
fix(manifests): add NetworkPolicy allowing runner pods to reach CP token server #1215

Merged

markturansky merged 1 commit into alpha from fix/cp-token-server-netpol on Apr 5, 2026

Conversation

@markturansky markturansky (Contributor) commented Apr 5, 2026

Summary

  • Adds ambient-cp-token-netpol.yaml: NetworkPolicy in the CP namespace allowing runner pods (any namespace with tenant.paas.redhat.com/tenant: ambient-code) to call the CP token server on port 8080
  • Namespace placeholder is ambient-code--runtime-int; actual spoke namespace is patched by the GitOps config repo

Context

Runner pods were crashing with "CP token endpoint unreachable after 3 attempts" because the internal-1 NetworkPolicy in the CP namespace blocks cross-namespace ingress by default. This NetworkPolicy was applied manually as a hotfix, and this PR adds it to the manifests.

Test plan

  • Deploy to spoke and confirm runner pods can reach CP_TOKEN_URL on startup
  • Confirm acpctl session events $id streams without 502

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Infrastructure
    • Implemented network security policies for control plane components to enforce strict access controls, restricting inbound traffic to authorized namespaces on designated ports.
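The policy the PR describes, written out as an added illustration; this is not the repository's own ambient-cp-token-netpol.yaml, and the label selecting the token server pod is an assumption because the page does not name it.

```yaml
# Added illustration reconstructing the NetworkPolicy described in the PR.
# Not the repository's ambient-cp-token-netpol.yaml; the pod label is assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-runner-token-fetch
  # Placeholder per the PR; the GitOps config repo patches the real spoke namespace.
  namespace: ambient-code--runtime-int
spec:
  # ASSUMPTION: label of the CP token server pod. An empty podSelector ({})
  # would instead open port 8080 on every pod in the CP namespace.
  podSelector:
    matchLabels:
      app: ambient-cp-token-server   # hypothetical label
  policyTypes:
    - Ingress
  ingress:
    - from:
        # A single `from` entry with only a namespaceSelector: any pod in a
        # namespace carrying the tenant label may connect, not just runners.
        # A podSelector placed inside this same entry is ANDed with it and
        # narrows access; placed as a separate list entry it is ORed and widens it.
        - namespaceSelector:
            matchLabels:
              tenant.paas.redhat.com/tenant: ambient-code
      ports:
        - protocol: TCP
          port: 8080
```

NetworkPolicies are additive, so this allow rule coexists with the restrictive internal-1 policy rather than replacing it; `kubectl describe networkpolicy allow-runner-token-fetch -n <cp-namespace>` shows the effective rule as the cluster sees it.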

coderabbitai bot (Contributor) commented Apr 5, 2026

Caution

Review failed

The pull request is closed.

📥 Commits

Reviewing files that changed from the base of the PR and between 68f239c and 57510c5.

📒 Files selected for processing (2)
  • components/manifests/overlays/mpp-openshift/ambient-cp-token-netpol.yaml
  • components/manifests/overlays/mpp-openshift/kustomization.yaml


Walkthrough

Added a NetworkPolicy manifest controlling ingress traffic to the ambient control plane pod, restricting access to TCP port 8080 from tenant-labeled namespaces. Registered the new manifest in the kustomization overlay resources list.

Changes

  • NetworkPolicy Manifest (components/manifests/overlays/mpp-openshift/ambient-cp-token-netpol.yaml): New allow-runner-token-fetch NetworkPolicy in the ambient-code--runtime-int namespace restricting ingress on port 8080 to pods from tenant-labeled namespaces.
  • Kustomization Config (components/manifests/overlays/mpp-openshift/kustomization.yaml): Added ambient-cp-token-netpol.yaml to the resources list for overlay inclusion.

@markturansky markturansky merged commit f5f7516 into alpha Apr 5, 2026
26 checks passed
@markturansky markturansky deleted the fix/cp-token-server-netpol branch April 5, 2026 00:36