor.
+"cilium" emits cilium.io/v2 CiliumNetworkPolicy; anything else emits the
+default networking.k8s.io/v1 NetworkPolicy.
+Local chart-scoped networkPolicy.flavor wins over the global value.
+*/}}
+{{- define "security.networkPolicyFlavor" -}}
+{{- $local := "" -}}
+{{- if and .Values.networkPolicy .Values.networkPolicy.flavor -}}
+{{- $local = .Values.networkPolicy.flavor -}}
+{{- end -}}
+{{- default (default "kubernetes" .Values.global.networkPolicy.flavor) $local -}}
+{{- end }}
+
+{{/*
+Returns "true" when CiliumNetworkPolicy resources should be emitted.
+*/}}
+{{- define "security.useCiliumNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (eq "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
+{{/*
+Returns "true" when the built-in networking.k8s.io/v1 NetworkPolicy resources
+should be emitted (the default flavor).
+*/}}
+{{- define "security.useKubernetesNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (ne "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
 {{/*
 Returns whether the OpenShift distribution is used
 */}}