fix(vd): allow ingress from virtualization namespace to importer pods (#2356)

When a namespace has a restrictive NetworkPolicy (e.g. project isolation),
the CDI controller from d8-virtualization cannot reach importer pods to
fetch progress metrics via HTTP. As a result, DataVolume.Status.Progress
stays N/A and VirtualDisk shows no intermediate progress.

Add an Ingress rule to the NetworkPolicy created for importer/DVCR pods,
allowing incoming traffic from the namespace labeled module=virtualization.
This enables the CDI controller to scrape progress metrics from importer
pods even in isolated namespaces.

Signed-off-by: Pavel Tishkov <pavel.tishkov@flant.com>

Author: fl64

images/virtualization-artifact/pkg/common/network_policy/network_policy.go

@@ -52,8 +52,21 @@ func CreateNetworkPolicy(ctx context.Context, c client.Client, obj metav1.Object
 					},
 				},
 			},
+			Ingress: []netv1.NetworkPolicyIngressRule{
+				{
+					From: []netv1.NetworkPolicyPeer{
+						{
+							NamespaceSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"module": "virtualization",
+								},
+							},
+						},
+					},
+				},
+			},
 			Egress:      []netv1.NetworkPolicyEgressRule{{}},
-			PolicyTypes: []netv1.PolicyType{netv1.PolicyTypeEgress},
+			PolicyTypes: []netv1.PolicyType{netv1.PolicyTypeIngress, netv1.PolicyTypeEgress},
 		},
 	}