Networking & Monitoring

Requires Gateway API CRDs installed on the cluster. Gateway API is not included in Kubernetes and must be installed separately. If the CRDs are absent, the operator logs a message and skips HTTPRoute management.

spec:
  networking:
    gateway:
      gatewayRef:
        name: my-gateway
        namespace: gateway-system
      hostnames:
        - superset.example.com

The operator creates an HTTPRoute with path-based routing:

| Priority | Path | Target | Condition |
|---|---|---|---|
| 1 (most specific) | /ws | websocket-server Service | websocketServer enabled |
| 2 | /mcp | mcp-server Service | mcpServer enabled |
| 3 | /flower | celery-flower Service | celeryFlower enabled |
| 4 (catch-all) | / | web-server Service | webServer enabled |

More specific paths are listed first to ensure correct routing priority. Paths are configurable via service.gatewayPath on each component spec.

For example, to serve Celery Flower under /monitoring:

spec:
  celeryFlower:
    service:
      gatewayPath: /monitoring

Ingress (Legacy)

Gateway API and Ingress are mutually exclusive — set one or the other, not both.

spec:
  networking:
    ingress:
      className: nginx
      annotations:
        nginx.ingress.kubernetes.io/proxy-body-size: "100m"
      hosts:
        - host: superset.example.com
          paths:
            - path: /
              pathType: Prefix
      tls:
        - secretName: superset-tls
          hosts:
            - superset.example.com

Graceful CRD Handling

If Gateway API CRDs are not present, the controller skips HTTPRoute watch registration and catches meta.IsNoMatchError at reconciliation time. The operator runs with reduced functionality rather than failing.

Prometheus ServiceMonitor

Requires prometheus-operator CRDs. The operator gracefully skips ServiceMonitor creation if they are not installed.

spec:
  monitoring:
    serviceMonitor:
      interval: 30s
      labels:
        release: prometheus

The controller creates a Prometheus ServiceMonitor targeting the web-server component, using unstructured objects because the ServiceMonitor CRD is external (monitoring.coreos.com/v1). The default scrape interval is 30s and is configurable. The ServiceMonitor targets pods labeled app.kubernetes.io/component: web-server.

Network Policies

spec:
  networkPolicy:
    extraIngress: []
    extraEgress: []

The operator creates per-component NetworkPolicies that:

  • Allow ingress from other components of the same Superset instance (matched by app.kubernetes.io/name: superset + superset.apache.org/parent labels — multiple Superset instances in the same namespace are isolated from each other)
  • Allow ingress on the service port from any source for externally-facing components (web server, Celery Flower, websocket server, MCP server) — this is necessary because ingress controllers and load balancers typically reside outside the namespace and cannot be matched with a pod selector
  • Allow all egress (for database/cache access)
  • Support custom extraIngress and extraEgress rules

Per-component rules:

| Component | Ingress from Superset pods | Ingress from external | Egress |
|---|---|---|---|
| WebServer | port 8088 | port 8088 | all |
| CeleryWorker | any port | | all |
| CeleryBeat | any port | | all |
| CeleryFlower | port 5555 | port 5555 | all |
| WebsocketServer | port 8080 | port 8080 | all |
| McpServer | port 8088 | port 8088 | all |

If you need to restrict external ingress to specific sources, disable the built-in network policy and create your own NetworkPolicy resources with the desired from selectors.
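
A replacement policy for the web server along those lines, as an added example that is not part of the operator's own documentation: it admits port 8088 only from pods in the gateway-system namespace and from pods of the same Superset instance. The policy name, the superset namespace, the parent label value my-superset, and the assumption that the gateway's proxy pods run in gateway-system are illustrative; the labels and port are the ones listed on this page.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: superset-web-server-restricted   # hypothetical name
  namespace: superset                    # assumption: namespace of the Superset instance
spec:
  # Select only the web-server pods of one Superset instance.
  podSelector:
    matchLabels:
      app.kubernetes.io/name: superset
      app.kubernetes.io/component: web-server
      superset.apache.org/parent: my-superset   # assumption: label value naming the instance
  # Only Ingress is declared, so this policy does not restrict egress.
  policyTypes:
    - Ingress
  ingress:
    # External traffic: only pods in the gateway namespace may reach 8088.
    # Assumption: the gateway's data-plane pods run in gateway-system.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: gateway-system
      ports:
        - protocol: TCP
          port: 8088
    # Internal traffic: other components of the same Superset instance.
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: superset
              superset.apache.org/parent: my-superset
      ports:
        - protocol: TCP
          port: 8088
```

NetworkPolicies are additive, so this narrows access only once the built-in policy that allows port 8088 from any source is disabled. If Prometheus scrapes the web server through the ServiceMonitor, add a from rule for its namespace as well.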