  Netskope tenant ( *.goskope.com )
                  │ outbound 443 + DTLS to stitchers
┌─────────────────┴─────────────────┐
│ Pod (publisher)                   │
│                                   │
│ init: npa-bootstrap               │
│   - resolves tenant URL           │
│   - mints/looks up Publisher via  │
│     Netskope REST API             │
│   - writes /etc/npa registration  │
│                                   │
│ container: publisher              │
│   - configures pod/host netns     │
│   - configures iptables + sysctl  │
│   - creates tun0                  │
│   - runs npa_publisher binary     │
│                                   │
│ sidecar: local-dns (pod mode)     │
│   - dnsmasq -> cluster DNS        │
└───────────────────────────────────┘

What the chart deploys

Object                     Purpose
DaemonSet or StatefulSet   Hosts the Publisher pod(s). Chosen via workload.type.
Headless Service           Stable network identity for StatefulSet members.
ConfigMap                  Optional override of settings.json (customSettings.enabled).
Secret                     Receives the registration token in mode: token. In mode: api you bring your own API-token Secret.
PersistentVolumeClaim      Optional, created when persistence.enabled: true.
ServiceAccount             Identity for the Publisher pod(s), so that API-mode pods can call the Kubernetes API if they ever need to. No in-cluster RBAC is currently required.

Container layout

A single pod contains:

  1. init container (npa-bootstrap): performs enrollment exactly once
     per pod start, then exits.
  2. publisher container: runs the long-lived npa_publisher binary.
  3. local-dns sidecar (pod network mode only): runs dnsmasq as a thin
     127.0.0.1:53 proxy to the Kubernetes cluster DNS.

The publisher binary owns the tun0 interface inside the pod (or the
host, depending on networking.mode).

What it does not do

  • Run any controller pod.
  • Mutate cluster-wide resources outside the install namespace.
  • Provide a CRD. Configuration is plain Helm values.
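The objects above and the three-container layout are easy to check mechanically after `helm template`. The script below is an added example, not part of this chart or of Netskope's code: it audits a rendered manifest list for the object kinds listed under "What the chart deploys", rejects anything cluster-scoped (which would contradict "What it does not do"), and checks that the pod template has exactly the init/publisher/local-dns layout for the chosen networking mode. The manifests it builds in sample_chart() are a constructed stand-in for chart output; the env var name NPA_REGISTRATION_TOKEN, the Secret name, the values "pod"/"host" for networking.mode, and the expectation that only the publisher container carries CAP_NET_ADMIN (it is the one that creates tun0 and programs iptables) are this example's assumptions, not documented chart facts.

```python
"""Audit a rendered Publisher chart against the layout described in this README.

Added example; not the chart's own code. sample_chart() is constructed data
standing in for `helm template` output. The env var name, Secret name,
networking.mode values and the NET_ADMIN expectation are assumptions.
"""

# Namespaced kinds the README says the chart may emit.
ALLOWED_KINDS = {"DaemonSet", "StatefulSet", "Service", "ConfigMap", "Secret",
                 "PersistentVolumeClaim", "ServiceAccount"}
# Cluster-scoped kinds whose presence would contradict "does not mutate
# cluster-wide resources" and "does not provide a CRD".
CLUSTER_SCOPED = {"Namespace", "ClusterRole", "ClusterRoleBinding",
                  "CustomResourceDefinition", "MutatingWebhookConfiguration",
                  "ValidatingWebhookConfiguration"}


def audit_manifests(docs, networking_mode="pod"):
    """Return a list of findings; an empty list means the render matches the README."""
    findings, workloads = [], []
    for d in docs:
        kind, name = d.get("kind"), d.get("metadata", {}).get("name", "?")
        if kind in CLUSTER_SCOPED:
            findings.append(f"{kind}/{name}: cluster-scoped object emitted")
        elif kind not in ALLOWED_KINDS:
            findings.append(f"{kind}/{name}: unexpected object kind")
        elif kind in ("DaemonSet", "StatefulSet"):
            workloads.append(d)
    if len(workloads) != 1:
        findings.append(f"expected one DaemonSet or StatefulSet, found {len(workloads)}")
        return findings
    pod = workloads[0]["spec"]["template"]["spec"]
    return findings + audit_pod_spec(pod, networking_mode)


def audit_pod_spec(pod, networking_mode):
    """Check init/container layout, network namespace mode and per-container privilege."""
    findings = []
    inits = [c["name"] for c in pod.get("initContainers", [])]
    if inits != ["npa-bootstrap"]:
        findings.append(f"init containers {inits}, expected ['npa-bootstrap']")
    names = sorted(c["name"] for c in pod.get("containers", []))
    expected = sorted(["publisher"] + (["local-dns"] if networking_mode == "pod" else []))
    if names != expected:
        findings.append(f"containers {names}, expected {expected}")
    if networking_mode == "host" and not pod.get("hostNetwork", False):
        findings.append("networking.mode=host but pod.spec.hostNetwork is not set")
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        sc = c.get("securityContext", {})
        caps = set(sc.get("capabilities", {}).get("add", []))
        privileged = sc.get("privileged", False)
        if c["name"] == "publisher":
            # Assumption: tun0 creation and iptables programming need CAP_NET_ADMIN.
            if "NET_ADMIN" not in caps and not privileged:
                findings.append("publisher: lacks NET_ADMIN, cannot create tun0 or program iptables")
        elif caps or privileged:
            findings.append(f"{c['name']}: holds extra privilege it does not need")
        for env in c.get("env", []):
            # A registration token must arrive via the Secret, never as a literal.
            if "token" in env["name"].lower() and "value" in env:
                findings.append(f"{c['name']}: {env['name']} is a literal, should be a secretKeyRef")
    return findings


def sample_chart(workload_type="DaemonSet", networking_mode="pod",
                 token_literal=False, extra_docs=()):
    """Constructed stand-in for `helm template` output (sample data, not real chart output)."""
    token_env = {"name": "NPA_REGISTRATION_TOKEN"}  # assumed variable name
    if token_literal:
        token_env["value"] = "REDACTED-TOKEN"  # the mistake the audit should catch
    else:
        token_env["valueFrom"] = {"secretKeyRef": {"name": "npa-publisher", "key": "token"}}
    containers = [{"name": "publisher", "image": "publisher:latest",
                   "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}]
    if networking_mode == "pod":
        containers.append({"name": "local-dns", "image": "dnsmasq:latest"})
    pod = {"hostNetwork": networking_mode == "host",
           "initContainers": [{"name": "npa-bootstrap", "image": "bootstrap:latest",
                               "env": [token_env]}],
           "containers": containers}
    docs = [
        {"kind": workload_type, "metadata": {"name": "npa-publisher"},
         "spec": {"template": {"spec": pod}}},
        {"kind": "Secret", "metadata": {"name": "npa-publisher"}},
        {"kind": "ServiceAccount", "metadata": {"name": "npa-publisher"}},
    ]
    if workload_type == "StatefulSet":  # headless Service only accompanies a StatefulSet
        docs.append({"kind": "Service", "metadata": {"name": "npa-publisher"},
                     "spec": {"clusterIP": "None"}})
    return docs + list(extra_docs)


if __name__ == "__main__":
    print("clean render:", audit_manifests(sample_chart()))
    bad = sample_chart(token_literal=True,
                       extra_docs=[{"kind": "ClusterRole", "metadata": {"name": "npa"}}])
    for finding in audit_manifests(bad):
        print("finding:", finding)
```

To run it against a real render, replace sample_chart() with the documents from `helm template ... | yq -o=json` (or any YAML loader) and pass the networking.mode you set in values; anything the audit reports is either a chart regression or a local override worth a second look.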