deckhouse · nervgh · Feb 20, 2026 · Feb 11, 2026 · Feb 17, 2026 · Feb 18, 2026
diff --git a/cmd/werf/build/main.go b/cmd/werf/build/main.go
@@ -117,6 +117,7 @@ func NewCmd(ctx context.Context) *cobra.Command {
 	common.SetupProjectName(&commonCmdData, cmd, false)
 
 	commonCmdData.SetupPlatform(cmd)
+	commonCmdData.SetupBackendNetwork(cmd)
 
 	commonCmdData.SetupSkipImageSpecStage(cmd)
 	commonCmdData.SetupDebugTemplates(cmd)

diff --git a/cmd/werf/bundle/publish/publish.go b/cmd/werf/bundle/publish/publish.go
@@ -134,6 +134,7 @@ func NewCmd(ctx context.Context) *cobra.Command {
 
 	common.SetupRequireBuiltImages(&commonCmdData, cmd)
 	commonCmdData.SetupPlatform(cmd)
+	commonCmdData.SetupBackendNetwork(cmd)
 
 	commonCmdData.SetupSkipImageSpecStage(cmd)
 	commonCmdData.SetupDebugTemplates(cmd)

diff --git a/cmd/werf/common/cmd_data.go b/cmd/werf/common/cmd_data.go
@@ -53,6 +53,7 @@ type CmdData struct {
 	UseCustomTag *string
 
 	Synchronization    *string
+	BackendNetwork     *string
 	Parallel           *bool
 	ParallelTasksLimit *int64
 
@@ -246,6 +247,15 @@ func (cmdData *CmdData) SetupAllowIncludesUpdate(cmd *cobra.Command) {
 	cmd.Flags().BoolVarP(&cmdData.AllowIncludesUpdate, "allow-includes-update", "", util.GetBoolEnvironmentDefaultFalse("WERF_ALLOW_INCLUDES_UPDATE"), `Allow use includes latest versions (default $WERF_ALLOW_INCLUDES_UPDATE or false)`)
 }
 
+func (cmdData *CmdData) SetupBackendNetwork(cmd *cobra.Command) {
+	cmdData.BackendNetwork = new(string)
+	cmd.Flags().StringVarP(cmdData.BackendNetwork, "backend-network", "", os.Getenv("WERF_BACKEND_NETWORK"), "Network mode for the build containers ($WERF_BACKEND_NETWORK or nothing by default)")
+}
+
+func (cmdData *CmdData) GetBackendNetwork() string {
+	return option.PtrValueOrDefault(cmdData.BackendNetwork, "")
+}
+
 func (cmdData *CmdData) SetupIncludesLsFilter(cmd *cobra.Command) {
 	cmdData.IncludesLsFilter = new(string)
 	cmd.Flags().StringVar(cmdData.IncludesLsFilter, "filter", os.Getenv("WERF_INCLUDES_LIST_FILTER"), "Filter by source, e.g. --filter=source=local,remoteRepo (default $WERF_INCLUDES_LIST_FILTER or all sources).")

diff --git a/cmd/werf/common/conveyor_options.go b/cmd/werf/common/conveyor_options.go
@@ -150,6 +150,7 @@ func GetBuildOptions(ctx context.Context, commonCmdData *CmdData, werfConfig *co
 		ImageBuildOptions: container_backend.BuildOptions{
 			IntrospectAfterError:  GetIntrospectAfterError(commonCmdData),
 			IntrospectBeforeError: GetIntrospectBeforeError(commonCmdData),
+			Network:               commonCmdData.GetBackendNetwork(),
 		},
 		IntrospectOptions:       introspectOptions,
 		ManifestSigningOptions:  manifestSigningOptions,

diff --git a/cmd/werf/compose/main.go b/cmd/werf/compose/main.go
@@ -340,6 +340,7 @@ func newCmd(ctx context.Context, composeCmdName string, options *newCmdOptions)
 	common.SetupProjectName(&commonCmdData, cmd, false)
 
 	commonCmdData.SetupPlatform(cmd)
+	commonCmdData.SetupBackendNetwork(cmd)
 	commonCmdData.SetupDebugTemplates(cmd)
 
