[Bug]: Kafka CR with strimzi.io/network-policy: none annotation still triggers NetworkPolicy creation in Strimzi 0.50.0

[indritix]

Bug Description

We are running Strimzi 0.50.0 on AKS with Kyverno enforcing egress rules. Our Kafka custom resource includes the annotation:
metadata: annotations: strimzi.io/network-policy: "none"
Despite this, Strimzi continues to attempt to create the strimzi-kafka-network-policy-kafka NetworkPolicy, which is blocked by Kyverno (audit mode is not respected, webhook blocks on missing to field in egress). The Kafka CR remains in a NotReady state with the following status message:
resource NetworkPolicy/kaf-strimzi-cluster-service/strimzi-kafka-network-policy-kafka was blocked due to the following policies check-netpol-open-egress: block-missing-to-in-egress: 'validation error: Egress rules must include at least one ''to'' field (this includes that it can not be {}. rule block-missing-to-in-egress failed at path /spec/egress/'
The annotation is present in both the manifest and the live resource.
There is no existing NetworkPolicy in the namespace.
Restarting the Strimzi operator and Kyverno controllers does not resolve the issue.
All Kyverno and Gatekeeper policies are set to audit or dryrun.
No Azure Policy with Deny effect is assigned.

Steps to reproduce

1. Deploy Strimzi 0.50.0 on AKS with Kyverno enforcing egress rules.
2. Create a Kafka CR with the annotation strimzi.io/network-policy: "none".
3. Observe that Strimzi still tries to create the NetworkPolicy and the CR remains NotReady.

Expected behavior

With the annotation set, Strimzi should not attempt to create any NetworkPolicy for the Kafka resource.

Strimzi version

0.50.0

Kubernetes version

1.33.5

Installation method

We are deploying the Strimzi operator using the official Helm chart (version 0.50.0), managed via kustomize and ArgoCD. Strimzi CRDs and Kafka resources are applied using kustomize.

Infrastructure

Kubernetes: AKS

Configuration files and logs

strimzi-report-sanitized.zip

Additional context

Kyverno: audit mode, but webhook blocks on missing to field
No duplicate Kafka CRs or old manifests.
No other admission controllers enforcing egress found.

[ppatierno]

Unless I am missing something, there is no such annotation in Strimzi to avoid the NetworkPolicy generation.
You can use the STRIMZI_NETWORK_POLICY_GENERATION env var and set it to false to stop the operator to generate the NetworkPolicy. From where did you get that a strimzi.io/network-policy: "none" annotation should be used? Documentation? Articles/Blog posts? I am really curious about the source for this.

[indritix]

Sorry for that, it works now! I can't remember anymore, but it was a Blog post. Thanks a lot for the prompt clarification!

[ppatierno]

It would be great to get on which blog post it was written to fix it ... because it looks like more an AI hallucination :-D