From 1667e6d394c329c3f806783029abe3c5db78b448 Mon Sep 17 00:00:00 2001
From: Greg Sheremeta
Date: Wed, 16 Oct 2024 18:41:23 -0400
Subject: [PATCH] fix: add NetworkPolicy for DSP apiserver pod self traffic

The DSP apiserver implements TLS by relying on the OpenShift service cert signer. In order to get this to work nicely with our openshift-oauth sidecar, we set the Kubernetes service as the upstream for the oauth container. This means that all incoming traffic to DSP goes like this:

`client -> DSP service -> DSP oauth -> DSP service -> DSP apiserver`

DSP oauth and DSP apiserver are in the same pod. We haven't explicitly created a NetworkPolicy to allow that, but it works on AWS and OpenStack-based clusters. For some yet to be determined reason, it doesn't work on IBM / Calico / Secure-By-Default clusters.

Add a NetworkPolicy entry to allow the DSP pod to talk to itself on 8888 and 8887. This fixes the issue where DSP(oauth) can't talk to DSP(apiserver) via the service (that fronts both containers / the pod).

Fixes: https://issues.redhat.com/browse/RHOAIENG-14571

Signed-off-by: Greg Sheremeta
---
 config/internal/common/argo/policy.yaml.tmpl | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/config/internal/common/argo/policy.yaml.tmpl b/config/internal/common/argo/policy.yaml.tmpl
index 5ee84d287..8478dd296 100644
--- a/config/internal/common/argo/policy.yaml.tmpl
+++ b/config/internal/common/argo/policy.yaml.tmpl
@@ -29,6 +29,10 @@ spec:
 - namespaceSelector:
 matchLabels:
 kubernetes.io/metadata.name: redhat-ods-monitoring
+ - podSelector:
+ matchLabels:
+ app: ds-pipeline-{{.Name}}
+ component: data-science-pipelines
 - podSelector:
 matchLabels:
 app: mariadb-{{.Name}}
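Review bot: The added `podSelector` entry carries no port restriction of its own, so it grants the matched pods access on every port the enclosing ingress rule lists; the commit message says 8888 and 8887, but the rule's `ports:` (and the `ingress`/`from` list this entry sits in) begin and end outside the hunk, so confirm the entry landed under the rule that is limited to those two ports rather than a port-unrestricted one. Note also that a `podSelector` without a `namespaceSelector` matches only pods in the policy's own namespace, which is the intended scope here, but any pod in that namespace carrying `app: ds-pipeline-{{.Name}}` and `component: data-science-pipelines` labels will be admitted, not just this pod. Since the policy presumably selects the same labels it now allows ingress from, a later reader is likely to see the entry as redundant and remove it; a comment above the new `- podSelector:` line would prevent that: `# Self-traffic: the oauth sidecar reaches the apiserver container via the Service, which on some clusters is evaluated as pod-to-pod ingress (RHOAIENG-14571).`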