Make metrics-access network policy configurable #789
Add networkPolicy.enabled flag (default: true) to allow users to disable
the metrics-access network policy when it conflicts with other services.
The current network policy only allows ingress on ports 2112 (metrics)
and 9216 (MongoDB metrics), which blocks other services like cert-manager
webhook (port 443) when deployed in the same namespace.
Users can now disable it by setting:
    networkPolicy:
      enabled: false
Co-Authored-By: Claude Opus 4.5 <[email protected]>
Walkthrough
Kubernetes Helm chart enhanced with conditional NetworkPolicy rendering. The NetworkPolicy template is now wrapped with a configuration flag that defaults to enabled, allowing operators to control whether the network policy resource is deployed alongside the nvsentinel application.
/cc @lalitadithya
This pull request has been automatically locked since it has been closed for 90 days with no further activity. Please open a new pull request for related changes.
Summary
Add networkPolicy.enabled flag to allow users to disable the metrics-access network policy.
Problem
The current metrics-access network policy only allows ingress on ports:
This blocks all other ingress traffic, which causes issues when NVSentinel is deployed in the same namespace as other services. For example:
startupapicheck to fail
Error example from cert-manager startupapicheck:
Solution
Add a configurable flag networkPolicy.enabled (default: true) that allows users to disable the network policy when needed:
This maintains backward compatibility (enabled by default) while giving users control over the network policy.
Changes
- templates/networkpolicy.yaml: Wrap with {{- if .Values.networkPolicy.enabled }}
- values.yaml: Add networkPolicy.enabled: true with documentation
Test plan
- networkPolicy.enabled: true (default) - verify policy is created
- networkPolicy.enabled: false - verify policy is not created
🤖 Generated with Claude Code
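Added example, not part of the PR or the chart: a small Python model of NetworkPolicy ingress semantics (ports only) showing why the policy blocks port 443 for a co-located cert-manager webhook, and what disabling it opens up. It assumes the policy's podSelector is empty, selecting every pod in the namespace, which the page implies but does not show; the pod names, labels and port 8080 are constructed.

```python
"""Model of Kubernetes NetworkPolicy ingress evaluation, ports only.

Assumption: the chart's metrics-access policy has an empty podSelector,
so it selects every pod in the namespace. The template is not on the page.
"""

METRICS_ACCESS = {              # built from the two ports named in the PR
    "name": "metrics-access",
    "podSelector": {},          # assumed: empty selector matches all pods
    "ingressPorts": [2112, 9216],
}

def render_policies(values):
    """Mimic the `if .Values.networkPolicy.enabled` guard; the default of
    True mirrors the `networkPolicy.enabled: true` entry in values.yaml."""
    enabled = values.get("networkPolicy", {}).get("enabled", True)
    return [METRICS_ACCESS] if enabled else []

def selects(policy, pod_labels):
    """matchLabels-style match: every selector key/value is on the pod."""
    return all(pod_labels.get(k) == v for k, v in policy["podSelector"].items())

def ingress_allowed(policies, pod_labels, port):
    """A pod selected by no policy accepts all ingress. Once any policy
    selects it, only the union of those policies' ports is allowed."""
    selecting = [p for p in policies if selects(p, pod_labels)]
    if not selecting:
        return True
    return any(port in p["ingressPorts"] for p in selecting)

# Constructed sample pods sharing one namespace.
PODS = {
    "nvsentinel": {"app": "nvsentinel"},
    "cert-manager-webhook": {"app": "webhook"},
}

def report(values):
    """Map (pod, port) -> allowed? for the given Helm values."""
    policies = render_policies(values)
    return {(name, port): ingress_allowed(policies, labels, port)
            for name, labels in PODS.items()
            for port in (443, 2112, 9216, 8080)}

if __name__ == "__main__":
    for values in ({}, {"networkPolicy": {"enabled": False}}):
        print(values or "chart defaults")
        for (name, port), ok in sorted(report(values).items()):
            print(f"  {name}:{port} -> {'allow' if ok else 'deny'}")
```

With the flag set to false, no policy from this chart selects the nvsentinel pods either, so every port on them accepts ingress unless another policy in the namespace covers them.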