Networking

This page describes the network requirements for Kannika Armory.

Cross-namespace communication

When the platform is installed in a different namespace than the resources (e.g. kannika-system and kannika-data), backup and restore pods need to communicate with the API server and vice versa.

If you are using Kubernetes NetworkPolicies or a service mesh that restricts cross-namespace traffic, the following ports must be open between the two namespaces.

Port overview

Port	Direction	Source	Target	Purpose
9000	Resource → System	Backup/Restore pods	API server	Prometheus metrics scraping
8082	Resource → System	Backup/Restore pods	API Event Gateway	Push metrics and events

Metrics port (9000)

Every backup pod and restore job exposes a /metrics endpoint on port 9000 in the Prometheus format. The API server scrapes this endpoint to track progress.

When pods run in a separate resource namespace, the API server in the system namespace must be able to reach port 9000 on the pods.

See Metrics for more details.

Event Gateway port (8082)

Backup and restore pods push status events (started, stopped) to the API’s Event Gateway service on port 8082. The Armory console uses these events to display real-time progress.

When pods run in a separate resource namespace, they must be able to reach the event-gateway service in the system namespace on port 8082.

See Push metrics for more details on the Event Gateway configuration.

Example NetworkPolicy

The following NetworkPolicy allows backup and restore pods in the resource namespace to communicate with the API server in the system namespace:

network-policy.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-armory-cross-namespace
  namespace: kannika-data
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kannika-system
      ports:
        - protocol: TCP
          port: 8082
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-armory-metrics-scraping
  namespace: kannika-data
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kannika-system
      ports:
        - protocol: TCP
          port: 9000

Note

The exact labels and selectors depend on your cluster configuration. Adjust the namespaceSelector and podSelector to match your setup.