Install of operator isn't possible, because of a wrong configured network policy #3669

@Mezzenine

Bug Report

What did you do?
After updating OLM to the current version (0.34.0), I want to install the OpenTelemetry operator in an Azure Kubernetes cluster.

What did you expect to see?
The running OpenTelemetry operator.

What did you see instead? Under which circumstances?
Every time I apply the yaml file with the subscription for the OpenTelemetry operator, I get a failed unpack job.

The console output of the job execution shows the following error:

'/bin/cpb' -> '/util/cpb'
skipping a dir without errors: / 
skipping a dir without errors: /bundle 
skipping all files in the dir: /dev 
skipping a dir without errors: /etc 
skipping a dir without errors: /manifests 
skipping a dir without errors: /metadata 
skipping all files in the dir: /proc 
skipping all files in the dir: /sys 
skipping a dir without errors: /tests 
skipping a dir without errors: /tests/scorecard 
skipping a dir without errors: /util 
skipping a dir without errors: /var 
skipping a dir without errors: /var/run 
skipping a dir without errors: /var/run/secrets 
skipping a dir without errors: /var/run/secrets/kubernetes.io 
skipping a dir without errors: /var/run/secrets/kubernetes.io/serviceaccount 
skipping a dir without errors: /var/run/secrets/kubernetes.io/serviceaccount/..2025_10_09_08_42_00.1318974113 
&{metadata/annotations.yaml manifests/}
time="2025-10-09T08:42:03Z" level=info msg="Using in-cluster kube client config"
Error: error loading manifests from directory: Get "https://192.168.0.1:443/api/v1/namespaces/olm/configmaps/d7b9ca0797f021fab94e0f7ef2ccef226f8ef73c26fd128de4b6799f0cc88f4": dial tcp 192.168.0.1:443: i/o timeout
Usage:
  opm alpha bundle extract [flags]

Flags:
  -c, --configmapname string   name of configmap to write bundle data
  -l, --datalimit uint         maximum limit in bytes for total bundle data (default 1048576)
      --debug                  enable debug logging
  -z, --gzip                   enable gzip compression of configmap data
  -h, --help                   help for extract
  -k, --kubeconfig string      absolute path to kubeconfig file
  -m, --manifestsdir string    path to directory containing manifests (default "/")
  -n, --namespace string       namespace to write configmap data (default "openshift-operator-lifecycle-manager")

Global Flags:
      --skip-tls-verify   skip TLS certificate verification for container image registries while pulling bundles
      --use-http          use plain HTTP for container image registries while pulling bundles

As you can see in the log, the opm tool attempts to connect via port 443 to kubeapi. This port is currently not allowed in the network policy.
The port couldn't be changed because the creation of the network policy is done by the operator.
See:

The other question is, why are all ports hardcoded and not configurable?
See also:

This behavior makes OLM in the current version totally useless.

Environment

  • operator-lifecycle-manager version: 0.34.0
  • Kubernetes version information: 1.32.4
  • Kubernetes cluster kind: Azure Kubernetes Service

Possible Solution
Add ports 443 and 6443 to the network policy

Labels: kind/bug (Categorizes issue or PR as related to a bug.)
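Added example, not part of the original issue and not OLM's code: a small evaluator for NetworkPolicy egress rules that shows why a connection to 192.168.0.1:443 times out when the allow-list lacks that port, and that adding it (the issue's proposed fix) permits the connection. `SAMPLE_POLICY` is a constructed stand-in, not the policy OLM actually creates, and all function names are hypothetical.

```python
import copy
import ipaddress

# Constructed sample, NOT the policy OLM ships: egress allow-list with TCP 6443 only.
SAMPLE_POLICY = {"spec": {"policyTypes": ["Egress"],
                          "egress": [{"ports": [{"protocol": "TCP", "port": 6443}]}]}}

def port_matches(rule_ports, port, protocol):
    """An absent or empty 'ports' list means the rule allows every port."""
    if not rule_ports:
        return True
    for p in rule_ports:
        if p.get("protocol", "TCP") != protocol:   # protocol defaults to TCP
            continue
        low = p.get("port")
        if low is None:                            # protocol only: all its ports
            return True
        # Named (string) ports need the target pod spec and are skipped here.
        if isinstance(low, int) and low <= port <= p.get("endPort", low):
            return True
    return False

def peer_matches(peers, ip):
    """An absent or empty 'to' list means the rule allows every destination."""
    if not peers:
        return True
    addr = ipaddress.ip_address(ip)
    for peer in peers:
        block = peer.get("ipBlock")
        if block is None:                          # pod/namespace selectors: not a bare IP
            continue
        excluded = any(addr in ipaddress.ip_network(e) for e in block.get("except", []))
        if addr in ipaddress.ip_network(block["cidr"]) and not excluded:
            return True
    return False

def egress_allowed(policy, ip, port, protocol="TCP"):
    """Rules are OR-ed; once egress is restricted, anything unmatched is denied."""
    spec = policy["spec"]
    if "Egress" not in spec.get("policyTypes", []) and "egress" not in spec:
        return True                                # policy does not restrict egress
    return any(port_matches(r.get("ports"), port, protocol) and peer_matches(r.get("to"), ip)
               for r in spec.get("egress", []))

def add_port(policy, port):
    """Return a copy with one more TCP port on the first egress rule."""
    fixed = copy.deepcopy(policy)
    fixed["spec"]["egress"][0]["ports"].append({"protocol": "TCP", "port": port})
    return fixed
```

Whether a CNI plugin matches egress rules against the Service address (192.168.0.1:443 in the log) or the API server endpoint behind it is implementation-defined, so check both ports.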