From aa59d5a62f30312002525ecda46e409518f48677 Mon Sep 17 00:00:00 2001
From: Scot Wells
Date: Tue, 5 May 2026 15:54:59 -0500
Subject: [PATCH] fix: remove ActivityPolicies for uninstalled route CRDs

Remove ActivityPolicy resources for TCPRoute, TLSRoute, and UDPRoute from the milo activity policies. These CRDs are not installed on the project control plane, causing the activity controller to report InProgress status indefinitely. The missing CRDs prevent the network-services-operator core control plane resources kustomization from completing its health checks, blocking all downstream reconciliation.
---
.../milo/activity/policies/kustomization.yaml | 3 --
.../activity/policies/tcproute-policy.yaml | 45 -------------------
.../activity/policies/tlsroute-policy.yaml | 45 -------------------
.../activity/policies/udproute-policy.yaml | 45 -------------------
4 files changed, 138 deletions(-)
delete mode 100644 config/milo/activity/policies/tcproute-policy.yaml
delete mode 100644 config/milo/activity/policies/tlsroute-policy.yaml
delete mode 100644 config/milo/activity/policies/udproute-policy.yaml

diff --git a/config/milo/activity/policies/kustomization.yaml b/config/milo/activity/policies/kustomization.yaml
index 7516c7f..e6a876f 100644
--- a/config/milo/activity/policies/kustomization.yaml
+++ b/config/milo/activity/policies/kustomization.yaml
@@ -11,7 +11,4 @@ resources:
 # gateway.networking.k8s.io kinds
 - gateway-policy.yaml
 - httproute-policy.yaml
- - tcproute-policy.yaml
- - udproute-policy.yaml
- - tlsroute-policy.yaml
 - backendtlspolicy-policy.yaml
diff --git a/config/milo/activity/policies/tcproute-policy.yaml b/config/milo/activity/policies/tcproute-policy.yaml
deleted file mode 100644
index f3dfd73..0000000
--- a/config/milo/activity/policies/tcproute-policy.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-# ActivityPolicy for TCPRoute resources (gateway.networking.k8s.io).
-# Defines how TCPRoute CRUD operations appear in activity timelines.
-#
-# TCPRoute resources route TCP traffic and have no user-facing display name field
-# (spec.rules reference backend services). The resource name is used as the display
-# string. All rules exclude system users to suppress reconciliation noise.
-apiVersion: activity.miloapis.com/v1alpha1
-kind: ActivityPolicy
-metadata:
- name: gateway.networking.k8s.io-tcproute
-spec:
- resource:
- apiGroup: gateway.networking.k8s.io
- kind: TCPRoute
-
- auditRules:
- # TCPRoute creation with spec available
- - name: create
- match: "!audit.user.username.startsWith('system:') && audit.verb == 'create' && has(audit.requestObject.spec)"
- summary: "{{ actor }} created TCP route {{ link(audit.objectRef.name, audit.objectRef) }}"
-
- # TCPRoute creation fallback (no spec)
- - name: create-fallback
- match: "!audit.user.username.startsWith('system:') && audit.verb == 'create'"
- summary: "{{ actor }} created {{ link('a TCP route', audit.objectRef) }}"
-
- # TCPRoute deletion with responseObject.spec available (response contains the deleted resource)
- - name: delete
- match: "!audit.user.username.startsWith('system:') && audit.verb == 'delete' && has(audit.responseObject.spec)"
- summary: "{{ actor }} deleted TCP route {{ audit.objectRef.name }}"
-
- # TCPRoute deletion fallback (no spec on response)
- - name: delete-fallback
- match: "!audit.user.username.startsWith('system:') && audit.verb == 'delete'"
- summary: "{{ actor }} deleted a TCP route"
-
- # TCPRoute update with spec available - excludes status subresource
- - name: update
- match: "!audit.user.username.startsWith('system:') && audit.verb in ['update', 'patch'] && !has(audit.objectRef.subresource) && has(audit.requestObject.spec)"
- summary: "{{ actor }} updated TCP route {{ link(audit.objectRef.name, audit.objectRef) }}"
-
- # TCPRoute update fallback (no spec)
- - name: update-fallback
- match: "!audit.user.username.startsWith('system:') && audit.verb in ['update', 'patch'] && !has(audit.objectRef.subresource)"
- summary: "{{ actor }} updated {{ link('a TCP route', audit.objectRef) }}"
diff --git a/config/milo/activity/policies/tlsroute-policy.yaml b/config/milo/activity/policies/tlsroute-policy.yaml
deleted file mode 100644
index aac1f67..0000000
--- a/config/milo/activity/policies/tlsroute-policy.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-# ActivityPolicy for TLSRoute resources (gateway.networking.k8s.io).
-# Defines how TLSRoute CRUD operations appear in activity timelines.
