From f416ffaa577011533058655dcf98efc17129f9bd Mon Sep 17 00:00:00 2001
From: user
Date: Tue, 12 May 2026 10:55:08 -0400
Subject: [PATCH] fix(manifests): replace broken NetworkPolicy with proper platform ingress rules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The allow-from-runner-namespaces NP (#1553) uses podSelector: {} (all pods) but only permits ingress from runner pods, blocking OpenShift router traffic to the frontend and all other services. This caused outages on both Stage and UAT clusters.
Replace with allow-platform-ingress that permits:
- OpenShift router ingress (policy-group.network.openshift.io/ingress label)
- Intra-namespace pod-to-pod traffic
- Runner pod ingress from any namespace (original intent of #1553)
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude
---
 .../manifests/base/runner-networkpolicy.yaml | 21 ++++++++++++-------
 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/components/manifests/base/runner-networkpolicy.yaml b/components/manifests/base/runner-networkpolicy.yaml
index a873bd697..5b9e19485 100644
--- a/components/manifests/base/runner-networkpolicy.yaml
+++ b/components/manifests/base/runner-networkpolicy.yaml
@@ -1,15 +1,20 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
- name: allow-from-runner-namespaces
+ name: allow-platform-ingress
 spec:
 podSelector: {}
 policyTypes:
- - Ingress
+ - Ingress
 ingress:
- - {}
- - from:
- - namespaceSelector: {}
- podSelector:
- matchLabels:
- app: ambient-code-runner
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ policy-group.network.openshift.io/ingress: ""
+ - from:
+ - podSelector: {}
+ - from:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ app: ambient-code-runner
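Review bot: The third ingress rule, `- namespaceSelector: {}` paired with `podSelector: matchLabels: app: ambient-code-runner`, combined with the policy's `podSelector: {}`, lets any pod in any namespace that carries the `app: ambient-code-runner` label reach every pod in this namespace, and since that label is self-asserted by whoever can create pods in a namespace, the trust boundary is the label rather than the runner namespaces named in the policy's old name. Narrowing the namespace selector to a label the platform itself applies to runner namespaces would keep the #1553 intent while closing the cluster-wide opening, e.g. `namespaceSelector: matchLabels: <runner-namespace-label>: "true"` (placeholder; substitute the label the operator actually sets). The first rule selects on the namespace label alone, so every pod in any namespace carrying `policy-group.network.openshift.io/ingress` is admitted, which is presumably only the default router namespace as OpenShift documents; a comment above that rule such as `# OpenShift router: namespace label applied by the platform to the ingress namespace` would record that assumption. Because the object is renamed rather than edited, the old `allow-from-runner-namespaces` NetworkPolicy will remain on clusters unless the apply prunes it; NetworkPolicy allows are additive so it cannot tighten anything, but it should be removed to avoid a misleading second policy.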