diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index 64438b6..9e01506 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md @@ -210,7 +210,7 @@ helm install cryostat ./charts/cryostat | `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | `""` | | `podAnnotations` | Annotations to be applied to the Cryostat Pod | `{}` | | `podSecurityContext` | Security Context for the Cryostat Pod. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [PodSecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) | `{}` | -| `networkPolicy.ingress.enabled` | whether a NetworkPolicy for restricting Cryostat component Services' traffic is installed. | `true` | +| `networkPolicy.ingress.enabled` | whether a NetworkPolicy for restricting Cryostat component Pods' traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods. | `true` | | `nodeSelector` | Node Selector for the Cryostat Pod. See: [NodeSelector](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` | | `tolerations` | Tolerations for the Cryostat Pod. See: [Tolerations](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `[]` | | `affinity` | Affinity for the Cryostat Pod. See: [Affinity](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` | diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 306ccf6..7cc9a84 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json @@ -995,7 +995,7 @@ "properties": { "enabled": { "type": "boolean", - "description": "whether a NetworkPolicy for restricting Cryostat component Services' traffic is installed.", + "description": "whether a NetworkPolicy for restricting Cryostat component Pods' traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods.", "default": true } } diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index f6ed41b..afbf7d5 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml @@ -358,7 +358,7 @@ podSecurityContext: networkPolicy: ingress: - ## @param networkPolicy.ingress.enabled whether a NetworkPolicy for restricting Cryostat component Services' traffic is installed. + ## @param networkPolicy.ingress.enabled whether a NetworkPolicy for restricting Cryostat component Pods' traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods. enabled: true ## @param nodeSelector [object] Node Selector for the Cryostat Pod. See: [NodeSelector](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling)