Open
Description
The layer7 controller is unable to update a Gateway with a new Repository commit:
```
{
  "level": "info",
  "ts": "2025-04-25T04:52:21.590505746Z",
  "logger": "controllers.Gateway",
  "msg": "failed to apply latest commit",
  "gateway": {
    "name": "ssg",
    "namespace": "XXX"
  },
  "repo": "local-reference-repository",
  "directory": "/",
  "commit": "6a3f679c70743f193e67a9cc063fe796cd19d0f4",
  "pod": "ssg-6775569689-mtk5n",
  "name": "ssg",
  "namespace": "XXX"
}
{
  "level": "info",
  "ts": "2025-04-25T04:52:21.590644847Z",
  "logger": "controllers.Gateway",
  "msg": "failed to apply commit",
  "gateway": {
    "name": "ssg",
    "namespace": "XXX"
  },
  "name": "ssg",
  "namespace": "XXX",
  "error": "Post \"https://10.131.26.74:9443/graphman\": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"
}
```

We figured out the issue: it is because in our cluster all application namespaces have a default-deny ingress policy (required by our organisation). Is it possible for the layer7-operator to automatically create an allow policy? For example, the people behind the Istio operator have this automated, which works in our setup.
An example policy could be:
```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-layer7
  namespace: <NAMESPACE-OF-GATEWAY>
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/managed-by: layer7-operator
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: <NAMESPACE-OF-LAYER7-OPERATOR>
  policyTypes:
    - Ingress
```

The above NetworkPolicy fixes our issue, but it would be great if this is built into the operator.
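
The following is an added example, not part of the issue and not layer7-operator code: a simplified evaluator of NetworkPolicy ingress semantics showing why the default-deny policy blocks the operator's Graphman call on port 9443 and how the allow policy above, and a port-limited variant of it, change the result. The namespace name `layer7-operator-system`, the policy names `default-deny-ingress` and `allow-layer7-9443`, and all sample objects are constructed assumptions.

```python
# Added example: simplified NetworkPolicy ingress evaluation. Models matchLabels
# only (no matchExpressions, ipBlock or named ports) and assumes TCP traffic.

def labels_match(selector, labels):
    """An empty selector ({}) matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def peer_matches(peer, src_ns_labels, src_pod_labels):
    # Cross-namespace source: a peer without namespaceSelector (or with ipBlock)
    # only covers the policy's own namespace or IP ranges, so it cannot match here.
    if "namespaceSelector" not in peer:
        return False
    return (labels_match(peer["namespaceSelector"], src_ns_labels)
            and labels_match(peer.get("podSelector"), src_pod_labels))

def ingress_allowed(policies, dst_pod_labels, src_ns_labels, src_pod_labels, port):
    """Return (allowed, name of the deciding policy or a reason string)."""
    selecting = [p for p in policies
                 if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and labels_match(p["spec"].get("podSelector"), dst_pod_labels)]
    if not selecting:
        return True, "pod not isolated for ingress"
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            peers, ports = rule.get("from", []), rule.get("ports", [])
            peer_ok = not peers or any(peer_matches(x, src_ns_labels, src_pod_labels) for x in peers)
            port_ok = not ports or any(pt.get("port") in (None, port) for pt in ports)
            if peer_ok and port_ok:
                return True, p["metadata"]["name"]
    return False, "isolated, no matching allow rule"

# Constructed sample objects; "layer7-operator-system" is a placeholder namespace name.
OPERATOR_NS = {"kubernetes.io/metadata.name": "layer7-operator-system"}
GATEWAY_POD = {"app.kubernetes.io/managed-by": "layer7-operator"}
DEFAULT_DENY = {"metadata": {"name": "default-deny-ingress"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
ALLOW_LAYER7 = {"metadata": {"name": "allow-layer7"}, "spec": {
    "podSelector": {"matchLabels": GATEWAY_POD}, "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"namespaceSelector": {"matchLabels": OPERATOR_NS}}]}]}}
# Variant that additionally limits the rule to the Graphman port seen in the log.
ALLOW_9443 = {"metadata": {"name": "allow-layer7-9443"}, "spec": {
    "podSelector": {"matchLabels": GATEWAY_POD}, "policyTypes": ["Ingress"],
    "ingress": [{"from": ALLOW_LAYER7["spec"]["ingress"][0]["from"],
                 "ports": [{"protocol": "TCP", "port": 9443}]}]}}

if __name__ == "__main__":
    for name, pols in [("deny only", [DEFAULT_DENY]), ("issue policy", [DEFAULT_DENY, ALLOW_LAYER7]),
                       ("port-limited", [DEFAULT_DENY, ALLOW_9443])]:
        print(name, [ingress_allowed(pols, GATEWAY_POD, OPERATOR_NS, {}, p) for p in (9443, 8080)])
```

The policy from the issue has no `ports` list, so it admits traffic from the operator namespace on every port of the selected pods; the port-limited variant admits only 9443.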