- Story
- Resolution: Done
- Major
- None
- None
- None
- 8
- False
- False
- Compatibility/Configuration, User Experience
- Undefined
- Sprint 14
As described in https://maistra.io/docs/ossm-vs-community.html#ossm-mt-vs-clusterwide_ossm-vs-istio, Maistra by default creates a NetworkPolicy called istio-mesh-full{-install} that allows ingress to all pods from the other members and from the control plane.
This introduces an issue because it overrides any existing NetworkPolicies.
Imagine we originally have two namespaces, A and B. Namespace A contains application X and namespace B applications Y and Z. An existing NetworkPolicy allows traffic from A{X} to application B{Y} but not to B{Z}.
Once namespaces A and B both join the Service Mesh (and receive the istio-mesh-full NetworkPolicy), this separation is overridden and suddenly A{X} has unrestricted access to B{Z}.
A solution could be to make adding the istio-mesh-full NetworkPolicy optional (added by default, but with a possible opt-out) so that the existing separation is not altered.
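To show why the existing separation is lost rather than merely supplemented, here is an added Python model (not Maistra or Kubernetes code) of how NetworkPolicy ingress rules combine when several policies select the same pod. The label selectors used for the istio-mesh-full stand-in (`maistra.io/member-of`) and the `kubernetes.io/metadata.name` namespace label are assumptions about the real policy, and the pods and policies are constructed from the scenario in this ticket.

```python
"""Constructed model of Kubernetes NetworkPolicy ingress semantics (not Maistra code).
Policies are additive: once any policy selects a pod, traffic is allowed if ANY
selecting policy has a matching ingress rule. A strict policy beside a permissive one
cannot take allowances away, which is how istio-mesh-full defeats an existing split."""
from typing import Dict, List, Optional, Tuple
Labels = Dict[str, str]
Pod = Tuple[str, Labels]                          # (namespace, labels)
Peer = Tuple[Optional[Labels], Optional[Labels]]  # (podSelector, namespaceSelector); None = unset
Policy = Tuple[str, Labels, List[List[Peer]]]     # (namespace, podSelector, ingress rules)

def matches(selector: Labels, labels: Labels) -> bool:
    return all(labels.get(k) == v for k, v in selector.items())

def peer_allows(peer: Peer, src: Pod, policy_ns: str, ns_labels: Dict[str, Labels]) -> bool:
    pod_sel, ns_sel = peer
    src_ns, src_labels = src
    # No namespaceSelector means "pods in the policy's own namespace".
    ns_ok = src_ns == policy_ns if ns_sel is None else matches(ns_sel, ns_labels[src_ns])
    pod_ok = pod_sel is None or matches(pod_sel, src_labels)
    return ns_ok and pod_ok

def ingress_allowed(src: Pod, dst: Pod, policies: List[Policy], ns_labels: Dict[str, Labels]) -> bool:
    dst_ns, dst_labels = dst
    selecting = [p for p in policies if p[0] == dst_ns and matches(p[1], dst_labels)]
    if not selecting:
        return True  # a pod no policy selects is non-isolated
    return any(peer_allows(peer, src, ns, ns_labels)
               for ns, _, rules in selecting for rule in rules for peer in rule)

# Constructed scenario from the ticket: A{X} may reach B{Y} but not B{Z}.
X, Y, Z = ("a", {"app": "X"}), ("b", {"app": "Y"}), ("b", {"app": "Z"})
EXISTING: List[Policy] = [
    ("b", {}, []),  # isolate every pod in B (default deny ingress)
    ("b", {"app": "Y"}, [[({"app": "X"}, {"kubernetes.io/metadata.name": "a"})]]),
]

def mesh_full(ns: str, cp: str = "istio-system") -> Policy:
    # Assumed shape of istio-mesh-full: all pods in every member namespace may reach all pods here.
    return (ns, {}, [[(None, {"maistra.io/member-of": cp})]])

def reachability(joined_mesh: bool) -> Dict[str, bool]:
    ns_labels = {ns: {"kubernetes.io/metadata.name": ns} for ns in ("a", "b")}
    policies = list(EXISTING)
    if joined_mesh:  # both namespaces become members: labelled and given istio-mesh-full
        for labels in ns_labels.values():
            labels["maistra.io/member-of"] = "istio-system"
        policies += [mesh_full("a"), mesh_full("b")]
    return {"X->Y": ingress_allowed(X, Y, policies, ns_labels),
            "X->Z": ingress_allowed(X, Z, policies, ns_labels)}
```

`reachability(False)` reports X->Z denied; `reachability(True)` reports it allowed, because the mesh policy's broad allow is unioned with the existing rules rather than intersected with them.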
Acceptance Criteria:
- SMCP option that allows users to disable management of NetworkPolicy resources
- if NetworkPolicy management is disabled,
  - all NetworkPolicy resources previously created by the operator are deleted,
  - the operator does not create new NetworkPolicy resources,
  - documentation explains the potential problems that disabling NetworkPolicy management might cause
- if NetworkPolicy management is enabled (this is the default),
  - the behavior stays the same as it is today (the operator creates NPs in member namespaces)
- is documented by
  - OSSM-2691 OSSM 2.1.1 z-stream Release Notes, Known Issues and Bug Fixes (Closed)
  - OSSM-2913 Make NetworkPolicy optional (Closed)
- is duplicated by
  - OSSM-409 [RFE] Include a flag in the SMCP resource to enable/disable the creation of istio-expose-route-basic NetworkPolicy in members (Closed)
- relates to
  - OSSM-516 Feature-Request: Further restricting default NetworkPolicy for multitenant environments (Closed)