From 6deb39dc737ae768e2f3f05ba252d5358b867e55 Mon Sep 17 00:00:00 2001
From: Markus Wennrich
Date: Fri, 9 Jan 2026 13:48:36 +0100
Subject: [PATCH] Add gardener network-policy labels to controller gardener v1.22 adds a deny-all rule to kube-system for clusters >= k8s 1.33, which requires all pods to have the appropriate networking labels.
---
 controllers/resources.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/controllers/resources.go b/controllers/resources.go
index 111ea3b..ea77921 100644
--- a/controllers/resources.go
+++ b/controllers/resources.go
@@ -966,7 +966,13 @@ func (r *DurosReconciler) deployCSI(ctx context.Context, projectID string, scs [
 },
 }
 op, err := controllerutil.CreateOrUpdate(ctx, r.Shoot, sts, func() error {
- controllerRoleLabels := map[string]string{"app": "lb-csi-plugin", "role": "controller", "gardener.cloud/role": "system-component"}
+ controllerRoleLabels := map[string]string{
+ "app": "lb-csi-plugin",
+ "role": "controller",
+ "gardener.cloud/role": "system-component",
+ "networking.gardener.cloud/to-apiserver": "allowed",
+ "networking.gardener.cloud/to-dns": "allowed",
+ }
 containers := []corev1.Container{
 csiPluginContainer,
 csiProvisionerContainer,
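Review bot: Adding the two `networking.gardener.cloud/*` keys to `controllerRoleLabels` will make the update of an already deployed StatefulSet fail if that map is also used for `Spec.Selector.MatchLabels`, because a StatefulSet selector is immutable. The hunk does not show where the map is consumed and `deployCSI` continues outside it, so this needs checking against the rest of the mutate function. If it is the case, keep the selector on the stable identity labels (`app`, `role`) and put the network-policy labels only on the pod template metadata. It is also worth confirming that the plugin container needs no egress beyond the API server and DNS (for example to the storage backend) once the deny-all rule applies. A short comment above the map, such as `// to-apiserver/to-dns: needed under gardener's kube-system deny-all policy; keep this allow-list minimal`, would help keep later additions least-privilege.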