From 4c423768d6b927eb4789c75d9fedfe1c15266844 Mon Sep 17 00:00:00 2001
From: Pavel Tishkov
Date: Sat, 16 May 2026 14:22:36 +0300
Subject: [PATCH] fix(vd): allow ingress from virtualization namespace to importer pods

When a namespace has a restrictive NetworkPolicy (e.g. project isolation), the CDI controller from d8-virtualization cannot reach importer pods to fetch progress metrics via HTTP. As a result, DataVolume.Status.Progress stays N/A and VirtualDisk shows no intermediate progress. Add an Ingress rule to the NetworkPolicy created for importer/DVCR pods, allowing incoming traffic from the namespace labeled module=virtualization. This enables the CDI controller to scrape progress metrics from importer pods even in isolated namespaces.

Signed-off-by: Pavel Tishkov
---
 .../pkg/common/network_policy/network_policy.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/images/virtualization-artifact/pkg/common/network_policy/network_policy.go b/images/virtualization-artifact/pkg/common/network_policy/network_policy.go
index 43834c7318..702df20d24 100644
--- a/images/virtualization-artifact/pkg/common/network_policy/network_policy.go
+++ b/images/virtualization-artifact/pkg/common/network_policy/network_policy.go
@@ -52,8 +52,21 @@ func CreateNetworkPolicy(ctx context.Context, c client.Client, obj metav1.Object
 },
 },
 },
+ Ingress: []netv1.NetworkPolicyIngressRule{
+ {
+ From: []netv1.NetworkPolicyPeer{
+ {
+ NamespaceSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "module": "virtualization",
+ },
+ },
+ },
+ },
+ },
+ },
 Egress: []netv1.NetworkPolicyEgressRule{{}},
- PolicyTypes: []netv1.PolicyType{netv1.PolicyTypeEgress},
+ PolicyTypes: []netv1.PolicyType{netv1.PolicyTypeIngress, netv1.PolicyTypeEgress},
 },
 }
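Review bot: The new ingress peer admits every pod in any namespace labelled `module=virtualization`, on every port, which is wider than the CDI controller's HTTP progress scrape that the description gives as the reason for the rule. Namespace labels can be changed by whoever may edit a namespace, so unless admission control reserves that label, it is safer to select on `kubernetes.io/metadata.name` (assuming `d8-virtualization` in the description is the namespace name) and to add a `PodSelector` for the controller and a `Ports` entry for the metrics port; the sketch below uses placeholders for the pod labels and the port, which the hunk does not show. Adding `PolicyTypeIngress` also makes the selected pods ingress-isolated wherever this policy exists, so any other client that reached them in a namespace without its own policy would now be dropped, which is worth confirming. `CreateNetworkPolicy` begins and ends outside the hunk, so its pod selector and callers were not visible.

```go
Ingress: []netv1.NetworkPolicyIngressRule{
	{
		From: []netv1.NetworkPolicyPeer{
			{
				NamespaceSelector: &metav1.LabelSelector{
					MatchLabels: map[string]string{
						// Set by the API server from the namespace name, so relabelling
						// another namespace cannot make it match.
						"kubernetes.io/metadata.name": "d8-virtualization",
					},
				},
				// Placeholder selector: substitute the CDI controller's real pod labels.
				PodSelector: &metav1.LabelSelector{
					MatchLabels: map[string]string{"<CDI_CONTROLLER_LABEL_KEY>": "<CDI_CONTROLLER_LABEL_VALUE>"},
				},
			},
		},
		// Placeholders: protoTCP and importerMetricsPort stand for the protocol and
		// the importer's metrics port; neither is defined in the hunk.
		Ports: []netv1.NetworkPolicyPort{
			{Protocol: &protoTCP, Port: &importerMetricsPort},
		},
	},
},
// … unchanged: Egress and PolicyTypes …
```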