From dbfd2e4cefb553b27a52ad7ca59ab825ca2109da Mon Sep 17 00:00:00 2001
From: Rafael Poyiadzi
Date: Wed, 25 Feb 2026 14:53:18 +0000
Subject: [PATCH] Fix network policy: allow Redis Sentinel port 26379

The egress network policy only allowed port 6379 (Redis master) but blocked port 26379 (Redis Sentinel). The pod connects to Sentinel first to discover the master, so blocking 26379 caused redis.ping() to hang, health probes to timeout, and the pod to be killed by liveness checks.

Co-Authored-By: Claude Opus 4.6
---
everyrow-mcp/deploy/chart/templates/networkpolicy.yaml | 4 +++-
everyrow-mcp/deploy/chart/values.yaml | 1 +
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/everyrow-mcp/deploy/chart/templates/networkpolicy.yaml b/everyrow-mcp/deploy/chart/templates/networkpolicy.yaml
index c3f5a820..093ffcd5 100644
--- a/everyrow-mcp/deploy/chart/templates/networkpolicy.yaml
+++ b/everyrow-mcp/deploy/chart/templates/networkpolicy.yaml
@@ -64,7 +64,7 @@ spec:
 protocol: UDP
 - port: 53
 protocol: TCP
- # Redis (Sentinel — external/cross-namespace IPs)
+ # Redis (master + Sentinel — cross-namespace IPs)
 {{- range .Values.networkPolicy.redisCIDRs }}
 - to:
 - ipBlock:
@@ -72,6 +72,8 @@ spec:
 ports:
 - port: {{ $.Values.networkPolicy.redisPort | default 6379 }}
 protocol: TCP
+ - port: {{ $.Values.networkPolicy.redisSentinelPort | default 26379 }}
+ protocol: TCP
 {{- end }}
 # External HTTPS (EveryRow API, Supabase, Google Sheets)
 - to:
diff --git a/everyrow-mcp/deploy/chart/values.yaml b/everyrow-mcp/deploy/chart/values.yaml
index 195329eb..56c6b711 100644
--- a/everyrow-mcp/deploy/chart/values.yaml
+++ b/everyrow-mcp/deploy/chart/values.yaml
@@ -52,6 +52,7 @@ networkPolicy:
 enabled: true
 gatewayNamespace: gke-managed-system
 redisPort: 6379
+ redisSentinelPort: 26379
 redisCIDRs:
 - 10.0.0.0/8 # TODO: narrow to actual Redis Sentinel IPs
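Review bot: The added `- port: {{ $.Values.networkPolicy.redisSentinelPort | default 26379 }}` entry in the second networkpolicy.yaml hunk cannot be switched off, because the `default` filter restores 26379 even when the value is cleared. It is also rendered for every entry in `redisCIDRs`. With the `10.0.0.0/8` entry visible in the values.yaml hunk, the policy now permits TCP 26379 egress to that whole range, including for installs that reach a single Redis endpoint without Sentinel. Consider making the rule opt-out by wrapping the two added lines as `{{- with $.Values.networkPolicy.redisSentinelPort }}` / `- port: {{ . }}` / `{{- end }}`, keeping `protocol: TCP` inside the `with`. The new default in values.yaml preserves the behaviour this commit wants, and a null override removes the port. The enclosing egress rule and the `range` block start above the hunk, so the exact indentation needs checking against the full template.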