@smasset-orange smasset-orange commented Jan 13, 2026

Pull Request

What? (description)

Although not enabled by default, the Flannel Helm chart enables NetworkPolicy support by setting the netpol.enabled value (see documentation).

This PR adds an extra kubeNetworkPoliciesEnabled field in FlannelCNIConfig to mimic that.

Why? (reasoning)

Even if it is not enabled by default, it should be possible to automatically deploy a cluster with the default CNI with support for NetworkPolicy.

Fixes #11707 without enabling NetworkPolicy by default and without adding CNI plugins in the default Talos image and only with customizing existing manifests depending on configuration.

Acceptance

Please use the following checklist:

  • you linked an issue (if applicable)
  • you included tests (if applicable)
  • you ran conformance (make conformance)
  • you formatted your code (make fmt)
  • you linted your code (make lint)
  • you generated documentation (make docs)
  • you ran unit-tests (make unit-tests)

See make help for a description of the available targets.

…twork policies with flannel

Small changes before adding the feature

Signed-off-by: Sébastien Masset <[email protected]>
Add boolean in cluster flannel CNI config to deploy extra resources to
handle network policies. Inspired by flannel Helm chart handling of
netpol.enabled value (cf. https://github.com/flannel-io/flannel/blob/master/Documentation/netpol.md)

Signed-off-by: Sébastien Masset <[email protected]>

smira (Member) commented Jan 14, 2026

Thank you, this looks really interesting, couple of thoughts (not something that I would force on this PR, but some thoughts in general):

  • we need e2e test to verify that network policies work
  • should we deploy some network policies by default? (is there any default component that would benefit from it?)
  • probably it makes sense to split the CNI config into its own multi-doc instead of modifying the monolith config (?)

Successfully merging this pull request may close these issues.

Feature request: NetworkPolicy support by default
