From 6f3719ca9e5ca361327087ad8eb187ba91da95ac Mon Sep 17 00:00:00 2001
From: Pavel Tishkov
Date: Fri, 22 May 2026 14:00:59 +0300
Subject: [PATCH] fix(upload): allow console access to uploaders

Allow generated uploader NetworkPolicies to accept traffic from console and ingress namespaces so image uploads work in projects with default-deny policies.
---
 .../common/network_policy/network_policy.go | 27 ++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/images/virtualization-artifact/pkg/common/network_policy/network_policy.go b/images/virtualization-artifact/pkg/common/network_policy/network_policy.go
index 43834c7318..f36107e54c 100644
--- a/images/virtualization-artifact/pkg/common/network_policy/network_policy.go
+++ b/images/virtualization-artifact/pkg/common/network_policy/network_policy.go
@@ -29,6 +29,10 @@ import (
 "github.com/deckhouse/virtualization-controller/pkg/controller/supplements"
 )
 
+const (
+ moduleNamespaceLabelName = "module"
+)
+
 func CreateNetworkPolicy(ctx context.Context, c client.Client, obj metav1.Object, sup supplements.DataVolumeSupplement, finalizer string) error {
 npName := sup.NetworkPolicy()
 networkPolicy := netv1.NetworkPolicy{
@@ -52,8 +56,29 @@ func CreateNetworkPolicy(ctx context.Context, c client.Client, obj metav1.Object
 },
 },
 },
+ Ingress: []netv1.NetworkPolicyIngressRule{
+ {
+ From: []netv1.NetworkPolicyPeer{
+ {
+ NamespaceSelector: &metav1.LabelSelector{
+ MatchExpressions: []metav1.LabelSelectorRequirement{
+ {
+ Key: moduleNamespaceLabelName,
+ Operator: metav1.LabelSelectorOpIn,
+ Values: []string{
+ "console",
+ "ingress-nginx",
+ "virtualization",
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
 Egress: []netv1.NetworkPolicyEgressRule{{}},
- PolicyTypes: []netv1.PolicyType{netv1.PolicyTypeEgress},
+ PolicyTypes: []netv1.PolicyType{netv1.PolicyTypeIngress, netv1.PolicyTypeEgress},
 },
 }
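Review bot: The new `Ingress` rule in the second hunk has no `Ports` list and its peer carries only a `NamespaceSelector`, so every pod in any namespace labelled `module` with `console`, `ingress-nginx` or `virtualization` can reach every port of the pods this policy selects. If only the uploader's listening port has to be reachable, add a `Ports: []netv1.NetworkPolicyPort{...}` entry to the rule (the port is not visible in this diff) and consider a `PodSelector` in the same peer to narrow the sources to the console and ingress-controller pods. The selector trusts the bare `module` label key declared in the first hunk, which is only safe if namespace labels can be set by cluster administrators alone; a short comment on `moduleNamespaceLabelName` saying who applies that label would make the assumption reviewable. Adding `netv1.PolicyTypeIngress` also turns an egress-only policy into one that restricts ingress for the selected pods, so in namespaces without a default-deny policy it closes access that was previously open. `CreateNetworkPolicy` starts and ends outside the hunks, so check its pod selector to confirm the rule lands only on uploader pods and not on other pods created through the same `DataVolumeSupplement` path.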