-#
-# TLSRoute resources route TLS traffic based on SNI and have no user-facing
-# display name field (spec.rules reference backend services). The resource name
-# is used as the display string. All rules exclude system users to suppress noise.
-apiVersion: activity.miloapis.com/v1alpha1
-kind: ActivityPolicy
-metadata:
- name: gateway.networking.k8s.io-tlsroute
-spec:
- resource:
- apiGroup: gateway.networking.k8s.io
- kind: TLSRoute
-
- auditRules:
- # TLSRoute creation with spec available
- - name: create
- match: "!audit.user.username.startsWith('system:') && audit.verb == 'create' && has(audit.requestObject.spec)"
- summary: "{{ actor }} created TLS route {{ link(audit.objectRef.name, audit.objectRef) }}"
-
- # TLSRoute creation fallback (no spec)
- - name: create-fallback
- match: "!audit.user.username.startsWith('system:') && audit.verb == 'create'"
- summary: "{{ actor }} created {{ link('a TLS route', audit.objectRef) }}"
-
- # TLSRoute deletion with responseObject.spec available (response contains the deleted resource)
- - name: delete
- match: "!audit.user.username.startsWith('system:') && audit.verb == 'delete' && has(audit.responseObject.spec)"
- summary: "{{ actor }} deleted TLS route {{ audit.objectRef.name }}"
-
- # TLSRoute deletion fallback (no spec on response)
- - name: delete-fallback
- match: "!audit.user.username.startsWith('system:') && audit.verb == 'delete'"
- summary: "{{ actor }} deleted a TLS route"
-
- # TLSRoute update with spec available - excludes status subresource
- - name: update
- match: "!audit.user.username.startsWith('system:') && audit.verb in ['update', 'patch'] && !has(audit.objectRef.subresource) && has(audit.requestObject.spec)"
- summary: "{{ actor }} updated TLS route {{ link(audit.objectRef.name, audit.objectRef) }}"
-
- # TLSRoute update fallback (no spec)
- - name: update-fallback
- match: "!audit.user.username.startsWith('system:') && audit.verb in ['update', 'patch'] && !has(audit.objectRef.subresource)"
- summary: "{{ actor }} updated {{ link('a TLS route', audit.objectRef) }}"
diff --git a/config/milo/activity/policies/udproute-policy.yaml b/config/milo/activity/policies/udproute-policy.yaml
deleted file mode 100644
index 966a43f..0000000
--- a/config/milo/activity/policies/udproute-policy.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-# ActivityPolicy for UDPRoute resources (gateway.networking.k8s.io).
-# Defines how UDPRoute CRUD operations appear in activity timelines.
-#
-# UDPRoute resources route UDP traffic and have no user-facing display name field
-# (spec.rules reference backend services). The resource name is used as the display
-# string. All rules exclude system users to suppress reconciliation noise.
-apiVersion: activity.miloapis.com/v1alpha1
-kind: ActivityPolicy
-metadata:
- name: gateway.networking.k8s.io-udproute
-spec:
- resource:
- apiGroup: gateway.networking.k8s.io
- kind: UDPRoute
-
- auditRules:
- # UDPRoute creation with spec available
- - name: create
- match: "!audit.user.username.startsWith('system:') && audit.verb == 'create' && has(audit.requestObject.spec)"
- summary: "{{ actor }} created UDP route {{ link(audit.objectRef.name, audit.objectRef) }}"
-
- # UDPRoute creation fallback (no spec)
- - name: create-fallback
- match: "!audit.user.username.startsWith('system:') && audit.verb == 'create'"
- summary: "{{ actor }} created {{ link('a UDP route', audit.objectRef) }}"
-
- # UDPRoute deletion with responseObject.spec available (response contains the deleted resource)
- - name: delete
- match: "!audit.user.username.startsWith('system:') && audit.verb == 'delete' && has(audit.responseObject.spec)"
- summary: "{{ actor }} deleted UDP route {{ audit.objectRef.name }}"
-
- # UDPRoute deletion fallback (no spec on response)
- - name: delete-fallback
- match: "!audit.user.username.startsWith('system:') && audit.verb == 'delete'"
- summary: "{{ actor }} deleted a UDP route"
-
- # UDPRoute update with spec available - excludes status subresource
- - name: update
- match: "!audit.user.username.startsWith('system:') && audit.verb in ['update', 'patch'] && !has(audit.objectRef.subresource) && has(audit.requestObject.spec)"
- summary: "{{ actor }} updated UDP route {{ link(audit.objectRef.name, audit.objectRef) }}"
-
- # UDPRoute update fallback (no spec)
- - name: update-fallback
- match: "!audit.user.username.startsWith('system:') && audit.verb in ['update', 'patch'] && !has(audit.objectRef.subresource)"
- summary: "{{ actor }} updated {{ link('a UDP route', audit.objectRef) }}"