apply labels and required network policies

kwiatekus · kwiatekus · commit 5ea71e8e8ac3 · 2025-04-03T08:15:29.000+02:00
diff --git a/config/buildless-serverless/templates/deployment.yaml b/config/buildless-serverless/templates/deployment.yaml
@@ -21,6 +21,7 @@ spec:
       labels:
         control-plane: controller-manager
         networking.kyma-project.io/to-apiserver: allowed
+        networking.kyma-project.io/from-serverless: allowed
     spec:
       containers:
         - args:
diff --git a/config/serverless/templates/egress-network-policy.yaml b/config/serverless/templates/egress-network-policy.yaml
@@ -2,12 +2,12 @@ kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
   namespace: {{ .Release.Namespace }}
-  name: {{ template "fullname" . }}.kyma-project.io--allow-all-egress
+  name: {{ template "fullname" . }}.kyma-project.io--allow-all-egress-from-controllers
 spec:
   podSelector:
     matchLabels:
       kyma-project.io/module: serverless
-      app.kubernetes.io/name: serverless
+      networking.kyma-project.io/from-serverless: allowed
   policyTypes:
   - Egress
   egress:
diff --git a/config/serverless/templates/ingress-network-policy.yaml b/config/serverless/templates/ingress-network-policy.yaml
@@ -12,9 +12,9 @@ spec:
   - Ingress
   ingress:
   - from:
-    - podSelector:
-        matchLabels:
-          serverless.kyma-project.io/managed-by: function-controller
-  - ports:
+    # - podSelector:
+    #     matchLabels:
+    #       serverless.kyma-project.io/managed-by: function-controller
+    ports:
     - protocol: TCP
       port: {{ .Values.global.registryServicePort }}
diff --git a/config/serverless/values.yaml b/config/serverless/values.yaml
@@ -131,6 +131,7 @@ deployment:
 pod:
   labels: 
     networking.kyma-project.io/to-apiserver: allowed
+    networking.kyma-project.io/from-serverless: allowed
   annotations:
     sidecar.istio.io/inject: "false"
     prometheus.io/scrape: "false"
diff --git a/tests/serverless/internal/resources/runtimes/python.go b/tests/serverless/internal/resources/runtimes/python.go
@@ -153,6 +153,9 @@ def main(event, context):
 			},
 		},
 		Env: []v1.EnvVar{},
+		Labels: map[string]string{
+			"app.kubernetes.io/name": "eventing-publisher-proxy",
+		},
 		ResourceConfiguration: &serverlessv1alpha2.ResourceConfiguration{
 			Function: &serverlessv1alpha2.ResourceRequirements{
 				Profile: "L",
diff --git a/tests/serverless/internal/testsuite/cloud_events.go b/tests/serverless/internal/testsuite/cloud_events.go
@@ -79,3 +79,33 @@ func FunctionCloudEventsTest(restConfig *rest.Config, cfg internal.Config, logf
 		),
 	), nil
 }
+
+// Define those as part of this test:
+
+// kind: NetworkPolicy
+// apiVersion: networking.k8s.io/v1
+// metadata:
+//   namespace: kyma-system
+//   name: temp1
+// spec:
+//   podSelector:
+//     matchLabels:
+//       serverless.kyma-project.io/managed-by: function-controller
+//   policyTypes:
+//   - Egress
+//   egress:
+//   - {}
+// ---
+// apiVersion: networking.k8s.io/v1
+// kind: NetworkPolicy
+// metadata:
+//   namespace: kyma-system
+//   name: temp2
+// spec:
+//   podSelector:
+//     matchLabels:
+//       app.kubernetes.io/name: eventing-publisher-proxy
+//   policyTypes:
+//   - Ingress
+//   ingress:
+//   - {}
