ClusterRole cluster-admin and NetworkPolicies

When a deployment is associated with a ServiceAccount and the cluster-admin ClusterRole, can this deployment access a Pod under a Deployment in a different namespace which has an active NetworkPolicy that prevents incoming network access from outside that namespace?

Currently, I can reach the Pod in question through its PodIP and FQDN from within its own namespace; however, I fail to achieve the same with the deployment that has the cluster-admin ClusterRole associated with it.
This deployment is able to, e.g., change any container's image tag in that cluster, but it can access a Pod neither through its PodIP nor through its FQDN.

Do I need to make an exception in the NetworkPolicy for the access to be allowed? (Not preferred)
Or can I modify the cluster-admin associated deployment to bypass the NetworkPolicy? (Preferred)

Akito (September 22):

> When a deployment is associated with a ServiceAccount and the cluster-admin ClusterRole, can this deployment access a Pod under a Deployment in a different namespace which has an active NetworkPolicy that prevents incoming network access from outside that namespace?

RBAC governs access to API resources (control plane), but not the pods themselves (data plane).

> Currently, I can reach the Pod in question through its PodIP and FQDN from within its own namespace; however, I fail to achieve the same with the deployment that has the cluster-admin ClusterRole associated with it.
> This deployment is able to, e.g., change any container's image tag in that cluster, but it can access a Pod neither through its PodIP nor through its FQDN.

> Do I need to make an exception in the NetworkPolicy for the access to be allowed? (Not preferred)

Yes, e.g. allow from namespaces labelled as "admin" or similar.

> Or can I modify the cluster-admin associated deployment to bypass the NetworkPolicy? (Preferred)

Nope, sorry.
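The exception the reply suggests, written out as an added example (it is not code from the thread or from any of its participants). The namespace names `target-ns` and `admin-ns`, the label `network-role: admin` on the admin Namespace, and the Pod label `app: cluster-admin-tool` are all assumed placeholders; substitute your own.

```yaml
# Added example, not from the original thread.
# Assumed names: "target-ns" holds the protected Deployment, "admin-ns" holds the
# Deployment bound to cluster-admin, "network-role: admin" is a made-up label.
apiVersion: v1
kind: Namespace
metadata:
  name: admin-ns
  labels:
    # namespaceSelector below matches labels on the Namespace object itself,
    # not on the Pods running inside it.
    network-role: admin
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-and-admin
  namespace: target-ns
spec:
  # An empty podSelector selects every Pod in target-ns.
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    # Peer 1: any Pod in the same namespace. This is the behaviour the
    # question already observes (reachable from within target-ns).
    - from:
        - podSelector: {}
    # Peer 2: the exception. namespaceSelector and podSelector in the SAME
    # list item are ANDed, so only the admin Deployment's Pods in a namespace
    # labelled network-role=admin are admitted. Written as two separate
    # "- namespaceSelector" / "- podSelector" items they would be ORed, and the
    # podSelector would then refer to Pods in target-ns, not admin-ns.
    - from:
        - namespaceSelector:
            matchLabels:
              network-role: admin
          podSelector:
            matchLabels:
              app: cluster-admin-tool   # assumed label on the admin Pods
```

Apply with `kubectl apply -f <file>` and confirm the label is present with `kubectl get namespace admin-ns --show-labels`. Two caveats worth knowing: the policy is only enforced if the cluster's CNI plugin implements NetworkPolicy (on a CNI that does not, the object is accepted but has no effect), and reaching the Pod via a Service FQDN does not sidestep the rule, because the ingress policy is evaluated on the pod-to-pod connection after the Service address has been translated to the PodIP. Since the question's point is that cluster-admin RBAC does not change this, the admin Deployment still needs the network-level exception regardless of how broad its API permissions are.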

I see, thank you. Meanwhile I have come up with the same solution you proposed and have implemented that.