Chore/k8s network policy demo #2857

Merged
mfreeman451 merged 3 commits from refs/pull/2857/head into staging 2026-02-05 06:53:59 +00:00
mfreeman451 commented 2026-02-05 06:51:50 +00:00 (Migrated from github.com)
Owner

Imported from GitHub pull request.

Original GitHub pull request: #2710
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/2710
Original created: 2026-02-05T06:51:50Z
Original updated: 2026-02-05T06:54:28Z
Original head: carverauto/serviceradar:chore/k8s-network-policy-demo
Original base: staging
Original merged: 2026-02-05T06:53:59Z by @mfreeman451

User description

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Code checklist before requesting a review

  • I have signed the DCO?
  • The build completes without errors?
  • All tests are passing when running make test?

PR Type

Enhancement


Description

  • Add optional Kubernetes NetworkPolicy for egress controls with configurable allow lists

  • Add optional Calico NetworkPolicy for deny logging and enforcement

  • Enable network policies in demo values with sensible defaults

  • Document new networkPolicy Helm chart values and configuration options


Diagram Walkthrough

flowchart LR
  HelmValues["Helm Values<br/>networkPolicy config"]
  K8sTemplate["K8s NetworkPolicy<br/>Template"]
  CalicoTemplate["Calico NetworkPolicy<br/>Template"]
  DemoValues["Demo Values<br/>Enable policies"]
  Spec["OpenSpec<br/>Requirements"]
  
  HelmValues -- "egress allow rules" --> K8sTemplate
  HelmValues -- "egress allow rules" --> CalicoTemplate
  DemoValues -- "enable & configure" --> K8sTemplate
  DemoValues -- "enable & configure" --> CalicoTemplate
  K8sTemplate -- "enforces" --> Spec
  CalicoTemplate -- "logs & enforces" --> Spec

File Walkthrough

Documentation (6 files)
  • README.md: Document networkPolicy Helm configuration options (+10/-0)
  • proposal.md: Document network policy change proposal (+13/-0)
  • design.md: Document network policy design decisions (+27/-0)
  • spec.md: Define kubernetes-network-policy requirements (+33/-0)
  • tasks.md: Track network policy implementation tasks (+8/-0)
  • spec.md: Archive kubernetes-network-policy specification (+38/-0)

Enhancement (2 files)
  • network-policy.yaml: Add Kubernetes NetworkPolicy egress template (+84/-0)
  • calico-network-policy.yaml: Add Calico NetworkPolicy deny logging template (+85/-0)

Configuration changes (2 files)
  • values.yaml: Add networkPolicy configuration values (+16/-0)
  • values-demo.yaml: Enable network policies in demo environment (+13/-0)

qodo-code-review[bot] commented 2026-02-05 06:52:30 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2710#issuecomment-3851401082
Original created: 2026-02-05T06:52:30Z


PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢 No security concerns identified: No security vulnerabilities detected by AI analysis. Human verification advised for critical code.

Ticket Compliance
⚪ 🎫 No ticket provided (create ticket/issue)

Codebase Duplication Compliance
⚪ Codebase context is not defined. Follow the guide to enable codebase context checks.

Custom Compliance

🟢 Generic: Comprehensive Audit Trails
Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance.
Status: Passed

🟢 Generic: Meaningful Naming and Self-Documenting Code
Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting.
Status: Passed

🟢 Generic: Robust Error Handling and Edge Case Management
Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation.
Status: Passed

🟢 Generic: Secure Error Handling
Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging.
Status: Passed

⚪ Generic: Secure Logging Practices
Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data.
Status: Requires further human verification.
Deny logging exposure: The Calico policy enables Log on denied egress which may emit potentially sensitive network metadata (destinations/ports) depending on cluster logging configuration and should be reviewed for data exposure and retention.

Referred Code (calico-network-policy.yaml, lines 83-84):
- action: Log
- action: Deny

⚪ Generic: Security-First Input Validation and Data Handling
Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities.
Status: Requires further human verification.
Unvalidated CIDR input: User-provided Helm values (e.g., networkPolicy.egress.allowedCIDRs and optional networkPolicy.podSelector) are rendered without validation, so malformed or overly broad inputs could weaken egress restrictions or cause deploy-time failures.

Referred Code (network-policy.yaml, lines 26-80):
{{- $podSelector := dict "matchLabels" (dict "app.kubernetes.io/part-of" "serviceradar") -}}
{{- if $np.podSelectorMatchAll -}}
  {{- $podSelector = dict -}}
{{- else if hasKey $np "podSelector" -}}
  {{- $podSelector = $np.podSelector -}}
{{- end -}}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ include "serviceradar.fullname" . }}-egress
  labels:
    app.kubernetes.io/part-of: serviceradar
spec:
  podSelector:
{{- toYaml $podSelector | nindent 4 }}
  policyTypes:
    - Egress
  egress:
{{- if or $allowDNS $allowKubeAPI $allowDefaultNs $allowSameNs $hasCIDRs $hasKubeAPICIDRs }}
{{- if $allowDNS }}
 ... (clipped 34 lines)

Learn more about managing compliance generic rules or creating your own custom rules.

Compliance status legend:
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
qodo-code-review[bot] commented 2026-02-05 06:54:28 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2710#issuecomment-3851407005
Original created: 2026-02-05T06:54:28Z


PR Code Suggestions

Explore these optional code suggestions:

Category: Possible issue
Only render rules with real CIDRs

In the egress rule condition, replace $allowKubeAPI with $hasKubeAPICIDRs to
prevent rendering an empty block if no API server CIDRs are found.

helm/serviceradar/templates/network-policy.yaml [45]

-{{- if or $allowDNS $allowKubeAPI $allowDefaultNs $allowSameNs $hasCIDRs $hasKubeAPICIDRs }}
+{{- if or $allowDNS $hasKubeAPICIDRs $allowDefaultNs $allowSameNs $hasCIDRs }}
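Review bot: swapping `$allowKubeAPI` for `$hasKubeAPICIDRs` in the `or` on line 45 removes the empty-block symptom but keeps the underlying failure silent. `$hasKubeAPICIDRs` is derived from the `lookup` calls on lines 10-25 of network-policy.yaml, and `lookup` returns empty results under `helm template` and client-side `--dry-run`, so a chart rendered offline with the kube-API allow flag set simply omits the API-server rule, and once applied the policy denies egress to the API server while the values say it is allowed. Consider failing the render when `$allowKubeAPI` is true and `$kubeAPICIDRs` is empty (for example `{{- if and $allowKubeAPI (not $hasKubeAPICIDRs) }}{{ fail "could not discover API server CIDRs; supply them explicitly" }}{{ end }}`), or fall back to a user-supplied CIDR list, so the policy can never quietly become stricter than configured.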
Suggestion importance [1-10]: 8. Why: This change correctly identifies and fixes a potential template rendering error where an empty egress block could be generated, leading to an invalid Kubernetes manifest.

Impact: Medium

Category: High-level
Consolidate duplicated Helm template logic

Refactor the duplicated logic for generating egress allow-lists from the new
Kubernetes and Calico network policy templates into a shared Helm helper
template. This will improve maintainability and reduce the risk of future
inconsistencies.

Examples:

helm/serviceradar/templates/calico-network-policy.yaml [11-26]
{{- $kubeAPICIDRs := list -}}
{{- if $allowKubeAPI -}}
  {{- $kubeSvc := (lookup "v1" "Service" "default" "kubernetes") -}}
  {{- if and $kubeSvc $kubeSvc.spec.clusterIP -}}
    {{- $kubeAPICIDRs = append $kubeAPICIDRs (printf "%s/32" $kubeSvc.spec.clusterIP) -}}
  {{- end -}}
  {{- $kubeEps := (lookup "v1" "Endpoints" "default" "kubernetes") -}}
  {{- if $kubeEps -}}
    {{- range $subset := $kubeEps.subsets -}}
      {{- range $addr := $subset.addresses -}}

 ... (clipped 6 lines)
helm/serviceradar/templates/network-policy.yaml [10-25]
{{- $kubeAPICIDRs := list -}}
{{- if $allowKubeAPI -}}
  {{- $kubeSvc := (lookup "v1" "Service" "default" "kubernetes") -}}
  {{- if and $kubeSvc $kubeSvc.spec.clusterIP -}}
    {{- $kubeAPICIDRs = append $kubeAPICIDRs (printf "%s/32" $kubeSvc.spec.clusterIP) -}}
  {{- end -}}
  {{- $kubeEps := (lookup "v1" "Endpoints" "default" "kubernetes") -}}
  {{- if $kubeEps -}}
    {{- range $subset := $kubeEps.subsets -}}
      {{- range $addr := $subset.addresses -}}

 ... (clipped 6 lines)

Solution Walkthrough:

Before:

# In helm/serviceradar/templates/calico-network-policy.yaml
{{- $kubeAPICIDRs := list -}}
{{- if $allowKubeAPI -}}
  {{- $kubeSvc := (lookup "v1" "Service" "default" "kubernetes") -}}
  {{- if and $kubeSvc $kubeSvc.spec.clusterIP -}}
    {{- $kubeAPICIDRs = append $kubeAPICIDRs (printf "%s/32" $kubeSvc.spec.clusterIP) -}}
  {{- end -}}
  {{- $kubeEps := (lookup "v1" "Endpoints" "default" "kubernetes") -}}
  ... (loop over endpoints and append to $kubeAPICIDRs)
{{- end -}}

# In helm/serviceradar/templates/network-policy.yaml
{{- $kubeAPICIDRs := list -}}
{{- if $allowKubeAPI -}}
  {{- $kubeSvc := (lookup "v1" "Service" "default" "kubernetes") -}}
  {{- if and $kubeSvc $kubeSvc.spec.clusterIP -}}
    {{- $kubeAPICIDRs = append $kubeAPICIDRs (printf "%s/32" $kubeSvc.spec.clusterIP) -}}
  {{- end -}}
  {{- $kubeEps := (lookup "v1" "Endpoints" "default" "kubernetes") -}}
  ... (loop over endpoints and append to $kubeAPICIDRs)
{{- end -}}

After:

# In a new file, e.g., helm/serviceradar/templates/_helpers.tpl
{{- define "serviceradar.networkpolicy.kubeAPICIDRs" -}}
{{- $kubeAPICIDRs := list -}}
{{- $kubeSvc := (lookup "v1" "Service" "default" "kubernetes") -}}
{{- if and $kubeSvc $kubeSvc.spec.clusterIP -}}
  {{- $kubeAPICIDRs = append $kubeAPICIDRs (printf "%s/32" $kubeSvc.spec.clusterIP) -}}
{{- end -}}
{{- $kubeEps := (lookup "v1" "Endpoints" "default" "kubernetes") -}}
... (loop over endpoints and append to $kubeAPICIDRs)
{{- range $cidr := $kubeAPICIDRs -}}
- {{ . | quote }}
{{- end -}}
{{- end -}}

# In both calico-network-policy.yaml and network-policy.yaml
{{- if and $allowKubeAPI $hasKubeAPICIDRs }}
  ...
  {{- include "serviceradar.networkpolicy.kubeAPICIDRs" . | nindent <indent> }}
  ...
{{- end }}

Suggestion importance [1-10]: 7. Why: The suggestion correctly identifies significant code duplication in the Helm templating logic for Kube API server discovery between the new calico-network-policy.yaml and network-policy.yaml files, which improves long-term maintainability and reduces the risk of configuration drift.

Impact: Medium

Category: General
Guard Calico policy on networkPolicy.enabled

Ensure the Calico policy is only rendered when both networkPolicy.enabled and
networkPolicy.calicoLogDenied.enabled are true to avoid creating an orphaned
policy.

helm/serviceradar/templates/calico-network-policy.yaml [1-3]

 {{- $np := default (dict) .Values.networkPolicy -}}
 {{- $calico := default (dict) $np.calicoLogDenied -}}
-{{- if $calico.enabled -}}
+{{- if and $np.enabled $calico.enabled -}}
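Review bot: the `and` guard is right, but silently rendering nothing when `networkPolicy.calicoLogDenied.enabled` is set without `networkPolicy.enabled` hides a misconfiguration that an operator only notices when the deny logs they expected never appear. Consider failing loudly ahead of the guard, e.g. `{{- if and $calico.enabled (not $np.enabled) }}{{ fail "networkPolicy.calicoLogDenied requires networkPolicy.enabled" }}{{ end }}`, so the install stops with a clear message instead of dropping the policy. Since both `$np` and `$calico` are defaulted to `(dict)` on lines 1-2, a missing key evaluates to nil and the `and` expression is safe when the whole `networkPolicy` block is absent from the values.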
Suggestion importance [1-10]: 7. Why: The suggestion correctly prevents the Calico policy from being rendered when the main network policy feature is disabled, improving the chart's logical consistency.

Impact: Medium

Use a more robust selector

To allow egress to the same namespace, replace the namespaceSelector with an
empty podSelector: {}, which selects all pods in the current namespace.

helm/serviceradar/templates/network-policy.yaml [70-75]

 {{- if $allowSameNs }}
     - to:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: {{ .Release.Namespace | quote }}
+        - podSelector: {}
 {{- end }}
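Review bot: both forms select every pod in the release namespace, so the change is a style choice rather than a robustness fix; `kubernetes.io/metadata.name` has been set automatically on every namespace since Kubernetes 1.22, when the NamespaceDefaultLabelName feature became GA. Whichever form stays, the values documentation should say that this rule allows egress to any pod in the namespace, not only those matching the `app.kubernetes.io/part-of: serviceradar` selector, since that is the broadest rule in the policy after the CIDR allow list.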
Suggestion importance [1-10]: 2. Why: The suggestion's premise that the kubernetes.io/metadata.name label is not guaranteed on namespaces is incorrect, making the proposed change a stylistic preference rather than a required robustness fix.

Impact: Low
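Two findings in the comments above point at the same gap between what the chart renders and what the cluster ends up enforcing: the compliance check notes that `networkPolicy.egress.allowedCIDRs` is rendered without validation, and the "Only render rules with real CIDRs" suggestion hinges on `$hasKubeAPICIDRs`, which comes from `lookup` calls that return nothing when the chart is rendered offline with `helm template`. The script below is an added example, not part of the ServiceRadar chart or of the Qodo output: a pre-apply audit that takes the parsed form of a rendered NetworkPolicy (two constructed manifests stand in for `yaml.safe_load` output), validates every `ipBlock` CIDR with the standard-library `ipaddress` module, and checks that at least one rule still covers the API server address. The `/16` breadth threshold, the sample manifests and the `10.96.0.1` API-server address are assumptions made for the demonstration.

```python
"""Audit a rendered Kubernetes NetworkPolicy before it is applied (added example)."""
from __future__ import annotations

import ipaddress

# Assumed review threshold (not a ServiceRadar setting): an IPv4 allow-list
# entry broader than this prefix length is flagged for a second look.
WIDEST_PREFIX = 16

# Constructed sample: parsed form of an egress policy rendered WITH cluster
# access (lookup succeeded), deliberately carrying two bad allow-list entries.
RENDERED_WITH_LOOKUP = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "serviceradar-egress"},
    "spec": {
        "podSelector": {"matchLabels": {"app.kubernetes.io/part-of": "serviceradar"}},
        "policyTypes": ["Egress"],
        "egress": [
            {"to": [{"ipBlock": {"cidr": "10.96.0.1/32"}}],  # assumed API server ClusterIP
             "ports": [{"protocol": "TCP", "port": 443}]},
            {"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]},      # overly broad value
            {"to": [{"ipBlock": {"cidr": "10.0.0.300/24"}}]},  # malformed value
        ],
    },
}

# Constructed sample: the same chart rendered offline (`helm template`, no cluster),
# so the lookup-based API-server rule is absent and only DNS egress is allowed.
RENDERED_OFFLINE = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "serviceradar-egress"},
    "spec": {
        "podSelector": {"matchLabels": {"app.kubernetes.io/part-of": "serviceradar"}},
        "policyTypes": ["Egress"],
        "egress": [
            {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                     "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
             "ports": [{"protocol": "UDP", "port": 53}]},
        ],
    },
}


def validate_cidr(cidr: str, widest_prefix: int = WIDEST_PREFIX) -> list[str]:
    """Findings for one allow-list entry; an empty list means it is acceptable."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits set is an error
    except ValueError as exc:
        return [f"malformed CIDR {cidr!r}: {exc}"]
    if net.prefixlen == 0:
        return [f"{cidr} allows every destination and removes the egress restriction"]
    if net.version == 4 and net.prefixlen < widest_prefix:
        return [f"{cidr} is broader than /{widest_prefix}; confirm the range is intended"]
    return []


def audit_egress_policy(policy: dict, kube_api_ip: str | None = None,
                        widest_prefix: int = WIDEST_PREFIX) -> list[str]:
    """Return human-readable findings for a parsed NetworkPolicy (empty list = clean).

    kube_api_ip is the API server address the policy is expected to allow; pass it
    whenever the chart's lookup-based discovery must have produced a rule.
    """
    spec = policy.get("spec") or {}
    findings: list[str] = []
    if "Egress" not in (spec.get("policyTypes") or []):
        return ["policyTypes lacks Egress: this policy does not restrict egress at all"]
    if spec.get("podSelector") == {}:
        findings.append("podSelector is {}: the policy applies to every pod in the namespace")
    rules = spec.get("egress") or []
    if not rules:
        findings.append("no egress rules: all egress from the selected pods is denied")
    api = ipaddress.ip_address(kube_api_ip) if kube_api_ip else None
    api_covered = False
    for i, rule in enumerate(rules):
        peers = rule.get("to") or []
        if not peers:  # an egress rule without 'to' allows every destination
            findings.append(f"egress[{i}] has no 'to' peers: it allows every destination")
            continue
        for peer in peers:
            block = peer.get("ipBlock")
            if block is None:
                continue  # pod/namespace selectors carry no CIDR to validate
            cidr = block.get("cidr", "")
            findings.extend(f"egress[{i}]: {f}" for f in validate_cidr(cidr, widest_prefix))
            if api is not None:
                try:
                    net = ipaddress.ip_network(cidr, strict=False)
                except ValueError:
                    continue
                excluded = [ipaddress.ip_network(e, strict=False) for e in block.get("except", [])]
                if api in net and not any(api in ex for ex in excluded):
                    api_covered = True
    if api is not None and not api_covered:
        findings.append(f"no ipBlock covers the API server {kube_api_ip}: "
                        "API-server egress would be denied (typical of an offline render)")
    return findings


if __name__ == "__main__":
    for name, doc in (("rendered with lookup", RENDERED_WITH_LOOKUP), ("rendered offline", RENDERED_OFFLINE)):
        print(f"== {name} ==")
        for line in audit_egress_policy(doc, kube_api_ip="10.96.0.1"):
            print(" -", line)
```

In a pipeline this runs over the documents from `helm template` (parsed with `yaml.safe_load_all`) before `helm upgrade`, failing the job when the findings list is non-empty; rendering with `--dry-run=server`, where the Helm version supports it, lets `lookup` reach the cluster and avoids the offline false negative the second sample reproduces.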