
feat: Add NetworkPolicy for flightdeck component #68

Merged
ian-flores merged 1 commit into main from add-flightdeck-network-policy
Feb 4, 2026

@ian-flores
Collaborator

Summary

Add flightdeck to the list of components that get NetworkPolicies created by the site controller.

Previously, flightdeck was the only component without a NetworkPolicy, which caused issues in environments with default-deny network policies.

Changes

  • Add DefaultPortFlightdeckHTTP constant (8080)
  • Add reconcileFlightdeckNetworkPolicy() function
  • Add flightdeck to cleanup function
  • Policy allows ingress from traefik/alloy on port 8080, egress to all

Test plan

  • Deploy to test cluster
  • Verify NetworkPolicy is created for flightdeck
  • Verify flightdeck UI accessible through traefik

Add flightdeck to the list of components that get NetworkPolicies
created by the site controller. This ensures flightdeck has consistent
network isolation like other components (connect, workbench, home, etc).

The policy allows:
- Ingress from traefik namespace on port 8080 (web traffic)
- Ingress from alloy namespace on port 8080 (metrics)
- Egress to all destinations (same as other components)
@claude

claude bot commented Feb 4, 2026

Claude finished @ian-flores's task


Review Complete

  • Read review guidelines
  • Create pending review
  • Get diff and analyze changes
  • Add inline review comments (submitted as general review - inline comments not permitted)
  • Submit review

Submitted a non-blocking review with feedback on the implementation. The PR follows established patterns well - main verification items are around label matching during testing.

@ian-flores ian-flores marked this pull request as ready for review February 4, 2026 02:00
@ian-flores ian-flores changed the title Add NetworkPolicy for flightdeck component feat: Add NetworkPolicy for flightdeck component Feb 4, 2026

@claude claude bot left a comment

Review Summary

The implementation follows established patterns and addresses a real gap - flightdeck was the only component without a NetworkPolicy.

What looks good

  • Follows existing patterns: The reconcileFlightdeckNetworkPolicy function mirrors the structure of reconcileHomeNetworkPolicy - using KubernetesInstanceLabelKey for pod selection and allowing all egress with restricted ingress.
  • Cleanup properly handled: flightdeck added to the cleanup list in alphabetical order.
  • Port constant: DefaultPortFlightdeckHTTP (8080) added correctly in tcpport.go.
  • Correct reconciliation order: The flightdeck reconcile call is placed at the end of the chain, which is fine.

Items to verify during testing

  1. Label matching (site_controller_networkpolicies.go:746-749): The pod selector uses KubernetesInstanceLabelKey (app.kubernetes.io/instance). Verify the flightdeck deployment has this label set to <site-name>-flightdeck. Some components use ComponentLabelKey instead (like workbench-session), so confirm this matches how flightdeck pods are labeled.

  2. All-egress policy (site_controller_networkpolicies.go:755-757): The empty egress rule {} allows all egress, which matches home and packagemanager. This seems appropriate for a dashboard component, but worth confirming flightdeck doesn't need more restricted egress.

Minor observations

  • No unit tests added, but I notice there are no existing unit tests for other network policy reconcilers either, so this is consistent with the current test coverage.

Overall, this is a clean, well-structured addition that follows existing conventions.
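
An added example (not the operator's code and not part of the review above) that models the two checks discussed in this PR: whether the policy's pod selector matches the flightdeck pod labels, and which ingress the policy admits. The type and function names, the site name `demo` and the sample pod labels are assumptions; the label key, the namespaces and the port come from the PR text.

```go
package main

import "fmt"

// Policy models only the NetworkPolicy fields this PR describes.
type Policy struct {
	PodSelector map[string]string // matchLabels on the protected pods
	FromNS      []string          // namespaces allowed to connect
	Port        int               // the single allowed TCP port
}

// FlightdeckPolicy builds the policy as the PR summary describes it.
func FlightdeckPolicy(site string) Policy {
	return Policy{
		PodSelector: map[string]string{"app.kubernetes.io/instance": site + "-flightdeck"},
		FromNS:      []string{"traefik", "alloy"},
		Port:        8080,
	}
}

// selects reports whether every matchLabels pair is present on the pod.
func selects(sel, labels map[string]string) bool {
	for k, want := range sel {
		if got, ok := labels[k]; !ok || got != want {
			return false
		}
	}
	return true
}

// Verdict returns "unselected" when the policy does not apply to the pod
// (other policies, such as a default-deny, then decide), otherwise whether
// this policy admits the connection.
func Verdict(p Policy, podLabels map[string]string, srcNS string, port int) string {
	if !selects(p.PodSelector, podLabels) {
		return "unselected"
	}
	for _, ns := range p.FromNS {
		if ns == srcNS && port == p.Port {
			return "allowed"
		}
	}
	return "not allowed"
}

func main() {
	p := FlightdeckPolicy("demo") // "demo" is a constructed site name
	good := map[string]string{"app.kubernetes.io/instance": "demo-flightdeck"}
	bad := map[string]string{"app.kubernetes.io/component": "flightdeck"} // constructed mismatch
	fmt.Println(Verdict(p, good, "traefik", 8080), Verdict(p, good, "default", 8080), Verdict(p, bad, "traefik", 8080))
}
```

This models one policy in isolation; in a cluster NetworkPolicies are additive, so another policy selecting the same pods can admit more traffic.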

@ian-flores ian-flores merged commit fbdf600 into main Feb 4, 2026
3 checks passed
@ian-flores ian-flores deleted the add-flightdeck-network-policy branch February 4, 2026 17:59
ian-flores pushed a commit that referenced this pull request Feb 4, 2026
# [1.6.0](v1.5.0...v1.6.0) (2026-02-04)

### Features

* Add NetworkPolicy for flightdeck component ([#68](#68)) ([fbdf600](fbdf600))