 	cmd.Flags().StringVarP(&cmdData.RawComposeOptions, "docker-compose-options", "", os.Getenv("WERF_DOCKER_COMPOSE_OPTIONS"), "Define docker-compose options (default $WERF_DOCKER_COMPOSE_OPTIONS)")
@@ -502,7 +503,12 @@ func run(ctx context.Context, containerBackend container_backend.ContainerBacken
 						return err
 					}
 				} else {
-					if _, err := c.Build(ctx, build.BuildOptions{SkipImageMetadataPublication: *commonCmdData.Dev}); err != nil {
+					buildOptions, err := common.GetBuildOptions(ctx, &commonCmdData, werfConfig, imagesToProcess)
+					if err != nil {
+						return err
+					}
+
+					if _, err := c.Build(ctx, buildOptions); err != nil {
 						return err
 					}
 				}

diff --git a/cmd/werf/converge/converge.go b/cmd/werf/converge/converge.go
@@ -139,6 +139,7 @@ werf converge --repo registry.mydomain.com/web --env production`,
 	common.SetupParallelOptions(&commonCmdData, cmd, common.DefaultBuildParallelTasksLimit)
 	common.SetupRequireBuiltImages(&commonCmdData, cmd)
 	commonCmdData.SetupPlatform(cmd)
+	commonCmdData.SetupBackendNetwork(cmd)
 	common.SetupFollow(&commonCmdData, cmd)
 
 	common.SetupDisableAutoHostCleanup(&commonCmdData, cmd)

diff --git a/cmd/werf/export/export.go b/cmd/werf/export/export.go
@@ -130,6 +130,7 @@ func NewExportCmd(ctx context.Context) *cobra.Command {
 	common.SetupVirtualMerge(&commonCmdData, cmd)
 
 	commonCmdData.SetupPlatform(cmd)
+	commonCmdData.SetupBackendNetwork(cmd)
 	commonCmdData.SetupDebugTemplates(cmd)
 	commonCmdData.SetupFinalImagesOnly(cmd, true)
 	commonCmdData.SetupAllowIncludesUpdate(cmd)
@@ -261,7 +262,7 @@ func run(ctx context.Context, imageNameListFromArgs, tagTemplateList []string, e
 					return err
 				}
 			} else {
-				if _, err := c.Build(ctx, build.BuildOptions{SkipImageMetadataPublication: *commonCmdData.Dev}); err != nil {
+				if _, err := c.Build(ctx, buildOptions); err != nil {
 					return err
 				}
 			}

diff --git a/cmd/werf/helm/get_autogenerated_values.go b/cmd/werf/helm/get_autogenerated_values.go
@@ -108,6 +108,7 @@ func NewGetAutogeneratedValuesCmd(ctx context.Context) *cobra.Command {
 
 	common.SetupRequireBuiltImages(&commonCmdData, cmd)
 	commonCmdData.SetupPlatform(cmd)
+	commonCmdData.SetupBackendNetwork(cmd)
 
 	commonCmdData.SetupSkipImageSpecStage(cmd)
 	commonCmdData.SetupDebugTemplates(cmd)

diff --git a/cmd/werf/kube_run/kube_run.go b/cmd/werf/kube_run/kube_run.go
@@ -193,6 +193,7 @@ func NewCmd(ctx context.Context) *cobra.Command {
 	common.SetupVirtualMerge(&commonCmdData, cmd)
 
 	commonCmdData.SetupPlatform(cmd)
+	commonCmdData.SetupBackendNetwork(cmd)
 
