When ksvc is created under with ServiceMesh, it god the following error.

$ kn service create hello-example --image=gcr.io/knative-samples/helloworld-go
Error: Internal error occurred: failed calling webhook "webhook.serving.knative.dev": Post "https://webhook.knative-serving.svc:443/defaulting?timeout=10s": context deadline exceeded
Run 'kn --help' for usage

We need to add NetworkPolicy for the webhook.

NOTE

This issue does not happen when we include "default" namespace in SMMR.
The kube-apiserver uses hostNetwork*1.

$ oc get pod -n openshift-kube-apiserver kube-apiserver-ip-10-0-189-152.ap-southeast-1.compute.internal -o jsonpath="{.spec.hostNetwork}"
true

According to the doc, the traffic from host network pod gets netid:0 VNID and the default namespace is assigned netid:0. So when default namespace is in SMMR, ServiceMesh adds maistra.io/member-of=istio-system label to the namespace, which means the traffic from apiserver was allowed.

OpenShift docs[1] explains about it for Ingress Controller, but apiserver also uses HostNetwork and so it happens the same.

[1]
https://docs.openshift.com/container-platform/4.7/networking/network_policy/about-network-policy.html#nw-networkpolicy-about_about-network-policy

When running on the host network, the traffic from the Ingress Controller is assigned the netid:0 Virtual Network ID (VNID).

Ingress Controller. With OpenShift SDN, the default namespace is assigned the netid:0 VNID and you can allow traffic from the default Ingress Controller by labeling your default namespace with network.openshift.io/policy-group: ingress.