Make metrics-access network policy configurable #789

Merged
lalitadithya merged 1 commit into NVIDIA:main from yuanchen8911:fix/network-policy-configurable on Feb 4, 2026
Conversation

@yuanchen8911 yuanchen8911 commented Feb 4, 2026

Contributor

Summary

Add networkPolicy.enabled flag to allow users to disable the metrics-access network policy.

Problem

The current metrics-access network policy only allows ingress on ports:

  • 2112 (metrics)
  • 9216 (MongoDB metrics)

This blocks all other ingress traffic, which causes issues when NVSentinel is deployed in the same namespace as other services. For example:

  • cert-manager webhook (port 443) is blocked, causing startupapicheck to fail
  • Any service requiring ingress on non-metrics ports will be affected

Error example from cert-manager startupapicheck:

failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.eidos-stack.svc:443/mutate": context deadline exceeded

Solution

Add a configurable flag networkPolicy.enabled (default: true) that allows users to disable the network policy when needed:

networkPolicy:
  enabled: false

This maintains backward compatibility (enabled by default) while giving users control over the network policy.

Changes

  • templates/networkpolicy.yaml: Wrap with {{- if .Values.networkPolicy.enabled }}
  • values.yaml: Add networkPolicy.enabled: true with documentation

Test plan

  • Deploy with networkPolicy.enabled: true (default) - verify policy is created
  • Deploy with networkPolicy.enabled: false - verify policy is not created
  • Deploy alongside cert-manager in same namespace with policy disabled - verify webhook works

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features
    • Network policies are now optional and configurable, allowing operators to enable or disable them based on deployment requirements
    • Network policies are enabled by default to restrict access to metrics ports, with an option to disable in environments where conflicts may arise with other services
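As an added illustration of the conditional wrap the description refers to (this is example content written for this page, not the chart's own templates/networkpolicy.yaml or values.yaml), below is a Helm template for a metrics-access NetworkPolicy guarded by networkPolicy.enabled, followed by the matching values.yaml entry. The two ports are the ones named in the description; the resource name, the namespace field and the empty podSelector are assumptions. The empty podSelector is assumed because the description says the policy blocks ingress to unrelated services in the same namespace, which is the behaviour of a policy that selects every pod in the namespace.

```yaml
# --- templates/networkpolicy.yaml (illustrative example, not the chart's file) ---
{{- if .Values.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nvsentinel-metrics-access        # assumed name
  namespace: {{ .Release.Namespace }}
spec:
  # Assumed: an empty podSelector applies the policy to every pod in the
  # namespace. That is what makes co-located services (for example the
  # cert-manager webhook on 443) lose their ingress while the policy exists.
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - ports:
        - protocol: TCP
          port: 2112      # NVSentinel metrics
        - protocol: TCP
          port: 9216      # MongoDB metrics
{{- end }}

# --- values.yaml (illustrative entry) ---
networkPolicy:
  # When true, ingress in the namespace is limited to the metrics ports above.
  # Set to false if the chart shares a namespace with services that need other
  # ingress ports; note that disabling removes the ingress restriction entirely
  # rather than adding exceptions for those services.
  enabled: true
```

Rendering with helm template and --set networkPolicy.enabled=false produces no NetworkPolicy document, which is the check the test plan describes; with the default the resource is emitted unchanged. From a defender's point of view the flag trades isolation for compatibility for the whole namespace, so where only one extra port is needed (443 for the webhook in the example above), narrowing the podSelector to the chart's own pods or adding that port to the ingress rule keeps the restriction in place while removing the conflict.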

Add networkPolicy.enabled flag (default: true) to allow users to disable
the metrics-access network policy when it conflicts with other services.

The current network policy only allows ingress on ports 2112 (metrics)
and 9216 (MongoDB metrics), which blocks other services like cert-manager
webhook (port 443) when deployed in the same namespace.

Users can now disable it by setting:
  networkPolicy:
    enabled: false

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@coderabbitai

coderabbitai Bot commented Feb 4, 2026

Contributor

Walkthrough

Kubernetes Helm chart enhanced with conditional NetworkPolicy rendering. The NetworkPolicy template is now wrapped with a configuration flag that defaults to enabled, allowing operators to control whether the network policy resource is deployed alongside the nvsentinel application.

Changes

Cohort / File(s): Summary

  • NetworkPolicy Template (distros/kubernetes/nvsentinel/templates/networkpolicy.yaml): Added conditional rendering using {{- if .Values.networkPolicy.enabled }} to make the entire NetworkPolicy resource optional based on configuration.
  • Helm Values Configuration (distros/kubernetes/nvsentinel/values.yaml): Introduced new networkPolicy.enabled configuration parameter (default: true) with documentation noting that it restricts ingress to metrics ports and may conflict with other services in the same namespace.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A policy wrapped in conditional grace,
With values default to their rightful place,
Network gates now open or sealed,
Metrics access gently revealed! 🔐

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title clearly and accurately summarizes the main change: making the metrics-access network policy configurable through a Helm value flag.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@yuanchen8911

Contributor Author

/cc @lalitadithya

@mchmarny mchmarny left a comment

Member


/lgtm

@lalitadithya lalitadithya merged commit e2ff1cb into NVIDIA:main Feb 4, 2026
39 checks passed
Contributor

This pull request has been automatically locked since it has been closed for 90 days with no further activity. Please open a new pull request for related changes.

@github-actions github-actions Bot locked as resolved and limited conversation to collaborators May 27, 2026