
fix(manifests): replace broken NetworkPolicy with proper platform ingress rules#1566

Open
markturansky wants to merge 4 commits into main from fix/platform-ingress-netpol-base

Conversation

@markturansky
Contributor

@markturansky markturansky commented May 12, 2026

Summary

Root Cause

PR #1553 merged a NetworkPolicy into base/ that inadvertently blocked all ingress to the ambient-code namespace except from runner pods. On OpenShift, the ingress router runs in a separate namespace (openshift-ingress), so all external traffic to the frontend, backend routes, and API server was denied.

Test plan

  • Verified kustomize build succeeds for base/, overlays/production/, and overlays/kind/
  • Manually applied corrected NP to Stage and UAT — both clusters recovered immediately
  • Verify frontend accessible after deployment on Stage/UAT
  • Verify runner pods can still reach backend services

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated network policy to explicitly allow ingress from platform-designated namespaces, pods within the same namespace, and pods with specific labels across namespaces.
    • Tightened ingress rules to remove broad allowances and make permitted sources more explicit.

@netlify

netlify Bot commented May 12, 2026

Deploy Preview for cheerful-kitten-f556a0 canceled.

Name Link
🔨 Latest commit 744567d
🔍 Latest deploy log https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/6a05f6a171c42a0008c2c44b

@coderabbitai
Contributor

coderabbitai Bot commented May 12, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between baa4ad7 and f416ffa.

📒 Files selected for processing (1)
  • components/manifests/base/runner-networkpolicy.yaml

📝 Walkthrough

The NetworkPolicy metadata.name was changed to allow-platform-ingress and its spec.ingress was rewritten: the prior empty (allow-all) ingress rule and single ambient-runner source were removed and replaced with three explicit ingress.from sources (namespaces labeled policy-group.network.openshift.io/ingress: "", all pods in the same namespace, and pods labeled app: ambient-code-runner from any namespace).

Changes

Runner NetworkPolicy ingress rewrite

Layer: NetworkPolicy rename and ingress sources
File(s): components/manifests/base/runner-networkpolicy.yaml
Summary: metadata.name changed to allow-platform-ingress. Replaced previous ingress rules (which included an empty allow-all rule and a single app: ambient-code-runner pod source) with three explicit spec.ingress.from entries: (1) pods in namespaces labeled policy-group.network.openshift.io/ingress: "", (2) all pods within the same namespace (podSelector: {}), and (3) pods labeled app: ambient-code-runner from any namespace (namespaceSelector + podSelector.matchLabels).

Possibly related PRs

  • ambient-code/platform#1553: Prior change to the same NetworkPolicy manifest that added an allow-from-runner-namespaces style policy; this PR renames and rewrites that policy's ingress sources.
🚥 Pre-merge checks: 8 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. Title follows Conventional Commits format (fix type, manifests scope) and accurately describes the main change: replacing a broken NetworkPolicy with corrected platform ingress rules.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Performance And Algorithmic Complexity: ✅ Passed. PR contains only Kubernetes manifest changes (runner-networkpolicy.yaml). No application code modifications. Performance check not applicable to declarative infrastructure configuration.
  • Security And Secret Handling: ✅ Passed. NetworkPolicy file contains no plaintext secrets, hardcoded credentials, base64-encoded sensitive data, or K8s Secret references missing OwnerReferences. Rules use standard label selectors only.
  • Kubernetes Resource Safety: ✅ Passed. NetworkPolicy resource is properly namespace-scoped via kustomize overlays. Child resources, container limits, RBAC, and pod security context checks are not applicable to NetworkPolicy manifests.

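The root cause in the PR description and the three ingress.from sources in the walkthrough both hinge on how a NetworkPolicy's podSelector, namespaceSelector and empty rules combine. As an added example, not code from the PR or the ambient-code/platform repository, the following Python models those selection rules (matchLabels only) and evaluates two policies against sample sources. BROKEN_POLICY is reconstructed from the root-cause description, not the actual prior manifest; FIXED_POLICY mirrors the three from entries the walkthrough lists. Pod names, the sample namespaces and every label other than app: ambient-code-runner and policy-group.network.openshift.io/ingress are constructed assumptions.

```python
"""Toy evaluator for Kubernetes NetworkPolicy ingress rules (matchLabels only).

Added example, not code from the ambient-code/platform repository. BROKEN_POLICY is
reconstructed from the PR's root-cause description; FIXED_POLICY mirrors the three
ingress.from sources in the walkthrough. Peer names and labels are constructed sample
data except the namespace ambient-code, the label app: ambient-code-runner and the
OpenShift policy-group.network.openshift.io/ingress namespace label.
"""
from dataclasses import dataclass, field

NAMESPACE = "ambient-code"


@dataclass
class Peer:
    name: str
    namespace: str
    ns_labels: dict = field(default_factory=dict)
    pod_labels: dict = field(default_factory=dict)


def selector_matches(selector, labels):
    """matchLabels: every key present with exactly that value; {} matches all."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def from_entry_matches(entry, peer, policy_namespace):
    """One ingress[].from[] item: podSelector alone is scoped to the policy's own
    namespace, namespaceSelector alone admits every pod of matching namespaces,
    both in one entry are ANDed. ipBlock entries are not modelled."""
    ns_sel, pod_sel = entry.get("namespaceSelector"), entry.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False
    ns_ok = (peer.namespace == policy_namespace if ns_sel is None
             else selector_matches(ns_sel, peer.ns_labels))
    pod_ok = pod_sel is None or selector_matches(pod_sel, peer.pod_labels)
    return ns_ok and pod_ok


def ingress_allowed(policy, policy_namespace, target_labels, peer):
    """Can `peer` send to a pod carrying `target_labels` in policy_namespace?
    Pods not selected by spec.podSelector are not isolated by this policy. A selected
    pod accepts traffic only if some rule matches; a rule with no `from` matches all."""
    spec = policy["spec"]
    if not selector_matches(spec.get("podSelector", {}), target_labels):
        return True
    for rule in spec.get("ingress", []):
        sources = rule.get("from")
        if not sources:
            return True
        if any(from_entry_matches(e, peer, policy_namespace) for e in sources):
            return True
    return False


RUNNER_PODS = {"podSelector": {"matchLabels": {"app": "ambient-code-runner"}}}
ROUTER_NS = {"namespaceSelector": {"matchLabels": {"policy-group.network.openshift.io/ingress": ""}}}

# Reconstructed behaviour of the #1553 policy: selects every pod, admits only runner pods.
BROKEN_POLICY = {
    "metadata": {"name": "allow-from-runner-namespaces"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"namespaceSelector": {}, **RUNNER_PODS}]}]},
}

# The replacement: router namespaces, same-namespace pods, runner pods from any namespace.
FIXED_POLICY = {
    "metadata": {"name": "allow-platform-ingress"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
             "ingress": [{"from": [ROUTER_NS, {"podSelector": {}},
                                   {"namespaceSelector": {}, **RUNNER_PODS}]}]},
}

# A rule written as `- {}` (no `from`): the allow-all shape the walkthrough mentions.
ALLOW_ALL_POLICY = {"spec": {"podSelector": {}, "ingress": [{}]}}

# Constructed sample sources. Only the router's namespace label is taken from the PR.
PEERS = [
    Peer("router", "openshift-ingress",
         ns_labels={"policy-group.network.openshift.io/ingress": ""}, pod_labels={"app": "router"}),
    Peer("runner", "ambient-runner-1", pod_labels={"app": "ambient-code-runner"}),
    Peer("frontend", NAMESPACE, pod_labels={"app": "frontend"}),
    Peer("curl", "other", pod_labels={"app": "curl"}),
    # Any pod that can claim the runner label is admitted by entry (3), wherever it runs.
    Peer("impostor", "other", pod_labels={"app": "ambient-code-runner"}),
]


def reachability(policy, target_labels=None):
    """Map each sample peer to whether it can reach a backend pod in NAMESPACE."""
    target = target_labels or {"app": "backend"}
    return {p.name: ingress_allowed(policy, NAMESPACE, target, p) for p in PEERS}


if __name__ == "__main__":
    for label, pol in (("before", BROKEN_POLICY), ("after", FIXED_POLICY)):
        print(label, reachability(pol))
```

Running it shows the outage the PR describes: under the broken policy the router, the same-namespace frontend and the outside pod are all denied, only the runner gets through; under the replacement the router and intra-namespace traffic are admitted while an unlabelled pod in another namespace stays blocked. Two points worth keeping in mind when reviewing the real manifest: the `""` value on the router rule means the source namespace must carry that label key (OpenShift sets it on openshift-ingress), so a cluster that lacks the label would still block the router; and entry (3) trusts a pod label across every namespace, so the impostor peer above is admitted too, and the rule is only as strong as the controls on who can create labelled pods anywhere in the cluster.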

@markturansky markturansky force-pushed the fix/platform-ingress-netpol-base branch 2 times, most recently from 514e8d6 to baa4ad7 on May 12, 2026 18:23
…ress rules

The allow-from-runner-namespaces NP (#1553) uses podSelector: {} (all pods)
but only permits ingress from runner pods, blocking OpenShift router traffic
to the frontend and all other services. This caused outages on both Stage
and UAT clusters.

Replace with allow-platform-ingress that permits:
- OpenShift router ingress (policy-group.network.openshift.io/ingress label)
- Intra-namespace pod-to-pod traffic
- Runner pod ingress from any namespace (original intent of #1553)

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
@markturansky markturansky force-pushed the fix/platform-ingress-netpol-base branch from beb2298 to f416ffa on May 14, 2026 00:18