 	cmd.Flags().StringVarP(&cmdData.Pod, "pod", "", os.Getenv("WERF_POD"), "Set created pod name (default $WERF_POD or autogenerated if not specified)")
 	cmd.Flags().StringVarP(&cmdData.Overrides, "overrides", "", os.Getenv("WERF_OVERRIDES"), "Inline JSON to override/extend any fields in created Pod, e.g. to add imagePullSecrets field (default $WERF_OVERRIDES). %pod_name%, %container_name%, and %container_image% will be replaced with the names of the created pod, container, and container image, respectively.")
@@ -384,12 +385,17 @@ func run(ctx context.Context, pod, secret, namespace string, werfConfig *config.
 				return fmt.Errorf("unable to get full name for image %q: %w", imageName, err)
 			}
 		} else {
+			buildOptions, err := common.GetBuildOptions(ctx, &commonCmdData, werfConfig, imagesToProcess)
+			if err != nil {
+				return err
+			}
+
 			if common.GetRequireBuiltImages(&commonCmdData) {
 				if _, err := c.ShouldBeBuilt(ctx, build.ShouldBeBuiltOptions{}); err != nil {
 					return err
 				}
 			} else {
-				if _, err := c.Build(ctx, build.BuildOptions{}); err != nil {
+				if _, err := c.Build(ctx, buildOptions); err != nil {
 					return err
 				}
 			}

diff --git a/cmd/werf/lint/lint.go b/cmd/werf/lint/lint.go
@@ -113,6 +113,7 @@ func NewCmd(ctx context.Context) *cobra.Command {
 
 	common.SetupRequireBuiltImages(&commonCmdData, cmd)
 	commonCmdData.SetupPlatform(cmd)
+	commonCmdData.SetupBackendNetwork(cmd)
 
 	commonCmdData.SetupSkipImageSpecStage(cmd)
 	commonCmdData.SetupDebugTemplates(cmd)

diff --git a/cmd/werf/plan/plan.go b/cmd/werf/plan/plan.go
@@ -143,6 +143,7 @@ werf plan --repo registry.mydomain.com/web --env production`,
 	common.SetupParallelOptions(&commonCmdData, cmd, common.DefaultBuildParallelTasksLimit)
 	common.SetupRequireBuiltImages(&commonCmdData, cmd)
 	commonCmdData.SetupPlatform(cmd)
+	commonCmdData.SetupBackendNetwork(cmd)
 	common.SetupFollow(&commonCmdData, cmd)
 
 	common.SetupAnnotateLayersWithDmVerityRootHash(&commonCmdData, cmd)

diff --git a/cmd/werf/render/render.go b/cmd/werf/render/render.go
@@ -124,6 +124,7 @@ func NewCmd(ctx context.Context) *cobra.Command {
 	common.SetupELFSigningOptions(&commonCmdData, cmd)
 	common.SetupRequireBuiltImages(&commonCmdData, cmd)
 	commonCmdData.SetupPlatform(cmd)
+	commonCmdData.SetupBackendNetwork(cmd)
 
 	commonCmdData.SetupSkipImageSpecStage(cmd)
 	commonCmdData.SetupDebugTemplates(cmd)

diff --git a/cmd/werf/run/run.go b/cmd/werf/run/run.go
@@ -161,6 +161,7 @@ func NewCmd(ctx context.Context) *cobra.Command {
 	common.SetupVirtualMerge(&commonCmdData, cmd)
 
 	commonCmdData.SetupPlatform(cmd)
+	commonCmdData.SetupBackendNetwork(cmd)
 
 	cmd.Flags().BoolVarP(&cmdData.Shell, "shell", "", false, "Use predefined docker options and command for debug")
 	cmd.Flags().BoolVarP(&cmdData.Bash, "bash", "", false, "Use predefined docker options and command for debug")
@@ -387,7 +388,12 @@ func run(ctx context.Context, containerBackend container_backend.ContainerBacken
 					return err
 				}
 			} else {
-				if _, err := c.Build(ctx, build.BuildOptions{SkipImageMetadataPublication: *commonCmdData.Dev}); err != nil {
+				buildOptions, err := common.GetBuildOptions(ctx, &commonCmdData, werfConfig, imagesToProcess)
+				if err != nil {
+					return err
+				}
+
+				if _, err := c.Build(ctx, buildOptions); err != nil {
 					return err
 				}
 			}

