Commit c8080eb

docs: Add documentation for feature flag (#197)
Approved-by: rhuss
Approved-by: nathan-weinberg
1 parent e834c57 commit c8080eb

1 file changed

+31
-0
lines changed

README.md

Lines changed: 31 additions & 0 deletions
@@ -15,6 +15,7 @@ This repo hosts a kubernetes operator that is responsible for creating and manag
1515
- [Quick Start](#quick-start)
1616
- [Installation](#installation)
1717
- [Deploying Llama Stack Server](#deploying-the-llama-stack-server)
18+
- [Enabling Network Policies](#enabling-network-policies)
1819
- [Developer Guide](#developer-guide)
1920
- [Prerequisites](#prerequisites)
2021
- [Building the Operator](#building-the-operator)
@@ -103,6 +104,36 @@ Example to create a run.yaml ConfigMap, and a LlamaStackDistribution that refere
103104
kubectl apply -f config/samples/example-with-configmap.yaml
104105
```
105106

107+
## Enabling Network Policies
108+
109+
The operator can create an ingress-only `NetworkPolicy` for every `LlamaStackDistribution` to ensure traffic is limited to:
110+
- Other pods in the same namespace that are part of the Llama Stack deployment (`app.kubernetes.io/part-of: llama-stack`)
111+
- Components that run inside the operator namespace (default: `llama-stack-k8s-operator-system`)
112+
113+
This behavior is guarded by a feature flag and is disabled by default to avoid interfering with existing cluster-level policies. To enable it:
114+
115+
1. Identify the namespace where the operator is running. If you used the provided manifests, it is `llama-stack-k8s-operator-system`.
116+
2. Create or update the `llama-stack-operator-config` ConfigMap in that namespace so the `featureFlags` entry enables the network policy flag.
117+
118+
```bash
119+
cat <<'EOF' > feature-flags.yaml
120+
apiVersion: v1
121+
kind: ConfigMap
122+
metadata:
123+
name: llama-stack-operator-config
124+
namespace: llama-stack-k8s-operator-system
125+
data:
126+
featureFlags: |
127+
enableNetworkPolicy:
128+
enabled: true
129+
EOF
130+
131+
kubectl apply -f feature-flags.yaml
132+
```
133+
134+
Within the next reconciliation loop the operator will begin creating a `<name>-network-policy` resource for each distribution.
135+
Set `enabled: false` (or remove the block) to turn the feature back off; the operator will delete the previously managed policies.
136+
106137
## Developer Guide
107138

108139
### Prerequisites
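
Review bot: The opening sentence of the new "Enabling Network Policies" section says the policy will "ensure traffic is limited", but the same sentence describes it as ingress-only, so egress from the distribution pods stays unrestricted, and a NetworkPolicy object has no effect unless the cluster's network plugin enforces it. Suggest stating both limits in the section and adding a verification step after `kubectl apply -f feature-flags.yaml`, for example `kubectl get networkpolicy -n <namespace>`, so readers can confirm that the `<name>-network-policy` objects exist. Two smaller points: the first bullet admits any pod in the namespace that carries `app.kubernetes.io/part-of: llama-stack`, so the docs should note that whoever can set labels in that namespace can grant access; and `featureFlags: |` is a single block value, so applying this manifest replaces any flags already stored under that key, which step 2 ("Create or update") should warn about. The closing line should also say that setting `enabled: false` deletes the policies and leaves the distributions without the ingress restriction.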
