kubeops · tamalsaha · May 18, 2026
diff --git a/apis/installer/v1alpha1/types.go b/apis/installer/v1alpha1/types.go
@@ -121,6 +121,19 @@ type TLSConfig struct {
 	InsecureSkipTLSVerify bool   `json:"insecureSkipTLSVerify"`
 }
 
+// NetworkPolicyFlavor selects which API flavor is used when network policies
+// are emitted. Defaults to "kubernetes".
+// +kubebuilder:validation:Enum=kubernetes;cilium
+type NetworkPolicyFlavor string
+
+const (
+	NetworkPolicyFlavorKubernetes NetworkPolicyFlavor = "kubernetes"
+	NetworkPolicyFlavorCilium     NetworkPolicyFlavor = "cilium"
+)
+
 type NetworkPolicySpec struct {
 	Enabled bool `json:"enabled"`
+	// +optional
+	// +kubebuilder:default=kubernetes
+	Flavor NetworkPolicyFlavor `json:"flavor,omitempty"`
 }
diff --git a/charts/petset/templates/_helpers.tpl b/charts/petset/templates/_helpers.tpl
@@ -113,6 +113,39 @@ Returns whether the NetworkPolicy should be enabled
 {{- ternary "true" "false" .Values.networkPolicy.enabled -}}
 {{- end }}
 
+{{/*
+Returns the configured NetworkPolicy flavor.
+"cilium" emits cilium.io/v2 CiliumNetworkPolicy; anything else emits the
+default networking.k8s.io/v1 NetworkPolicy. The local chart's
+networkPolicy.flavor wins over the global value.
+*/}}
+{{- define "security.networkPolicyFlavor" -}}
+{{- $globalFlavor := "" -}}
+{{- if and .Values.global .Values.global.networkPolicy -}}
+{{- $globalFlavor = .Values.global.networkPolicy.flavor -}}
+{{- end -}}
+{{- $localFlavor := "" -}}
+{{- if and .Values.networkPolicy .Values.networkPolicy.flavor -}}
+{{- $localFlavor = .Values.networkPolicy.flavor -}}
+{{- end -}}
+{{- default (default "kubernetes" $globalFlavor) $localFlavor -}}
+{{- end }}
+
+{{/*
+Returns "true" when CiliumNetworkPolicy resources should be emitted.
+*/}}
+{{- define "security.useCiliumNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (eq "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
+{{/*
+Returns "true" when the built-in networking.k8s.io/v1 NetworkPolicy resources
+should be emitted (the default flavor).
+*/}}
+{{- define "security.useKubernetesNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (ne "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
 {{/*
 Returns whether the OpenShift distribution is used
 */}}

diff --git a/charts/petset/templates/cilium-network-policy.yaml b/charts/petset/templates/cilium-network-policy.yaml
@@ -0,0 +1,40 @@
+{{- if eq "true" ( include "security.useCiliumNetworkPolicy" . ) }}
+# Allow the kube-apiserver (via host / remote-node identities in Cilium) to
+# reach the PetSet webhook server's conversion and validation endpoints.
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "petset.fullname" . }}-ingress-from-apiserver
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- include "petset.selectorLabels" . | nindent 6 }}
+  ingress:
+  - fromEntities:
+    - remote-node
+    - host
+    toPorts:
+    - ports:
+      - port: "9443"
+        protocol: TCP
+---
+# Allow the petset operator pods to reach the Kubernetes API server.
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "petset.fullname" . }}-egress-kubernetes-api
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- include "petset.selectorLabels" . | nindent 6 }}
+  egress:
+  - toEntities:
+    - remote-node
+    - host
+    toPorts:
+    - ports:
+      - port: "6443"
+        protocol: TCP
+{{- end }}
diff --git a/charts/petset/templates/network-policy.yaml b/charts/petset/templates/network-policy.yaml
@@ -1,4 +1,4 @@
-{{- if eq "true" ( include "security.enableNetworkPolicy" . ) }}
+{{- if eq "true" ( include "security.useKubernetesNetworkPolicy" . ) }}
 
