
[Bug]: Kafka CR with strimzi.io/network-policy: none annotation still triggers NetworkPolicy creation in Strimzi 0.50.0 #12350

@indritix

Description

Bug Description

We are running Strimzi 0.50.0 on AKS with Kyverno enforcing egress rules. Our Kafka custom resource includes the annotation:
```yaml
metadata:
  annotations:
    strimzi.io/network-policy: "none"
```
Despite this, Strimzi continues to attempt to create the strimzi-kafka-network-policy-kafka NetworkPolicy, which is blocked by Kyverno (audit mode is not respected, webhook blocks on missing to field in egress). The Kafka CR remains in a NotReady state with the following status message:
```
resource NetworkPolicy/kaf-strimzi-cluster-service/strimzi-kafka-network-policy-kafka was blocked due to the following policies check-netpol-open-egress: block-missing-to-in-egress: 'validation error: Egress rules must include at least one ''to'' field (this includes that it can not be {}. rule block-missing-to-in-egress failed at path /spec/egress/'
```
The annotation is present in both the manifest and the live resource.
There is no existing NetworkPolicy in the namespace.
Restarting the Strimzi operator and Kyverno controllers does not resolve the issue.
All Kyverno and Gatekeeper policies are set to audit or dryrun.
No Azure Policy with Deny effect is assigned.

Steps to reproduce

  1. Deploy Strimzi 0.50.0 on AKS with Kyverno enforcing egress rules.
  2. Create a Kafka CR with the annotation strimzi.io/network-policy: "none".
  3. Observe that Strimzi still tries to create the NetworkPolicy and the CR remains NotReady.

Expected behavior

With the annotation set, Strimzi should not attempt to create any NetworkPolicy for the Kafka resource.

Strimzi version

0.50.0

Kubernetes version

1.33.5

Installation method

We are deploying the Strimzi operator using the official Helm chart (version 0.50.0), managed via kustomize and ArgoCD. Strimzi CRDs and Kafka resources are applied using kustomize.

Infrastructure

Kubernetes: AKS

Configuration files and logs

strimzi-report-sanitized.zip

Additional context

Kyverno: audit mode, but webhook blocks on missing to field
No duplicate Kafka CRs or old manifests.
No other admission controllers enforcing egress found.
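The admission rule quoted in the status message above, reimplemented as an offline checker (an added example, not code from the issue, from Strimzi, or from Kyverno): it walks a NetworkPolicy's `spec.egress` and reports every rule that lacks a non-empty `to`, including the `{}` allow-all rule. The manifests are constructed samples with placeholder names.

```python
# Added example (not from the issue, Strimzi, or Kyverno): a stand-alone checker
# that mirrors the "block-missing-to-in-egress" style rule from the status message.
from typing import Any


def egress_violations(policy: dict[str, Any]) -> list[str]:
    """Return one message per egress rule that has no non-empty `to` list.

    An empty result means the manifest would pass the check described in the
    issue. A policy with no `egress` section at all yields no findings: there is
    no rule to inspect (e.g. ingress-only policies, or `policyTypes: [Egress]`
    with no rules, which denies all egress).
    """
    spec = policy.get("spec", {})
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    violations: list[str] = []
    for idx, rule in enumerate(spec.get("egress") or []):
        path = f"{name}:/spec/egress/{idx}"
        if not rule:  # `{}` is an allow-all egress rule and carries no `to`
            violations.append(f"{path}: rule is {{}} (allow-all egress)")
        elif not rule.get("to"):  # `to` missing or an empty list
            violations.append(f"{path}: egress rule has no 'to' field")
    return violations


# Constructed sample manifests (placeholder names, not the issue's resources).
ALLOW_DNS_ONLY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "allow-dns-egress"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"],
             "egress": [{"to": [{"namespaceSelector": {"matchLabels": {
                            "kubernetes.io/metadata.name": "kube-system"}}}],
                         "ports": [{"protocol": "UDP", "port": 53}]}]},
}
ALLOW_ALL_EGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "allow-all-egress"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [{}]},
}
PORTS_ONLY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "ports-without-to"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"],
             "egress": [{"ports": [{"protocol": "TCP", "port": 9092}]}]},
}

if __name__ == "__main__":
    for manifest in (ALLOW_DNS_ONLY, ALLOW_ALL_EGRESS, PORTS_ONLY):
        print(manifest["metadata"]["name"], egress_violations(manifest) or "ok")
```

Feeding it the items from `kubectl get networkpolicy -A -o json` shows which existing manifests such a policy would reject before it is switched from audit to enforce.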
