
Commit 132edf3

Amos Mastbaumclaude
andcommitted
fix(openshift): add NetworkPolicy for webhook access in mesh-enrolled namespaces
When ServiceMesh enrolls knative-serving via SMMR, it creates a deny-all NetworkPolicy that blocks API server -> webhook traffic on multi-node clusters. This causes KnativeServing install to fail with webhook timeout errors. On SNC this was masked because all traffic is node-local. Add a NetworkPolicy allowing ingress to webhook pods on port 8443 before creating the Knative CR, so admission webhooks remain reachable regardless of mesh network policies. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 360527f commit 132edf3

1 file changed

Lines changed: 31 additions & 0 deletions


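--- a/pkg/provider/openshift/profile/serverless.go
+++ b/pkg/provider/openshift/profile/serverless.go
@@ -5,6 +5,7 @@ import (
 "time"
 
 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/apiextensions"
+networkingv1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/networking/v1"
 metav1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/meta/v1"
 "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 "k8s.io/apimachinery/pkg/runtime/schema"
@@ -100,6 +101,36 @@ func deployKnativeCR(ctx *pulumi.Context, args *DeployArgs, operatorReady pulumi
 return nil, pulumi.StringOutput{}, err
 }
 
+// When ServiceMesh enrolls this namespace, it creates a deny-all
+// NetworkPolicy that blocks API server → webhook traffic on multi-node
+// clusters. Allow ingress to webhook pods so admission webhooks work.
+if _, err := networkingv1.NewNetworkPolicy(ctx, rn(cr.suffix+"-webhook-np"),
+&networkingv1.NetworkPolicyArgs{
+Metadata: &metav1.ObjectMetaArgs{
+Name: pulumi.Sprintf("allow-webhook-%s", cr.suffix),
+Namespace: pulumi.String(cr.namespace),
+},
+Spec: &networkingv1.NetworkPolicySpecArgs{
+PodSelector: &metav1.LabelSelectorArgs{
+MatchLabels: pulumi.StringMap{"app": pulumi.String("webhook")},
+},
+Ingress: networkingv1.NetworkPolicyIngressRuleArray{
+&networkingv1.NetworkPolicyIngressRuleArgs{
+Ports: networkingv1.NetworkPolicyPortArray{
+&networkingv1.NetworkPolicyPortArgs{
+Port: pulumi.Int(8443),
+Protocol: pulumi.String("TCP"),
+},
+},
+},
+},
+PolicyTypes: pulumi.StringArray{pulumi.String("Ingress")},
+},
+},
+args.k8sOpts(pulumi.DependsOn([]pulumi.Resource{ns}))...); err != nil {
+return nil, pulumi.StringOutput{}, err
+}
+
 // Create the Knative CR
 res, err := apiextensions.NewCustomResource(ctx, rn(cr.suffix),
 &apiextensions.CustomResourceArgs{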
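Review bot: The new ingress rule has no `From` selector, so it admits traffic to port 8443 of `app=webhook` pods from any pod, namespace or IP rather than only from the API server, which is broader than the commit message describes; since the API server is not a pod-selectable peer this may be the intended trade-off, but it should be recorded on the rule, e.g. `// No From selector: the API server is not a pod-selectable peer, so 8443 is open to all sources.`, and narrowed with an ipBlock where the control-plane address range is known. The handle returned by `NewNetworkPolicy` is discarded (`_`), so the Knative CR created just below cannot depend on it and Pulumi may create both concurrently; if the "before creating the Knative CR" ordering from the commit message matters, keep the resource (`np, err := networkingv1.NewNetworkPolicy(...)`) and add `np` to the CR's `DependsOn`. The `app=webhook` selector presumably covers only the main serving webhook; any other admission webhook in the namespace carrying a different `app` label would stay blocked by the mesh deny-all, which is worth confirming against the deployed workloads. `deployKnativeCR` begins and ends outside the hunk.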
