Install of operator isn't possible, because of a wrong configured network policy #3669

@Mezzenine

Bug Report

What did you do?
After updating OLM to the current version (0.34.0), I want to install the OpenTelemetry operator in an Azure Kubernetes cluster.

What did you expect to see?
The running OpenTelemetry operator.

What did you see instead? Under which circumstances?
Every time I apply the yaml file with the subscription for the OpenTelemetry operator, I get a failed unpack job.

The console output of the job execution shows the following error:

'/bin/cpb' -> '/util/cpb'
skipping a dir without errors: /
skipping a dir without errors: /bundle
skipping all files in the dir: /dev
skipping a dir without errors: /etc
skipping a dir without errors: /manifests
skipping a dir without errors: /metadata
skipping all files in the dir: /proc
skipping all files in the dir: /sys
skipping a dir without errors: /tests
skipping a dir without errors: /tests/scorecard
skipping a dir without errors: /util
skipping a dir without errors: /var
skipping a dir without errors: /var/run
skipping a dir without errors: /var/run/secrets
skipping a dir without errors: /var/run/secrets/kubernetes.io
skipping a dir without errors: /var/run/secrets/kubernetes.io/serviceaccount
skipping a dir without errors: /var/run/secrets/kubernetes.io/serviceaccount/..2025_10_09_08_42_00.1318974113
&{metadata/annotations.yaml manifests/}
time="2025-10-09T08:42:03Z" level=info msg="Using in-cluster kube client config"
Error: error loading manifests from directory: Get "https://192.168.0.1:443/api/v1/namespaces/olm/configmaps/d7b9ca0797f021fab94e0f7ef2ccef226f8ef73c26fd128de4b6799f0cc88f4": dial tcp 192.168.0.1:443: i/o timeout
Usage:
  opm alpha bundle extract [flags]

Flags:
  -c, --configmapname string   name of configmap to write bundle data
  -l, --datalimit uint         maximum limit in bytes for total bundle data (default 1048576)
      --debug                  enable debug logging
  -z, --gzip                   enable gzip compression of configmap data
  -h, --help                   help for extract
  -k, --kubeconfig string      absolute path to kubeconfig file
  -m, --manifestsdir string    path to directory containing manifests (default "/")
  -n, --namespace string       namespace to write configmap data (default "openshift-operator-lifecycle-manager")

Global Flags:
      --skip-tls-verify   skip TLS certificate verification for container image registries while pulling bundles
      --use-http          use plain HTTP for container image registries while pulling bundles

As you can see in the log, the opm tool attempts to connect via port 443 to kubeapi. This port is currently not allowed in the network policy.
The port couldn't be changed because the creation of the network policy is done by the operator.
See:

The other question is, why are all ports hardcoded and not configurable?
See also:

This behavior makes OLM in the current version totally useless.

Environment

  • operator-lifecycle-manager version: 0.34.0
  • Kubernetes version information: 1.32.4
  • Kubernetes cluster kind: Azure Kubernetes Service

Possible Solution
Add ports 443 and 6443 to the network policy

Additional context
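
To check whether a NetworkPolicy would block the connection that times out in the log above, the following added example (not part of the original issue, and not OLM code) evaluates egress rules against a destination IP and port. The policy `example-unpack-egress` is constructed for illustration and is not the policy OLM 0.34.0 creates; the function names are hypothetical, and only `ipBlock` peers and numeric ports are evaluated.

```python
import ipaddress

# Constructed policy for illustration; NOT the policy OLM 0.34.0 generates.
POLICY = {
    "metadata": {"name": "example-unpack-egress", "namespace": "olm"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Egress"],
        "egress": [
            {"ports": [{"protocol": "TCP", "port": 6443}]},
            {"ports": [{"protocol": "UDP", "port": 53}]},
        ],
    },
}

def port_matches(rule, port, protocol):
    ports = rule.get("ports")
    if not ports:  # no ports listed: the rule covers every port
        return True
    for p in ports:
        if p.get("protocol", "TCP") != protocol:
            continue
        low = p.get("port")
        if low is None:  # protocol only: every port of that protocol
            return True
        # Named (string) ports resolve against pods and are skipped here.
        if isinstance(low, int) and low <= port <= p.get("endPort", low):
            return True
    return False

def peer_matches(rule, ip):
    peers = rule.get("to")
    if not peers:  # no peers listed: the rule covers every destination
        return True
    addr = ipaddress.ip_address(ip)
    for block in filter(None, (peer.get("ipBlock") for peer in peers)):
        excluded = any(addr in ipaddress.ip_network(e) for e in block.get("except", []))
        if addr in ipaddress.ip_network(block["cidr"]) and not excluded:
            return True
    return False  # selector-only peers are treated as not matching an IP

def egress_allowed(policies, ip, port, protocol="TCP"):
    """Evaluate egress for a pod selected by every policy in `policies`."""
    specs = [p["spec"] for p in policies]
    isolating = [s for s in specs if "Egress" in s.get(
        "policyTypes", ["Egress"] if s.get("egress") else [])]
    if not isolating:  # no policy isolates egress: traffic is allowed
        return True
    return any(port_matches(r, port, protocol) and peer_matches(r, ip)
               for s in isolating for r in s.get("egress") or [])
```

With the constructed policy, `egress_allowed([POLICY], "192.168.0.1", 443)` returns `False`, while the same call with port 6443 returns `True`; adding a TCP 443 rule flips the first result.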
