fix(manifests): replace broken NetworkPolicy with proper platform ingress rules#1566

Open
markturansky wants to merge 2 commits into main from fix/platform-ingress-netpol-base

Conversation

@markturansky
Contributor

@markturansky markturansky commented May 12, 2026

Summary

Root Cause

PR #1553 merged a NetworkPolicy into base/ that inadvertently blocked all ingress to the ambient-code namespace except from runner pods. On OpenShift, the ingress router runs in a separate namespace (openshift-ingress), so all external traffic to the frontend, backend routes, and API server was denied.

Test plan

  • Verified kustomize build succeeds for base/, overlays/production/, and overlays/kind/
  • Manually applied corrected NP to Stage and UAT — both clusters recovered immediately
  • Verify frontend accessible after deployment on Stage/UAT
  • Verify runner pods can still reach backend services

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated network policy to allow ingress from multiple explicit sources: platform-designated namespaces, pods within the same namespace, and pods with specific labels across namespaces.
    • Renamed and refined selectors to make ingress sources explicit and tighten rule definitions while preserving interoperability.

@netlify

netlify Bot commented May 12, 2026

Deploy Preview for cheerful-kitten-f556a0 canceled.

Name | Link
Latest commit | c05f5e2
Latest deploy log | https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/6a038753110ab7000873b89e

@coderabbitai
Contributor

coderabbitai Bot commented May 12, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0f2f754e-dc31-4948-9443-9f439a95a9ab

📥 Commits

Reviewing files that changed from the base of the PR and between 5f1d48a and baa4ad7.

📒 Files selected for processing (1)
  • components/manifests/base/runner-networkpolicy.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • components/manifests/base/runner-networkpolicy.yaml

📝 Walkthrough

Walkthrough

The NetworkPolicy metadata.name was changed to allow-platform-ingress and its spec.ingress was rewritten: the prior empty (allow-all) ingress rule and single ambient-runner source were removed and replaced with three explicit ingress.from sources (namespaces labeled policy-group.network.openshift.io/ingress: "", all pods in the same namespace, and pods labeled app: ambient-code-runner from any namespace).

Changes

Runner NetworkPolicy ingress rewrite

Layer / File(s): NetworkPolicy rename and ingress sources (components/manifests/base/runner-networkpolicy.yaml)
Summary: metadata.name changed to allow-platform-ingress. Replaced previous ingress rules (which included an empty allow-all rule and a single app: ambient-code-runner pod source) with three explicit spec.ingress.from entries: (1) pods in namespaces labeled policy-group.network.openshift.io/ingress: "", (2) all pods within the same namespace (podSelector: {}), and (3) pods labeled app: ambient-code-runner from any namespace (namespaceSelector + podSelector.matchLabels).

Possibly related PRs

  • ambient-code/platform#1553: Prior change to the same NetworkPolicy manifest that added an allow-from-runner-namespaces style policy; this PR renames and rewrites that policy's ingress sources.
🚥 Pre-merge checks | ✅ 8
✅ Passed checks (8 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | Title follows Conventional Commits format (fix type, manifests scope) and clearly describes the main change: replacing a broken NetworkPolicy with proper platform ingress rules.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Performance And Algorithmic Complexity | ✅ Passed | Only Kubernetes NetworkPolicy manifest modified. No algorithmic code, caching, N+1 patterns, or performance logic. Change is restrictive, improving efficiency.
Security And Secret Handling | ✅ Passed | PR modifies only Kubernetes NetworkPolicy manifest with no code changes, no credentials, and no K8s Secret issues. Not applicable to security check.
Kubernetes Resource Safety | ✅ Passed | NetworkPolicy resource complies with safety checks. No child resources or RBAC wildcards present. Namespace scoping provided by Kustomize overlay injection. Ingress rules are targeted and intentional.


@markturansky markturansky force-pushed the fix/platform-ingress-netpol-base branch from dc2f589 to 5f1d48a on May 12, 2026 16:45
…ress rules

The allow-from-runner-namespaces NP (#1553) uses podSelector: {} (all pods)
but only permits ingress from runner pods, blocking OpenShift router traffic
to the frontend and all other services. This caused outages on both Stage
and UAT clusters.

Replace with allow-platform-ingress that permits:
- OpenShift router ingress (policy-group.network.openshift.io/ingress label)
- Intra-namespace pod-to-pod traffic
- Runner pod ingress from any namespace (original intent of #1553)

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
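To make the outage mechanism concrete, here is an added example (not code from the ambient-code/platform repository) that replays the ingress decision of both policies over a constructed cluster. The two policy dicts mirror the rules the commit message and the CodeRabbit walkthrough describe: the #1553 policy is modelled as `podSelector: {}` with a single runner-pod `from` entry, and the replacement as the three entries named above. The namespaces, pods and pod labels (including the `app: router` label on the router pod) are made-up fixtures, and the evaluator implements only the slice of NetworkPolicy semantics these rules exercise (`matchLabels`, no `matchExpressions`, ports or `ipBlock`), assuming no other policies select the destination pods.

```python
"""Replay ingress verdicts for the NetworkPolicy this PR replaces.

Added example, not code from the ambient-code/platform repository. Policy
dicts follow the PR text; namespaces, pods and labels are constructed fixtures.
"""

POLICY_NAMESPACE = "ambient-code"  # namespace the policy is applied to (from the PR)

# PR #1553 policy as the commit message describes it: selects every pod but
# only admits ingress from runner pods, and a bare podSelector is scoped to
# the policy's own namespace.
BROKEN_POLICY = {
    "metadata": {"name": "allow-from-runner-namespaces"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [
            {"podSelector": {"matchLabels": {"app": "ambient-code-runner"}}},
        ]}],
    },
}

# Replacement policy as described in the walkthrough and commit message.
FIXED_POLICY = {
    "metadata": {"name": "allow-platform-ingress"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [
            # 1. OpenShift router: namespaces carrying the ingress policy-group label
            {"namespaceSelector": {"matchLabels": {"policy-group.network.openshift.io/ingress": ""}}},
            # 2. every pod in the policy's own namespace
            {"podSelector": {}},
            # 3. runner pods from any namespace (namespaceSelector AND podSelector)
            {"namespaceSelector": {}, "podSelector": {"matchLabels": {"app": "ambient-code-runner"}}},
        ]}],
    },
}

# Constructed cluster fixtures; the router pod's "app: router" label is made up.
NAMESPACES = {
    "ambient-code": {},
    "openshift-ingress": {"policy-group.network.openshift.io/ingress": ""},
    "team-a": {},
}
ROUTER = {"namespace": "openshift-ingress", "labels": {"app": "router"}}
FRONTEND = {"namespace": "ambient-code", "labels": {"app": "frontend"}}
BACKEND = {"namespace": "ambient-code", "labels": {"app": "backend"}}
REMOTE_RUNNER = {"namespace": "team-a", "labels": {"app": "ambient-code-runner"}}
REMOTE_OTHER = {"namespace": "team-a", "labels": {"app": "batch-job"}}


def selector_matches(selector, labels):
    """matchLabels semantics: every listed key/value must be present; {} matches all."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(key) == value for key, value in wanted.items())


def peer_matches(peer, src, namespaces, policy_ns):
    """One 'from' entry: namespaceSelector and podSelector in the same entry are ANDed."""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None:
        if src["namespace"] != policy_ns:  # bare podSelector never reaches other namespaces
            return False
    elif not selector_matches(ns_sel, namespaces[src["namespace"]]):
        return False
    return pod_sel is None or selector_matches(pod_sel, src["labels"])


def ingress_allowed(policy, src, dst, namespaces, policy_ns=POLICY_NAMESPACE):
    """True if the policy lets traffic from src reach dst (assumes no other policies)."""
    spec = policy["spec"]
    if dst["namespace"] != policy_ns or not selector_matches(spec["podSelector"], dst["labels"]):
        return True  # pod not selected by this policy: unaffected
    for rule in spec.get("ingress", []):
        peers = rule.get("from")
        if not peers:
            return True  # a rule without 'from' admits every source
        if any(peer_matches(p, src, namespaces, policy_ns) for p in peers):
            return True
    return False


def decision_table(policy):
    """Verdict per flow: router, intra-namespace, remote runner, unrelated remote pod."""
    flows = {
        "router->frontend": (ROUTER, FRONTEND),
        "frontend->backend": (FRONTEND, BACKEND),
        "remote-runner->backend": (REMOTE_RUNNER, BACKEND),
        "remote-other->backend": (REMOTE_OTHER, BACKEND),
    }
    return {name: ingress_allowed(policy, s, d, NAMESPACES) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for policy in (BROKEN_POLICY, FIXED_POLICY):
        print(policy["metadata"]["name"])
        for flow, ok in decision_table(policy).items():
            print(f"  {flow:24s} {'ALLOW' if ok else 'DENY'}")
```

Running it shows the #1553 policy denying all four flows, including the router in openshift-ingress and a runner pod in another namespace (which is why the commit message calls cross-namespace runner ingress the "original intent"), while the replacement admits the router, intra-namespace traffic and remote runners but still denies an unrelated remote pod. The third entry is the one to watch when reviewing such manifests: `namespaceSelector: {}` and `podSelector` inside one `from` item are ANDed, whereas splitting them into two list items would OR them and open the namespace to every pod in the cluster.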
@markturansky markturansky force-pushed the fix/platform-ingress-netpol-base branch from 514e8d6 to baa4ad7 on May 12, 2026 18:23