
fix(gateway): [3.4] add egress rules to kube-auth-proxy NetworkPolicy for OCP 4.22#32266

Open
ugiordan wants to merge 1 commit into rhoai-3.4 from cherry-pick/rhoai-3.4/kube-auth-proxy-np-egress

Conversation

@ugiordan ugiordan commented Jun 23, 2026

Description

Jira: RHOAIENG-70137

Cherry-pick of opendatahub-io/opendatahub-operator#3682 for rhoai-3.4 backport.

OCP 4.22 introduced a default-deny NetworkPolicy in the openshift-ingress namespace (NE-2501). The kube-auth-proxy NetworkPolicy only defined ingress rules, so egress is blocked, preventing oauth-proxy from reaching the Kubernetes API server for OAuth discovery. Every RHOAI deployment from 3.0 onward returns 403 Forbidden on OCP 4.22.

Fix: add Egress to policyTypes and an allow-all egress rule to the kube-auth-proxy NetworkPolicy template.

Related PRs

…CP 4.22

OCP 4.22 introduced a deny-all NetworkPolicy (NE-2501) in the
openshift-ingress namespace that blocks both ingress and egress by
default. The kube-auth-proxy NetworkPolicy only defined ingress rules,
so egress was blocked, preventing the oauth-proxy from reaching the
Kubernetes API server for OAuth discovery. This caused RHOAI dashboards
to return 403 Forbidden on any OCP 4.22 cluster.

Add Egress to policyTypes and an allow-all egress rule, matching the
pattern used by OCP's own components in the same namespace
(router-default, data-science-gateway-allow, istiod-allow). Allow-all
egress is required because kube-auth-proxy needs to reach the API
server, DNS, and in OIDC mode, arbitrary external identity providers.

Jira: RHOAIENG-70137

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
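The description and commit message above rest on one property of NetworkPolicy: policies are additive, so an ingress-only policy neither isolates nor opens egress, and once any policy selecting a pod declares `Egress`, the pod gets only the egress that some selecting policy explicitly allows. The added example below (not code from this PR or from opendatahub-operator) models that evaluation for the three states that matter here: the ingress-only policy under the OCP 4.22 default-deny, the fixed policy with `Egress` in `policyTypes` plus the empty rule `{}` (allow all), and the common trap of declaring `Egress` with an empty `egress: []` list, which isolates and allows nothing. A fourth, cluster-CIDR-only variant shows why the commit says allow-all is needed when an external OIDC provider must be reachable. The pod label `app: kube-auth-proxy`, the listen port 8443, the service CIDR 172.30.0.0/16, the API server IP and the IdP address are constructed assumptions, not values from the page; only `matchLabels` selectors and `ipBlock` peers are modeled.

```python
"""Minimal model of Kubernetes NetworkPolicy egress evaluation (added example;
not the operator's code). Policies are Python dicts mirroring YAML manifests."""
import ipaddress

# Constructed approximation of the NE-2501 default-deny policy in openshift-ingress:
# selects every pod, declares both policy types, carries no allow rules.
DEFAULT_DENY = {
    "metadata": {"name": "default-deny", "namespace": "openshift-ingress"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}

# Assumed label and listen port for kube-auth-proxy (not taken from the operator).
_KAP_SELECTOR = {"matchLabels": {"app": "kube-auth-proxy"}}
_KAP_INGRESS = [{"ports": [{"protocol": "TCP", "port": 8443}]}]


def kube_auth_proxy_policy(egress=None, policy_types=("Ingress",)):
    """Build a kube-auth-proxy NetworkPolicy variant with the given egress stanza."""
    spec = {"podSelector": _KAP_SELECTOR, "policyTypes": list(policy_types),
            "ingress": _KAP_INGRESS}
    if egress is not None:
        spec["egress"] = egress
    return {"metadata": {"name": "kube-auth-proxy", "namespace": "openshift-ingress"},
            "spec": spec}


# Before the fix: Ingress only. Additive policies mean this neither isolates nor
# opens egress, so DEFAULT_DENY keeps egress blocked.
KAP_BEFORE = kube_auth_proxy_policy()
# After the fix: Egress declared plus one empty rule {}, which permits all egress.
KAP_AFTER = kube_auth_proxy_policy(egress=[{}], policy_types=("Ingress", "Egress"))
# The trap: Egress declared with an empty list isolates the pod and allows nothing.
KAP_EMPTY_EGRESS = kube_auth_proxy_policy(egress=[], policy_types=("Ingress", "Egress"))
# Restricted variant: only the assumed service CIDR on 443; external IdPs unreachable.
KAP_CLUSTER_ONLY = kube_auth_proxy_policy(
    egress=[{"to": [{"ipBlock": {"cidr": "172.30.0.0/16"}}],
             "ports": [{"protocol": "TCP", "port": 443}]}],
    policy_types=("Ingress", "Egress"))

KAP_LABELS = {"app": "kube-auth-proxy"}
API_SERVER = ("172.30.0.1", 443)      # assumed kubernetes.default service IP
EXTERNAL_IDP = ("203.0.113.10", 443)  # documentation-range address standing in for an OIDC IdP


def selects(selector, labels):
    """podSelector match; only matchLabels is modeled (matchExpressions omitted)."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(spec):
    """policyTypes with the API default: Ingress always, Egress only if egress rules exist."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def _peer_matches(peer, dst_ip):
    """Only ipBlock peers are modeled; pod/namespace selector peers count as no match."""
    block = peer.get("ipBlock")
    if not block:
        return False
    ip = ipaddress.ip_address(dst_ip)
    if ip not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(ip in ipaddress.ip_network(ex) for ex in block.get("except", []))


def _port_matches(port_spec, dst_port, protocol):
    if port_spec.get("protocol", "TCP") != protocol:
        return False
    low = port_spec.get("port")
    if low is None:
        return True  # protocol-only entry matches every port
    return low <= dst_port <= port_spec.get("endPort", low)


def rule_allows(rule, dst_ip, dst_port, protocol="TCP"):
    """No `to` matches every destination, no `ports` every port: {} allows all egress."""
    peers, ports = rule.get("to") or [], rule.get("ports") or []
    peer_ok = not peers or any(_peer_matches(p, dst_ip) for p in peers)
    port_ok = not ports or any(_port_matches(p, dst_port, protocol) for p in ports)
    return peer_ok and port_ok


def egress_allowed(policies, pod_labels, dst_ip, dst_port, protocol="TCP"):
    """True if a pod carrying pod_labels may send to dst_ip:dst_port under policies.
    The pod is isolated for egress once any policy selecting it declares Egress;
    traffic then needs a matching egress rule in at least one of those policies."""
    isolating = [p["spec"] for p in policies
                 if selects(p["spec"]["podSelector"], pod_labels)
                 and "Egress" in policy_types(p["spec"])]
    if not isolating:
        return True  # pre-4.22 situation: nothing isolates the pod for egress
    return any(rule_allows(r, dst_ip, dst_port, protocol)
               for spec in isolating for r in spec.get("egress") or [])


if __name__ == "__main__":
    for name, pols in [("before", [DEFAULT_DENY, KAP_BEFORE]), ("after", [DEFAULT_DENY, KAP_AFTER]),
                       ("empty-egress", [DEFAULT_DENY, KAP_EMPTY_EGRESS]),
                       ("cluster-only", [DEFAULT_DENY, KAP_CLUSTER_ONLY])]:
        print(name, "api-server:", egress_allowed(pols, KAP_LABELS, *API_SERVER),
              "external-idp:", egress_allowed(pols, KAP_LABELS, *EXTERNAL_IDP))
```

On a live cluster the same distinction is visible with `oc get networkpolicy -n openshift-ingress kube-auth-proxy -o jsonpath='{.spec.policyTypes}{"\n"}{.spec.egress}'`: the fixed policy must show `Egress` in the first list and a non-empty `egress` list containing `{}` (rendered as `[map[]]` by jsonpath), while `[]` there reproduces the deny.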

@grdryn grdryn left a comment

/lgtm

Approving from core platform team perspective. I guess this can be merged if/when it's an approved blocker in Jira.
