From 9ac404ce7ad063054d552fbdc5445eadce3c828e Mon Sep 17 00:00:00 2001
From: Rafael Poyiadzi <rafael@futuresearch.ai>
Date: Wed, 25 Feb 2026 15:12:22 +0000
Subject: [PATCH] Fix network policy: add GKE service CIDR for Redis

The Redis ClusterIP (34.118.226.16) is in GKE's service CIDR, not in
10.0.0.0/8. The network policy was blocking all Redis traffic because
the ipBlock rule only covered the pod network.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 everyrow-mcp/deploy/chart/values.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/everyrow-mcp/deploy/chart/values.yaml b/everyrow-mcp/deploy/chart/values.yaml
index 56c6b711..d84ef0cb 100644
--- a/everyrow-mcp/deploy/chart/values.yaml
+++ b/everyrow-mcp/deploy/chart/values.yaml
@@ -54,7 +54,8 @@ networkPolicy:
   redisPort: 6379
   redisSentinelPort: 26379
   redisCIDRs:
-    - 10.0.0.0/8  # TODO: narrow to actual Redis Sentinel IPs
+    - 10.0.0.0/8       # Pod network
+    - 34.118.224.0/20   # GKE service CIDR (covers ClusterIP 34.118.226.16)
 
 tolerations:
   - key: "hyperdiskonly"