The layer7 controller is unable to update a Gateway with a new Repository commit:
```json
{
  "level": "info",
  "ts": "2025-04-25T04:52:21.590505746Z",
  "logger": "controllers.Gateway",
  "msg": "failed to apply latest commit",
  "gateway": {
    "name": "ssg",
    "namespace": "XXX"
  },
  "repo": "local-reference-repository",
  "directory": "/",
  "commit": "6a3f679c70743f193e67a9cc063fe796cd19d0f4",
  "pod": "ssg-6775569689-mtk5n",
  "name": "ssg",
  "namespace": "XXX"
}
{
  "level": "info",
  "ts": "2025-04-25T04:52:21.590644847Z",
  "logger": "controllers.Gateway",
  "msg": "failed to apply commit",
  "gateway": {
    "name": "ssg",
    "namespace": "XXX"
  },
  "name": "ssg",
  "namespace": "XXX",
  "error": "Post \"https://10.131.26.74:9443/graphman\": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"
}
```
We figured out the issue: it is because in our cluster all application namespaces have a default-deny ingress policy (required by our organisation). Is it possible for the layer7-operator to automatically create an allow policy? For example, the people behind the Istio operator have this automated, which works in our setup.
An example policy could be:
```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-layer7
  namespace: <NAMESPACE-OF-GATEWAY>
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/managed-by: layer7-operator
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: <NAMESPACE-OF-LAYER7-OPERATOR>
  policyTypes:
    - Ingress
```
The above NetworkPolicy fixes our issue, but it would be great if this is built into the operator.
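
A narrower variant of the policy above, as an added example that is not part of the original issue or the operator's own manifests: it limits the allowed ingress to TCP 9443, the Graphman port seen in the error log. It assumes the operator needs no other port on the Gateway pods; the policy name `allow-layer7-graphman` is hypothetical.

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-layer7-graphman        # hypothetical name
  namespace: <NAMESPACE-OF-GATEWAY>
spec:
  # Same target pods as the policy in the issue.
  podSelector:
    matchLabels:
      app.kubernetes.io/managed-by: layer7-operator
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Only pods in the operator's namespace may connect.
        # Adding a podSelector to this same list element (not as a new
        # "- podSelector" element) would AND it with the namespace match
        # and narrow the source to the operator pods themselves.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: <NAMESPACE-OF-LAYER7-OPERATOR>
      # Without a "ports" list, every port on the selected pods is opened
      # to the operator namespace. The failing request in the log was
      # POST https://<pod-ip>:9443/graphman, so only that port is allowed.
      ports:
        - protocol: TCP
          port: 9443
```

NetworkPolicies are additive, so this sits alongside the namespace's default-deny policy without modifying it.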