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy

diff --git a/charts/petset/values.openapiv3_schema.yaml b/charts/petset/values.openapiv3_schema.yaml
@@ -1729,6 +1729,11 @@ properties:
     properties:
       enabled:
         type: boolean
+      flavor:
+        enum:
+        - kubernetes
+        - cilium
+        type: string
     required:
     - enabled
     type: object

diff --git a/charts/petset/values.yaml b/charts/petset/values.yaml
@@ -109,6 +109,9 @@ monitoring:
 
 networkPolicy:
   enabled: false
+  # flavor selects which network policy API is used.
+  # Accepted values: "kubernetes" (default) or "cilium".
+  flavor: kubernetes
 
 distro:
   # Set true, if installed in OpenShift

diff --git a/charts/sidekick/templates/_helpers.tpl b/charts/sidekick/templates/_helpers.tpl
@@ -113,6 +113,39 @@ Returns whether the NetworkPolicy should be enabled
 {{- ternary "true" "false" .Values.networkPolicy.enabled -}}
 {{- end }}
 
+{{/*
+Returns the configured NetworkPolicy flavor.
+"cilium" emits cilium.io/v2 CiliumNetworkPolicy; anything else emits the
+default networking.k8s.io/v1 NetworkPolicy. The local chart's
+networkPolicy.flavor wins over the global value.
+*/}}
+{{- define "security.networkPolicyFlavor" -}}
+{{- $globalFlavor := "" -}}
+{{- if and .Values.global .Values.global.networkPolicy -}}
+{{- $globalFlavor = .Values.global.networkPolicy.flavor -}}
+{{- end -}}
+{{- $localFlavor := "" -}}
+{{- if and .Values.networkPolicy .Values.networkPolicy.flavor -}}
+{{- $localFlavor = .Values.networkPolicy.flavor -}}
+{{- end -}}
+{{- default (default "kubernetes" $globalFlavor) $localFlavor -}}
+{{- end }}
+
+{{/*
+Returns "true" when CiliumNetworkPolicy resources should be emitted.
+*/}}
+{{- define "security.useCiliumNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (eq "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
+{{/*
+Returns "true" when the built-in networking.k8s.io/v1 NetworkPolicy resources
+should be emitted (the default flavor).
+*/}}
+{{- define "security.useKubernetesNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (ne "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
 {{/*
 Returns whether the OpenShift distribution is used
 */}}

diff --git a/charts/sidekick/templates/cilium-network-policy.yaml b/charts/sidekick/templates/cilium-network-policy.yaml
@@ -0,0 +1,20 @@
+{{- if eq "true" ( include "security.useCiliumNetworkPolicy" . ) }}
+# Allow the sidekick operator pods to reach the Kubernetes API server.
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "sidekick.fullname" . }}-egress-kubernetes-api
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- include "sidekick.selectorLabels" . | nindent 6 }}
+  egress:
+  - toEntities:
+    - remote-node
+    - host
+    toPorts:
+    - ports:
+      - port: "6443"
+        protocol: TCP
+{{- end }}
diff --git a/charts/sidekick/templates/network-policy.yaml b/charts/sidekick/templates/network-policy.yaml
@@ -1,4 +1,4 @@
-{{- if eq "true" ( include "security.enableNetworkPolicy" . ) }}
+{{- if eq "true" ( include "security.useKubernetesNetworkPolicy" . ) }}
 
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy

diff --git a/charts/sidekick/values.openapiv3_schema.yaml b/charts/sidekick/values.openapiv3_schema.yaml
@@ -1706,6 +1706,11 @@ properties:
     properties:
       enabled:
         type: boolean
+      flavor:
+        enum:
+        - kubernetes
+        - cilium
+        type: string
     required:
     - enabled
     type: object

diff --git a/charts/sidekick/values.yaml b/charts/sidekick/values.yaml
@@ -109,6 +109,9 @@ monitoring:
 
 networkPolicy:
   enabled: false
+  # flavor selects which network policy API is used.
+  # Accepted values: "kubernetes" (default) or "cilium".
+  flavor: kubernetes
 
 distro:
   # Set true, if installed in OpenShift