diff --git a/docs/_includes/reference/cli/werf_build.md b/docs/_includes/reference/cli/werf_build.md
@@ -72,6 +72,8 @@ werf build [IMAGE_NAME...] [options]
       --annotate-layers-with-dm-verity-root-hash=false
             Enable annotation of image layers with dm-verity root hash (default                     
             $WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH)
+      --backend-network=""
+            Network mode for the build containers ($WERF_BACKEND_NETWORK or nothing by default)
       --backend-storage-path=""
             Use specified path to the local backend (Docker or Buildah) storage to check backend    
             storage volume usage while performing garbage collection of local backend images        

diff --git a/docs/_includes/reference/cli/werf_bundle_publish.md b/docs/_includes/reference/cli/werf_bundle_publish.md
@@ -59,6 +59,8 @@ werf bundle publish [IMAGE_NAME...] [options]
       --annotate-layers-with-dm-verity-root-hash=false
             Enable annotation of image layers with dm-verity root hash (default                     
             $WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH)
+      --backend-network=""
+            Network mode for the build containers ($WERF_BACKEND_NETWORK or nothing by default)
       --backend-storage-path=""
             Use specified path to the local backend (Docker or Buildah) storage to check backend    
             storage volume usage while performing garbage collection of local backend images        

diff --git a/docs/_includes/reference/cli/werf_compose_config.md b/docs/_includes/reference/cli/werf_compose_config.md
@@ -91,6 +91,8 @@ werf compose config [IMAGE_NAME...] [options] [--docker-compose-options="OPTIONS
       --annotate-layers-with-dm-verity-root-hash=false
             Enable annotation of image layers with dm-verity root hash (default                     
             $WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH)
+      --backend-network=""
+            Network mode for the build containers ($WERF_BACKEND_NETWORK or nothing by default)
       --backend-storage-path=""
             Use specified path to the local backend (Docker or Buildah) storage to check backend    
             storage volume usage while performing garbage collection of local backend images        

diff --git a/docs/_includes/reference/cli/werf_compose_down.md b/docs/_includes/reference/cli/werf_compose_down.md
@@ -84,6 +84,8 @@ werf compose down [IMAGE_NAME...] [options] [--docker-compose-options="OPTIONS"]
       --annotate-layers-with-dm-verity-root-hash=false
             Enable annotation of image layers with dm-verity root hash (default                     
             $WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH)
+      --backend-network=""
+            Network mode for the build containers ($WERF_BACKEND_NETWORK or nothing by default)
       --backend-storage-path=""
             Use specified path to the local backend (Docker or Buildah) storage to check backend    
             storage volume usage while performing garbage collection of local backend images        

diff --git a/docs/_includes/reference/cli/werf_compose_run.md b/docs/_includes/reference/cli/werf_compose_run.md
@@ -81,6 +81,8 @@ werf compose run [IMAGE_NAME...] [options] [--docker-compose-options="OPTIONS"]
       --annotate-layers-with-dm-verity-root-hash=false
             Enable annotation of image layers with dm-verity root hash (default                     
             $WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH)
+      --backend-network=""
+            Network mode for the build containers ($WERF_BACKEND_NETWORK or nothing by default)
       --backend-storage-path=""
             Use specified path to the local backend (Docker or Buildah) storage to check backend    
             storage volume usage while performing garbage collection of local backend images        

diff --git a/docs/_includes/reference/cli/werf_compose_up.md b/docs/_includes/reference/cli/werf_compose_up.md
@@ -87,6 +87,8 @@ werf compose up [IMAGE_NAME...] [options] [--docker-compose-options="OPTIONS"] [
       --annotate-layers-with-dm-verity-root-hash=false
             Enable annotation of image layers with dm-verity root hash (default                     
             $WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH)
+      --backend-network=""
+            Network mode for the build containers ($WERF_BACKEND_NETWORK or nothing by default)
       --backend-storage-path=""
             Use specified path to the local backend (Docker or Buildah) storage to check backend    
             storage volume usage while performing garbage collection of local backend images        

