  1. OpenShift Service Mesh
  2. OSSM-2871

Document how to solve NetworkPolicy problems


      The Maistra operator creates NetworkPolicies in the control plane and member namespaces to whitelist traffic between them. The problem is that we implicitly change OCP networking behaviour from allow-all to deny-by-default when we create the first NetworkPolicy resource in a namespace. Because of this, services previously exposed through an OpenShift Route might become inaccessible.

      We have to document that

      • traffic into the mesh must always go through the ingress-gateway for Istio to work properly
      • services external to the mesh should, if possible, always be deployed in separate namespaces that are not in any mesh
      • if services that are outside the mesh must reside in a namespace that is part of a mesh, users can label the Pods with maistra.io/expose-route: "true", which will make sure OpenShift Routes to these services still work
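
A check for the third point, added here as an example and not part of the original issue or the Maistra project: given the Routes, Services and Pods of one mesh member namespace (dicts shaped like the items of `oc get ... -o json`; all sample objects are constructed), it lists the Routes whose backing Pods lack the `maistra.io/expose-route: "true"` label.

```python
# Added example: flag OpenShift Routes in a mesh member namespace whose backing
# Pods lack the maistra.io/expose-route label. Function names are hypothetical.
EXPOSE_LABEL = "maistra.io/expose-route"

def selects(selector, labels):
    """True if every key/value of a Service selector is present in the Pod labels."""
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())

def routes_at_risk(routes, services, pods):
    """Return {route name: [names of backing Pods lacking the label]} for one namespace."""
    selectors = {s["metadata"]["name"]: s["spec"].get("selector", {}) for s in services}
    findings = {}
    for route in routes:
        target = route["spec"]["to"]
        if target.get("kind", "Service") != "Service":
            continue
        selector = selectors.get(target["name"], {})
        unlabeled = sorted(
            p["metadata"]["name"] for p in pods
            if selects(selector, p["metadata"].get("labels", {}))
            and p["metadata"].get("labels", {}).get(EXPOSE_LABEL) != "true"
        )
        if unlabeled:
            findings[route["metadata"]["name"]] = unlabeled
    return findings

# Constructed sample objects for a single namespace (not taken from a real cluster).
SERVICES = [
    {"metadata": {"name": n}, "spec": {"selector": {"app": n}}}
    for n in ("legacy-api", "reports", "docs")
]
PODS = [
    {"metadata": {"name": "legacy-api-1", "labels": {"app": "legacy-api"}}},
    {"metadata": {"name": "reports-1", "labels": {"app": "reports", EXPOSE_LABEL: "true"}}},
    {"metadata": {"name": "reports-2", "labels": {"app": "reports"}}},
    {"metadata": {"name": "docs-1", "labels": {"app": "docs", EXPOSE_LABEL: "true"}}},
]
ROUTES = [
    {"metadata": {"name": n}, "spec": {"to": {"kind": "Service", "name": n}}}
    for n in ("legacy-api", "reports", "docs")
]

if __name__ == "__main__":
    for name, pod_names in routes_at_risk(ROUTES, SERVICES, PODS).items():
        print(f"Route {name}: Pods without {EXPOSE_LABEL}=true: {', '.join(pod_names)}")
```
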

              ntimpe@redhat.com Neal Timpe
              dgrimm@redhat.com Daniel Grimm