From 5d119d0af71efd12de0d711692c72d81d7ffac7f Mon Sep 17 00:00:00 2001
From: ian-flores
Date: Tue, 3 Feb 2026 17:59:14 -0800
Subject: [PATCH] Fix flightdeck Calico NetworkPolicy for SAMESITE network trust
Add missing ingress rules (traefik and alloy on port 8080) and egress rule to Kubernetes API server (port 443) for flightdeck pods. Fixes pod failures in clusters with restrictive network policies like duplicado03-staging.
---
 .../ptd/pulumi_resources/network_policies.py | 37 ++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/python-pulumi/src/ptd/pulumi_resources/network_policies.py b/python-pulumi/src/ptd/pulumi_resources/network_policies.py
index 7b0e13e..1cb3021 100644
--- a/python-pulumi/src/ptd/pulumi_resources/network_policies.py
+++ b/python-pulumi/src/ptd/pulumi_resources/network_policies.py
@@ -214,11 +214,46 @@ def _define_flightdeck_policy(self) -> None:
 },
 "spec": {
 "selector": "app.kubernetes.io/managed-by == 'team-operator' && app.kubernetes.io/name == 'flightdeck'",
+ "types": ["Ingress", "Egress"],
+ "ingress": [
+ # Allow ingress from Traefik (web traffic)
+ {
+ "action": "Allow",
+ "protocol": "TCP",
+ "source": {
+ "namespaceSelector": "projectcalico.org/name == 'traefik'",
+ },
+ "destination": {
+ "ports": [8080],
+ },
+ },
+ # Allow ingress from Alloy (metrics/monitoring)
+ {
+ "action": "Allow",
+ "protocol": "TCP",
+ "source": {
+ "namespaceSelector": "projectcalico.org/name == 'alloy'",
+ },
+ "destination": {
+ "ports": [8080],
+ },
+ },
+ ],
 "egress": [
+ # Allow access to Kubernetes API server (service CIDR and VPC endpoints)
+ {
+ "action": "Allow",
+ "protocol": "TCP",
+ "destination": {
+ "nets": ["10.0.0.0/8", "172.16.0.0/12"],
+ "ports": [443],
+ },
+ },
+ # Allow access to kube-system for DNS and other cluster services
 {
 "action": "Allow",
 "destination": {"namespaceSelector": "projectcalico.org/name == 'kube-system'"},
- }
+ },
 ],
 },
 }
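Review bot: The new egress rule intended for the Kubernetes API server allows TCP/443 to all of `10.0.0.0/8` and `172.16.0.0/12`, which is far broader than an API endpoint or service CIDR and lets flightdeck pods reach any HTTPS service on those ranges, undercutting the restrictive policy the commit is fixing. The comment says "service CIDR and VPC endpoints", so the intended destinations appear to be known; pin them, e.g. `"nets": ["<API_SERVER_SERVICE_CIDR>", "<API_SERVER_ENDPOINT_CIDR>"],` with the real values substituted, or use Calico's `services` destination selector for the `kubernetes` Service in `default` if the cluster's Calico version supports it. A short comment naming which endpoint each CIDR corresponds to would also let the rule be audited later without guessing. `_define_flightdeck_policy` begins before this hunk.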