Add Calico Ingress Gateway to calico system networkpolicy#4581
Draft
alexh-tigera wants to merge 4 commits intotigera:masterfrom
Draft
Add Calico Ingress Gateway to calico system networkpolicy#4581alexh-tigera wants to merge 4 commits intotigera:masterfrom
alexh-tigera wants to merge 4 commits intotigera:masterfrom
Conversation
nelljerram
requested changes
Apr 14, 2026
Member
nelljerram
left a comment
nelljerram
left a comment
There was a problem hiding this comment.
Looking good, except
- I don't think operator should unconditionally install default-deny policy for tigera-gateway namespace
- I do think we should have an FV test that does that, and then checks CIG can be successfully deployed.
| objs = append(objs, | ||
| pr.gatewayCertgenAllowTigeraPolicy(), | ||
| pr.gatewayControllerAllowTigeraPolicy(), | ||
| networkpolicy.CalicoSystemDefaultDeny(common.TigeraGatewayNamespace), |
Member
There was a problem hiding this comment.
I don't think the operator should unconditionally install this default deny, right? Were you only doing this for testing? Instead I think we should have an FV test that applies the default-deny policy and then verifies that CIG can still be successfully deployed.
Member
Author
There was a problem hiding this comment.
Yes, I missed that after removing the other changes I made. While doing that I also realized that it needs a watch for the network policies, so I've fix the default deny and added the watches in 48a0ab8.
Where do FV tests like that live? I see some similar things in Nevermind, I thought that the felix/fv/ ?test/ dir was unit tests in this repo.
Member
There was a problem hiding this comment.
Yes, that's the one, test/*.go in this repo. Also see the fv target in the Makefile.
Member
There was a problem hiding this comment.
Please do LMK when the PR is ready for another review.
Member
Author
There was a problem hiding this comment.
Ok, it took me a while to understand how to implement the FV, but I'm happy with it now. Please have a look.
alexh-tigera
force-pushed
the
ev-6476-add-gateway-to-calico-system-networkpolicy
branch
9 times, most recently
from
2f7336c to
35a7a8f
Compare
The certgen job in the tigera-gateway namespace needs DNS and kube-apiserver egress to create TLS secrets. Under a global default-deny policy, this traffic is blocked causing the job to fail with i/o timeout reaching the API server. Add a NetworkPolicy in the calico-system tier that allows the certgen pods (app == 'certgen') DNS and kube-apiserver egress, plus a default-deny policy for the tigera-gateway namespace, matching the pattern used by other components. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The envoy-gateway controller needs DNS and kube-apiserver egress to function. Under a global default-deny policy, the controller fails with i/o timeout reaching the API server. Add a NetworkPolicy in the calico-system tier that allows the controller pods (k8s-app == 'gateway-api-controller') DNS egress, kube-apiserver egress, and ingress on its serving ports (xDS gRPC, ratelimit, wasm, metrics, webhook). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add WaitToAddTierWatch and WaitToAddNetworkPolicyWatches for the gateway controller's allow policies, matching the pattern used by other controllers. Add tier existence check during reconciliation. Remove the namespace-scoped default deny from tigera-gateway because Gateway resources dynamically create Envoy proxy pods whose traffic patterns are determined by the customer's Gateway and HTTPRoute configuration. Keep the controller-access and certgen-access allow policies so control plane pods still function under a customer's global default deny. Add FV test verifying the allow policies are created. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Covers the scenario the calico-system tier allow policies were added to support: a default-tier v3 NetworkPolicy with selector all() is applied to tigera-gateway, then a GatewayAPI CR is created. The test asserts the envoy-gateway-certgen Job reaches Succeeded and the envoy-gateway Deployment becomes Ready despite the default-deny, which is only possible if gateway-api-certgen-access and gateway-api-controller-access in the higher-precedence calico-system tier correctly permit the traffic those workloads need. Also exercises the v3.NetworkPolicy watch by deleting each allow policy and asserting it's re-created, guarding against regressions in WaitToAddNetworkPolicyWatches. Adds calico/envoy-gateway to the FV kind cluster image load list so the gateway Deployment's image is available. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
alexh-tigera
force-pushed
the
ev-6476-add-gateway-to-calico-system-networkpolicy
branch
from
5dbd768 to
cba4016
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Fixed an issue where the Calico Ingress Gateway failed to deploy when the recommended default deny policy was applied.
This adds:
Release Note
For PR author
make gen-files~~make gen-versions~~For PR reviewers
A note for code reviewers - all pull requests must have the following:
kind/bugif this is a bugfix.kind/enhancementif this is a a new feature.enterpriseif this PR applies to Calico Enterprise only.