From 4ab5cc50a06435a471fa9a8be96e5d7354a9b31a Mon Sep 17 00:00:00 2001
From: Justin Tahara <105671973+justin-tahara@users.noreply.github.com>
Date: Wed, 8 Apr 2026 16:39:26 -0700
Subject: [PATCH] Revert "fix(k8s): Locking down networking"
---
 .../templates/networkpolicy.yaml | 26 -------------------
 kubernetes/code-interpreter/values.yaml | 2 +-
 2 files changed, 1 insertion(+), 27 deletions(-)
diff --git a/kubernetes/code-interpreter/templates/networkpolicy.yaml b/kubernetes/code-interpreter/templates/networkpolicy.yaml
index cb947ab..4e27e97 100644
--- a/kubernetes/code-interpreter/templates/networkpolicy.yaml
+++ b/kubernetes/code-interpreter/templates/networkpolicy.yaml
@@ -19,30 +19,4 @@ spec:
 egress:
 {{- toYaml . | nindent 4 }}
 {{- end }}
----
-# NetworkPolicy for ephemeral executor pods spawned by the code-interpreter.
-# These pods run user-submitted code and must be fully network-isolated
-# to prevent data exfiltration and SSRF attacks.
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: {{ include "code-interpreter.fullname" . }}-executor
- labels:
- {{- include "code-interpreter.labels" . | nindent 4 }}
-spec:
- podSelector:
- matchLabels:
- app: code-interpreter
- component: executor
- policyTypes:
- - Ingress
- - Egress
- ingress:
- # Allow exec connections from the code-interpreter service pod
- - from:
- - podSelector:
- matchLabels:
- {{- include "code-interpreter.selectorLabels" . | nindent 14 }}
- egress: []
- # Deny all egress — executor pods must not have network access
 {{- end }}
\ No newline at end of file
diff --git a/kubernetes/code-interpreter/values.yaml b/kubernetes/code-interpreter/values.yaml
index 7b18763..973fce7 100644
--- a/kubernetes/code-interpreter/values.yaml
+++ b/kubernetes/code-interpreter/values.yaml
@@ -164,7 +164,7 @@ readinessProbe:
 # Network Policy
 networkPolicy:
- enabled: true
+ enabled: false
 policyTypes:
 - Ingress
 - Egress
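Review bot: The new default `enabled: false` under `networkPolicy:` in values.yaml appears to leave a stock install with no NetworkPolicy at all, since the template's trailing `{{- end }}` suggests the whole file is gated on this value. The networkpolicy.yaml hunk of the same revert also deletes the executor policy, whose own comment said those pods run user-submitted code and must be isolated against data exfiltration and SSRF. The commit message gives no reason for the revert, so the default should at least carry a comment stating the consequence, for example `# WARNING: false renders no NetworkPolicy; executor pods that run user code are not network-isolated`. If the original lockdown broke a legitimate flow (not stated here), keeping `enabled: true` and loosening only the rule that caused the breakage would preserve isolation for the executor pods. The `networkPolicy` mapping continues beyond the end of this hunk.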