Story
Resolution: Done
Normal
Serverless Sprint 184, Serverless Sprint 185, Serverless Sprint 186
Today, if you install OpenShift Serverless on a cluster with a restrictive NetworkPolicy in user namespaces, then those user namespaces will likely not be able to route traffic into their Knative Services.
We need to figure out the minimal NetworkPolicy required in user namespaces to allow a Knative Service to receive traffic. I suspect we'll need to add a new label to our knative-serving-ingress (and perhaps knative-serving) namespaces and a NetworkPolicy that allows traffic into the user namespace from namespaces with this new label.
In scope is adding a test that deploys a Knative Service into a namespace with a deny-all policy, verifying the Knative Service cannot receive traffic, installing the proper NetworkPolicy into that namespace, and verifying the Knative Service can now receive traffic.
Out of scope is automatically creating this NetworkPolicy in user namespaces from our operator. For now, let's take the findings from here and document for our users how to do this.
blocks: SRVKS-562 [DOC] Document usage of Knative Services with restrictive Network Policies (Closed)
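A sketch of the two policies the test described in this story would apply, as an added example rather than the project's own manifests. The namespace `user-ns` and the label `example.com/knative-system-namespace` are hypothetical placeholders: the story does not name the new label, and whether `knative-serving` needs it in addition to `knative-serving-ingress` is the open question it raises.

```yaml
# Step 1: deny-all baseline in the user namespace (hypothetical name: user-ns).
# An empty podSelector selects every pod in the namespace; declaring the
# Ingress policy type with no ingress rules blocks all inbound traffic,
# so the Knative Service should be unreachable at this point.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: user-ns
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Step 2: allow inbound traffic only from namespaces that carry the new label.
# The label key and value are placeholders (assumption). They would be set on
# knative-serving-ingress and, if it turns out to be required, knative-serving.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-knative-system
  namespace: user-ns
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              example.com/knative-system-namespace: "true"
```

NetworkPolicies are additive, so the second policy can sit alongside the deny-all baseline: the result is that only the labelled namespaces can reach pods in `user-ns`, and all other sources stay blocked.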