From bc870dc2aec41c8d18365e967420e18d30d29547 Mon Sep 17 00:00:00 2001
From: user
Date: Mon, 11 May 2026 14:56:01 -0400
Subject: [PATCH] fix(manifests): add NetworkPolicy allowing runner pods to reach ambient-code namespace
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Runner pods in user namespaces were unable to reach backend-service due to default-deny NetworkPolicies in the ambient-code namespace. This caused INITIAL_PROMPT TimeoutError during session startup.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude
---
 components/manifests/base/kustomization.yaml | 1 +
 .../manifests/base/runner-networkpolicy.yaml | 14 ++++++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 components/manifests/base/runner-networkpolicy.yaml
diff --git a/components/manifests/base/kustomization.yaml b/components/manifests/base/kustomization.yaml
index 226d5d126..9b5b6a9e8 100644
--- a/components/manifests/base/kustomization.yaml
+++ b/components/manifests/base/kustomization.yaml
@@ -10,6 +10,7 @@ resources:
 - platform
 - ambient-control-plane-service.yml
 - ambient-control-plane-token-svc.yaml
+- runner-networkpolicy.yaml
 
 # Default images (can be overridden by overlays)
 images:
diff --git a/components/manifests/base/runner-networkpolicy.yaml b/components/manifests/base/runner-networkpolicy.yaml
new file mode 100644
index 000000000..5ba3395a1
--- /dev/null
+++ b/components/manifests/base/runner-networkpolicy.yaml
@@ -0,0 +1,14 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-from-runner-namespaces
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ app: ambient-code-runner
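Review bot: In the new runner-networkpolicy.yaml, `podSelector: {}` at the spec level combined with the missing `ports` list opens every pod in the namespace on every port, although the commit message names only backend-service as the destination. On the source side, `namespaceSelector: {}` matches all namespaces, so the only gate is the pod label `app: ambient-code-runner`, which anyone able to create pods in any namespace can set. Consider selecting just the backend pods, listing the port they serve, and matching runner namespaces by a label the platform controls; the values below are placeholders because the real labels and port are not visible in this patch. The manifest also carries no `metadata.namespace`, so it presumably relies on the kustomization to place it in ambient-code, which is worth confirming.

```yaml
spec:
  podSelector:
    matchLabels:
      app: "<BACKEND_POD_LABEL>"  # placeholder: label carried by the backend-service pods
  # … unchanged: policyTypes …
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              "<RUNNER_NAMESPACE_LABEL_KEY>": "<VALUE>"  # placeholder: label the platform sets on runner namespaces
          # … unchanged: podSelector matching app: ambient-code-runner …
      ports:
        - protocol: TCP
          port: "<BACKEND_SERVICE_PORT>"  # placeholder: port backend-service listens on
```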