diff --git a/docs/_includes/reference/cli/werf_converge.md b/docs/_includes/reference/cli/werf_converge.md
@@ -88,6 +88,8 @@ werf converge --repo registry.mydomain.com/web --env production
   -R, --auto-rollback=false
             Enable auto rollback of the failed release to the previous deployed release version     
             when current deploy process have failed ($WERF_AUTO_ROLLBACK by default)
+      --backend-network=""
+            Network mode for the build containers ($WERF_BACKEND_NETWORK or nothing by default)
       --backend-storage-path=""
             Use specified path to the local backend (Docker or Buildah) storage to check backend    
             storage volume usage while performing garbage collection of local backend images        

diff --git a/docs/_includes/reference/cli/werf_export.md b/docs/_includes/reference/cli/werf_export.md
@@ -50,6 +50,8 @@ werf export [IMAGE_NAME...] [options]
       --annotate-layers-with-dm-verity-root-hash=false
             Enable annotation of image layers with dm-verity root hash (default                     
             $WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH)
+      --backend-network=""
+            Network mode for the build containers ($WERF_BACKEND_NETWORK or nothing by default)
       --bsign-elf-files=false
             Enable ELF files signing with bsign (default $WERF_BSIGN_ELF_FILES).
             When enabled, the private elf key must be specified with --elf-pgp-private-key-base64   

diff --git a/docs/_includes/reference/cli/werf_helm_get_autogenerated_values.md b/docs/_includes/reference/cli/werf_helm_get_autogenerated_values.md
@@ -29,6 +29,8 @@ werf helm get-autogenerated-values [IMAGE_NAME...] [options]
 ```shell
       --allow-includes-update=false
             Allow use includes latest versions (default $WERF_ALLOW_INCLUDES_UPDATE or false)
+      --backend-network=""
+            Network mode for the build containers ($WERF_BACKEND_NETWORK or nothing by default)
       --build-report-path=""
             Change build report path and format (by default $WERF_BUILD_REPORT_PATH or              
             ".werf-build-report.json" if not set). Extension must be either .json for JSON format   

diff --git a/docs/_includes/reference/cli/werf_kube_run.md b/docs/_includes/reference/cli/werf_kube_run.md
@@ -48,6 +48,8 @@ werf kube-run [options] [IMAGE_NAME] [-- COMMAND ARG...]
             Automatically create docker config secret in the namespace and plug it via pod`s        
             imagePullSecrets for private registry access (default $WERF_AUTO_PULL_SECRET or true if 
             not specified)
+      --backend-network=""
+            Network mode for the build containers ($WERF_BACKEND_NETWORK or nothing by default)
       --bsign-elf-files=false
             Enable ELF files signing with bsign (default $WERF_BSIGN_ELF_FILES).
             When enabled, the private elf key must be specified with --elf-pgp-private-key-base64   

diff --git a/docs/_includes/reference/cli/werf_lint.md b/docs/_includes/reference/cli/werf_lint.md
@@ -39,6 +39,8 @@ werf lint [IMAGE_NAME...] [options]
             $WERF_ADD_LABEL_1=labelName1=labelValue1, $WERF_ADD_LABEL_2=labelName2=labelValue2)
       --allow-includes-update=false
             Allow use includes latest versions (default $WERF_ALLOW_INCLUDES_UPDATE or false)
+      --backend-network=""
+            Network mode for the build containers ($WERF_BACKEND_NETWORK or nothing by default)
       --build-report-path=""
             Change build report path and format (by default $WERF_BUILD_REPORT_PATH or              
             ".werf-build-report.json" if not set). Extension must be either .json for JSON format   

diff --git a/docs/_includes/reference/cli/werf_plan.md b/docs/_includes/reference/cli/werf_plan.md
@@ -80,6 +80,8 @@ werf plan --repo registry.mydomain.com/web --env production
       --annotate-layers-with-dm-verity-root-hash=false
             Enable annotation of image layers with dm-verity root hash (default                     
             $WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH)
+      --backend-network=""
+            Network mode for the build containers ($WERF_BACKEND_NETWORK or nothing by default)
       --backend-storage-path=""
             Use specified path to the local backend (Docker or Buildah) storage to check backend    
             storage volume usage while performing garbage collection of local backend images        

diff --git a/docs/_includes/reference/cli/werf_render.md b/docs/_includes/reference/cli/werf_render.md
@@ -42,6 +42,8 @@ werf render [IMAGE_NAME...] [options]
       --annotate-layers-with-dm-verity-root-hash=false
             Enable annotation of image layers with dm-verity root hash (default                     
             $WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH)
+      --backend-network=""
+            Network mode for the build containers ($WERF_BACKEND_NETWORK or nothing by default)
       --bsign-elf-files=false
             Enable ELF files signing with bsign (default $WERF_BSIGN_ELF_FILES).
             When enabled, the private elf key must be specified with --elf-pgp-private-key-base64   

diff --git a/docs/_includes/reference/cli/werf_run.md b/docs/_includes/reference/cli/werf_run.md
@@ -36,6 +36,8 @@ werf run [options] [IMAGE_NAME] [-- COMMAND ARG...]
       --annotate-layers-with-dm-verity-root-hash=false
             Enable annotation of image layers with dm-verity root hash (default                     
             $WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH)
+      --backend-network=""
+            Network mode for the build containers ($WERF_BACKEND_NETWORK or nothing by default)
       --bash=false
             Use predefined docker options and command for debug
       --bsign-elf-files=false

diff --git a/docs/pages_en/usage/build/process.md b/docs/pages_en/usage/build/process.md
@@ -237,6 +237,39 @@ In this case, werf will compose the following sets to build:
 └ Concurrent builds plan (no more than 5 images at the same time)
 ```
 
