
[Enhancement]: Add support for allowing addition of custom ports on network policies when generated

Open NotAndD opened this issue 1 month ago • 1 comment

Related problem

When generateNetworkPolicy: true, the operator creates precise network policies listing the allowed ports and restricting incoming traffic to those ports. If the cluster is deployed in an Istio network mesh in ambient mode (its namespace is annotated with istio.io/dataplane-mode=ambient), Istio ztunnel uses HBONE port 15008 towards the Kafka and ZK pods as part of its mesh routing.

Since the network policies are in place, this fails, and as a result an installation made with the operator does not work with Istio in ambient mode unless network policy generation is disabled (also, it seems that the operator does not remove the network policies it generated if the config is later changed to false).

Suggested solution

Add a way to configure additional ports for the network policies. These custom ports are simply added to the list of allowed ports, with no additional checks.

Alternatives

No response

Additional context

No response

NotAndD Jan 13 '25 08:01
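The failure described in the issue can be confirmed (and the proposed fix prototyped) directly against a NetworkPolicy object. The following is an added example, not code from the issue or from the Strimzi project: the KAFKA_POLICY dict is constructed to resemble the ingress policy Strimzi generates for Kafka pods (the exact rules, labels and ports the operator emits may differ), ingress_port_allowed evaluates only the port side of the ingress rules (not the from selectors), and with_extra_ports implements the "add the ports with no additional checks" behaviour by appending a separate rule, which is a design choice made here, not the operator's.

```python
"""Check whether a Kubernetes NetworkPolicy admits ingress on a port, and add
extra ports to it the way the issue proposes.

Example code written for this discussion; not part of Strimzi. The policy
below is constructed to resemble the ingress NetworkPolicy Strimzi generates
for a Kafka pod; the operator's real output may differ in labels and ports.
"""
import copy

# Constructed sample: a Strimzi-style NetworkPolicy for the Kafka pods.
KAFKA_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "my-cluster-network-policy-kafka", "namespace": "kafka"},
    "spec": {
        "podSelector": {"matchLabels": {"strimzi.io/name": "my-cluster-kafka"}},
        "policyTypes": ["Ingress"],
        "ingress": [
            {   # replication port: reachable only from Kafka and operator pods
                "ports": [{"port": 9091, "protocol": "TCP"}],
                "from": [
                    {"podSelector": {"matchLabels": {"strimzi.io/name": "my-cluster-kafka"}}},
                    {"podSelector": {"matchLabels": {"strimzi.io/kind": "cluster-operator"}}},
                ],
            },
            {   # client listeners: no 'from', so any peer may connect
                "ports": [{"port": 9092, "protocol": "TCP"}, {"port": 9093, "protocol": "TCP"}],
            },
            {   # metrics
                "ports": [{"port": 9404, "protocol": "TCP"}],
            },
        ],
    },
}

HBONE_PORT = 15008  # port Istio ambient ztunnel uses for HBONE


def _port_entry_matches(entry, port, protocol):
    """True if one NetworkPolicyPort entry covers (port, protocol).
    Protocol defaults to TCP; 'endPort' turns the entry into a range."""
    if entry.get("protocol", "TCP") != protocol:
        return False
    start = entry.get("port")
    if start is None:           # no port given: every port of that protocol
        return True
    if isinstance(start, str):  # named port: unresolvable without the pod spec
        return False
    end = entry.get("endPort", start)
    return start <= port <= end


def ingress_port_allowed(policy, port, protocol="TCP"):
    """True if some ingress rule of `policy` admits `port`/`protocol` from at
    least one peer. Peer selectors ('from') are deliberately not evaluated:
    the question here is whether any source could reach the port at all,
    which is what fails for ztunnel when 15008 is missing."""
    spec = policy["spec"]
    types = spec.get("policyTypes")
    if types is None:
        types = ["Ingress"]  # API default: every policy affects ingress
    if "Ingress" not in types:
        return True  # pod is not isolated for ingress by this policy
    for rule in spec.get("ingress", []):
        ports = rule.get("ports")
        if not ports:  # absent or empty list: all ports allowed
            return True
        if any(_port_entry_matches(e, port, protocol) for e in ports):
            return True
    return False  # isolated for ingress and no rule covers the port


def with_extra_ports(policy, extra_ports, protocol="TCP"):
    """Return a copy of `policy` with one added ingress rule admitting
    `extra_ports` from any peer, with no further checks, as the issue
    requests. Appending a separate rule (design choice in this example)
    leaves the 'from' restrictions on the existing rules untouched."""
    out = copy.deepcopy(policy)
    rule = {"ports": [{"port": p, "protocol": protocol} for p in extra_ports]}
    out["spec"].setdefault("ingress", []).append(rule)
    return out


if __name__ == "__main__":
    print("9093 allowed:", ingress_port_allowed(KAFKA_POLICY, 9093))
    print("15008 allowed:", ingress_port_allowed(KAFKA_POLICY, HBONE_PORT))
    patched = with_extra_ports(KAFKA_POLICY, [HBONE_PORT])
    print("15008 allowed after adding it:", ingress_port_allowed(patched, HBONE_PORT))
```

Run against a live cluster, the same check can be applied to `kubectl get networkpolicy -n <ns> -o json` output by loading the item into the function. Note that the extra rule admits the port from any peer; whether that is acceptable depends on what ztunnel's inbound traffic looks like to the CNI, which this check does not model.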