diff --git a/pkg/cmd/options/network.go b/pkg/cmd/options/network.go
index 5ba6d055..fe0f8ea7 100644
--- a/pkg/cmd/options/network.go
+++ b/pkg/cmd/options/network.go
@@ -35,6 +35,7 @@ type NetworkOptions struct {
 ClientCertPath string
 ClientCertKeyPath string
 Concurrency int
+ Proxy string
 }

 func (o *NetworkOptions) AddNetworkFlags(cmd *cobra.Command) {
@@ -45,6 +46,7 @@ func (o *NetworkOptions) AddNetworkFlags(cmd *cobra.Command) {
 cmd.Flags().StringVar(&o.ClientCertKeyPath, "key", "", fmt.Sprintf("Path to client certificate key used for authentication (can also be set via environment variable %s)", constants.ClientCertKeyEnvVar))
 cmd.Flags().IntVar(&o.Concurrency, "concurrency", 5, "Maximum number of simultaneous uploads/downloads")
+ cmd.Flags().StringVar(&o.Proxy, "proxy", "", "Proxy to use for connections (overrides proxy set by environment)")
 }

 func (o *NetworkOptions) Complete(ctx context.Context, args []string) error {
diff --git a/pkg/lib/network/auth.go b/pkg/lib/network/auth.go
index 6202c607..1329bb24 100644
--- a/pkg/lib/network/auth.go
+++ b/pkg/lib/network/auth.go
@@ -20,6 +20,7 @@ import (
 "crypto/tls"
 "fmt"
 "net/http"
+ "net/url"

 "kitops/pkg/cmd/options"
 "kitops/pkg/lib/constants"
@@ -53,6 +54,13 @@ func ClientWithAuth(store credentials.Store, opts *options.NetworkOptions) (*aut
 func DefaultClient(opts *options.NetworkOptions) (*auth.Client, error) {
 transport := http.DefaultTransport.(*http.Transport).Clone()
 transport.TLSClientConfig.InsecureSkipVerify = !opts.TLSVerify
+ if opts.Proxy != "" {
+ proxyURL, err := url.Parse(opts.Proxy)
+ if err != nil {
+ return nil, fmt.Errorf("invalid proxy URL: %w", err)
+ }
+ transport.Proxy = http.ProxyURL(proxyURL)
+ }
 if opts.ClientCertKeyPath != "" && opts.ClientCertPath != "" {
 cert, err := tls.LoadX509KeyPair(opts.ClientCertPath, opts.ClientCertKeyPath)
 if err != nil {
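Review bot: The help text for the new `--proxy` flag in AddNetworkFlags does not say what form the value takes or how it interacts with `NO_PROXY`. DefaultClient installs the value with `http.ProxyURL`, which returns the same proxy for every request, so exclusions configured in the environment stop applying once the flag is set and traffic to internal registries would go through the proxy as well. I would state that in the description, e.g. `"Proxy URL for all connections, e.g. http://host:port (overrides HTTP_PROXY/HTTPS_PROXY; NO_PROXY is not consulted)"`. A value carrying `user:password@` is also visible in the process list and shell history, which is worth a sentence in the user documentation.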
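Review bot: `url.Parse` accepts much more than a usable proxy address, so the new check in DefaultClient only rejects syntactically broken input: a value without a scheme such as `proxy.example:8080` parses without error and with an empty Host, and the failure then surfaces later, presumably at connection time, with a far less helpful message. I would require a scheme that http.Transport supports and a non-empty host before calling `http.ProxyURL`. The wrapped `*url.Error` also quotes the raw input, so a proxy URL with userinfo that fails to parse puts its password into the error output; the fence returns a fixed message instead. The context line `transport.TLSClientConfig.InsecureSkipVerify = !opts.TLSVerify` governs the TLS session to an `https://` proxy too, so turning verification off also leaves the proxy hop unauthenticated. DefaultClient's body continues past the end of the hunk.

```go
	if opts.Proxy != "" {
		proxyURL, err := url.Parse(opts.Proxy)
		if err != nil {
			// Do not wrap err: *url.Error quotes the raw input, including any userinfo.
			return nil, fmt.Errorf("invalid proxy URL: could not be parsed")
		}
		switch proxyURL.Scheme {
		case "http", "https", "socks5", "socks5h":
		default:
			return nil, fmt.Errorf("invalid proxy URL: unsupported scheme %q", proxyURL.Scheme)
		}
		if proxyURL.Host == "" {
			return nil, fmt.Errorf("invalid proxy URL: missing host")
		}
		// … unchanged: transport.Proxy assignment and closing brace …
```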