+## Network isolation
+
+werf supports configuring the networking mode for the build containers. This allows you to restrict network access during the build process, which can be useful for security or reproducibility.
+
+Network isolation is currently supported only when using the **Docker** container backend. It works for both **Dockerfile** and **Stapel** image syntaxes.
+
+### Configuration
+
+You can specify the network mode in the `werf.yaml` configuration for each image using the `network` parameter:
+
+```yaml
+project: my-project
+configVersion: 1
+---
+image: backend
+dockerfile: Dockerfile
+network: none # network is disabled during the build
+---
+image: frontend
+from: alpine:3.14
+network: host # use host's network
+```
+
+### CLI option
+
+You can also set the network mode globally for the build process using the `--backend-network` CLI option:
+
+```bash
+werf build --backend-network none
+```
+
+The `--backend-network` CLI option has **priority** over the `network` parameter defined in the `werf.yaml` configuration.
+
 ## Using the SSH agent
 
 werf allows using the SSH agent for authentication when accessing remote Git repositories or executing commands in build containers.

diff --git a/docs/pages_ru/usage/build/process.md b/docs/pages_ru/usage/build/process.md
@@ -236,6 +236,39 @@ target: assets
 └ Concurrent builds plan (no more than 5 images at the same time)
 ```
 
+## Сетевая изоляция
+
+werf поддерживает настройку режима сети для сборочных контейнеров. Это позволяет ограничивать доступ к сети во время процесса сборки, что может быть полезно для безопасности или воспроизводимости.
+
+На текущий момент сетевая изоляция поддерживается только при использовании **Docker** в качестве сборочного бэкенда. Она работает как для **Dockerfile**, так и для **Stapel** синтаксисов.
+
+### Конфигурация
+
+Вы можете указать сетевой режим в конфигурации `werf.yaml` для каждого образа с помощью параметра `network`:
+
+```yaml
+project: my-project
+configVersion: 1
+---
+image: backend
+dockerfile: Dockerfile
+network: none # сеть отключена во время сборки
+---
+image: frontend
+from: alpine:3.14
+network: host # использовать сеть хоста
+```
+
+### Опция CLI
+
+Вы также можете установить сетевой режим глобально для процесса сборки с помощью опции CLI `--backend-network`:
+
+```bash
+werf build --backend-network none
+```
+
+Опция CLI `--backend-network` имеет **приоритет** над параметром `network`, определенным в конфигурации `werf.yaml`.
+
 ## Использование SSH-агента
 
 werf позволяет использовать SSH-агент для аутентификации при доступе к удалённым Git-репозиториям или выполнении команд в сборочных контейнерах.