From 5c6a9d3bfeef39eb13d743b69da19ab95f57d497 Mon Sep 17 00:00:00 2001 From: Matthew Knop Date: Mon, 11 May 2026 13:15:13 -0600 Subject: [PATCH] feat: add NetworkPolicy to allow runner pod ingress MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add NetworkPolicy to deploy templates allowing ingress traffic from runner pods to backend-api. This resolves connectivity issues where runner pods in user namespaces cannot reach backend-service due to default-deny NetworkPolicies. The NetworkPolicy: - Targets backend-api pods specifically (vs. all pods) - Allows ingress from ambient-code-runner pods across all namespaces - Uses ${NAMESPACE} template parameter for proper scoping Based on upstream PR: ambient-code/platform#1553 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude
---
 .../manifests/templates/template-operator.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/components/manifests/templates/template-operator.yaml b/components/manifests/templates/template-operator.yaml
index 415f426a1..f8e75c72d 100644
--- a/components/manifests/templates/template-operator.yaml
+++ b/components/manifests/templates/template-operator.yaml
@@ -1275,6 +1275,23 @@ objects:
 deployment-type: openshift
 name: operator-config
 namespace: ambient-code
+- apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: allow-from-runner-namespaces
+ namespace: ${NAMESPACE}
+ spec:
+ podSelector:
+ matchLabels:
+ app: backend-api
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ app: ambient-code-runner
 - apiVersion: apps/v1
 kind: Deployment
 metadata:
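Review bot: The `from` rule pairs `namespaceSelector: {}` with a `podSelector` on `app: ambient-code-runner`, so admission to backend-api rests solely on a pod label that anyone able to create pods in any namespace can set, and with no `ports:` list the rule opens every port on the selected pods. Since the commit message says runners live in user namespaces, consider narrowing the namespace side to a label only the platform applies, e.g. `- namespaceSelector: {matchLabels: {<platform-managed-label>: "true"}}` (placeholder key), and adding `ports: [{protocol: TCP, port: <backend-api-port>}]` to the ingress rule. A short comment above the object, such as `# Label-based allow: backend-api must still authenticate runner requests`, would record that this policy is a reachability fix and not an identity check. Indentation is collapsed in this view, so I am reading `podSelector` as part of the same `from` element as `namespaceSelector`; the surrounding `objects:` list continues outside the hunk.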