Recommended values

workload:
  type: statefulset # HA across AZs
  replicas: 2

networking:
  mode: pod
  disableIPv6: true

tunDevice:
  enabled: true

# Spread replicas across AZs
affinity:
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchLabels:
            app.kubernetes.io/name: kubernetes-netskope-publisher
        topologyKey: topology.kubernetes.io/zone

Pod Security Admission

The Publisher must run as a privileged pod, which the baseline and
restricted Pod Security Standards reject. On clusters where the install
namespace enforces baseline or restricted, relabel it to privileged:

kubectl label namespace npa-publisher \
  pod-security.kubernetes.io/enforce=privileged \
  --overwrite

The label applies to every pod in the namespace, so give the Publisher
its own namespace rather than relaxing a shared one. Only the enforce
mode is changed here; a warn or audit label left at baseline or
restricted keeps producing warnings and audit events for the Publisher
pods, so set those too if you want them quiet.
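A pre-install check for the namespace, added here as an example (it is not part of the chart or the Netskope documentation). It reads the namespace's pod-security labels, decides whether the enforce level would reject a privileged pod, and then asks the API server directly with a server-side dry run of a minimal privileged Pod, which also exercises cluster-wide PSA defaults and any other admission webhooks that a label check cannot see. The namespace name `npa-publisher`, the `psa-probe` Pod name and the `busybox` image are assumptions; the live check only runs when a namespace is passed as the first argument, so the parsing functions can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example: verify that the install namespace will admit a privileged
# pod before installing the Publisher chart. Not part of the chart.
# Assumes kubectl is on PATH and pointed at the target cluster when a
# namespace argument is given; with no argument nothing touches a cluster.
set -euo pipefail

# Extract the value of one pod-security.kubernetes.io/<mode> label from the
# JSON map that `kubectl get ns -o jsonpath='{.metadata.labels}'` prints.
# Prints an empty string when the label is absent.
psa_level() {  # $1 = labels JSON, $2 = mode (enforce|audit|warn)
  printf '%s' "$1" | sed -n "s/.*\"pod-security.kubernetes.io\/$2\":\"\([a-z]*\)\".*/\1/p"
}

# PSA rejects a privileged container only when enforce is baseline or
# restricted. An absent enforce label means no namespace-level enforcement;
# cluster-wide defaults from the API server's AdmissionConfiguration are not
# visible in labels, which is why the dry run below is still needed.
admits_privileged() {  # $1 = enforce level; returns 0 if admitted
  case "$1" in
    ""|privileged) return 0 ;;
    baseline|restricted) return 1 ;;
    *) echo "unknown enforce level: $1" >&2; return 2 ;;
  esac
}

# Minimal privileged Pod mirroring what the Publisher needs from admission.
# Only ever applied with --dry-run=server, so it is never created.
probe_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: psa-probe
spec:
  restartPolicy: Never
  containers:
    - name: probe
      image: busybox:1.36
      command: ["true"]
      securityContext:
        privileged: true
EOF
}

check_namespace() {  # $1 = namespace
  local labels enforce
  labels="$(kubectl get namespace "$1" -o jsonpath='{.metadata.labels}')"
  enforce="$(psa_level "$labels" enforce)"
  echo "namespace=$1 enforce=${enforce:-<unset>}" \
       "warn=$(psa_level "$labels" warn) audit=$(psa_level "$labels" audit)"
  if ! admits_privileged "$enforce"; then
    echo "enforce=$enforce would reject the Publisher; relabel before installing" >&2
    return 1
  fi
  # Let the API server decide, including webhooks (Gatekeeper, Kyverno, ...).
  probe_manifest | kubectl apply --dry-run=server -n "$1" -f -
}

# Usage: ./psa-check.sh npa-publisher
if [ "$#" -gt 0 ]; then
  check_namespace "$1"
fi
```

If the dry run is rejected even though the enforce label is `privileged`, the rejection comes from something other than the namespace label (a cluster-wide PSA default or a policy webhook), and relabelling the namespace again will not help; the error message names the admission plugin or webhook responsible.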

NAT gateway

Run the worker nodes in private subnets whose default route goes through
a NAT gateway with a stable Elastic IP, so the Publisher's egress address
is predictable and can be allow-listed in Netskope policy. If the nodes
sit in public subnets, each node's own public IP becomes the egress
address and changes whenever the node is replaced.

IRSA

The chart’s ServiceAccount doesn’t need AWS permissions; the Publisher
makes no AWS API calls. Don’t attach an IRSA role unless you have
other reasons to.

Quirks

  • Bottlerocket nodes: /dev/net/tun is present on the host. Pod Security
    Admission is enforced from namespace labels by the API server, not by
    the node OS, so a namespace at baseline or restricted still needs the
    label above.
  • Fargate is unsupported. Fargate does not allow privileged pods, so the
    Publisher cannot run there. Use EC2 node groups.
  • EKS Auto Mode: works, but the install namespace must still allow
    privileged pods as above.