diff --git a/docs/features/network-mapping-network-policies/reference/Network-Policies-Deep-Dive.mdx b/docs/features/network-mapping-network-policies/reference/Network-Policies-Deep-Dive.mdx
index a45cd725c..a4637a0d4 100644
--- a/docs/features/network-mapping-network-policies/reference/Network-Policies-Deep-Dive.mdx
+++ b/docs/features/network-mapping-network-policies/reference/Network-Policies-Deep-Dive.mdx
@@ -178,6 +178,51 @@ would block existing traffic like **loadgenerator** -> **frontend**.
+## Auto-generating network policies for Prometheus server
+When an intent generates a network policy that can block Prometheus from querying metrics, the intents operator by default
+will automatically generate network policies to enable Prometheus to access the metrics port on this workload.
+
+The way Otterize identifies that a workloads (pods, services) would be blocked from Prometheus is composed of 2 conditions:
+ 1. The workload has the `prometheus.io/scrape` annotation set to `true`
+ 2. `prometheusServerConfigs` is set in the intents operator configuration to identify the Prometheus server, as [documented in the intents operator](/reference/intents-operator).
+
+To disable this feature, consult the [documentation for the intents operator](/reference/intents-operator).
+
+
+Let's look at an example.
+In our cluster we have client, server and Prometheus server.
+The server has the annotations `prometheus.io/scrape: "true"` and `prometheus.io/port: "8080"`.
+
+By applying the following intents file:
+```yaml
+apiVersion: k8s.otterize.com/v2beta1
+kind: ClientIntents
+metadata:
+ name: client
+ namespace: prometheus-test
+spec:
+ workload:
+ name: client
+ targets:
+ - service:
+ name: server
+```
+
+Otterize will generate a network policy allowing access from the **client** workload to the **server** service.
+Once a network policy matches a pod, other traffic not allowed by existing network policies to the **server** will be blocked.
+In our case, this means that the Prometheus server will not be able to communicate with the server and scrape its metrics.
+
+To resolve this, Otterize will automatically generate a network policy allowing traffic from the **Prometheus server** to the **server**.
+This is based on the presence of the `prometheus.io/scrape: "true"` annotation in the **server** and the `prometheusServerConfigs` configuration
+that identifies the Prometheus server.
+
+Important note:
+If the **server** does not have the `prometheus.io/port` annotation, the network policy generated by Otterize will allow communication between the
+**Prometheus server** and the **server** on all ports exposed by the server. This is not a best practice, so it's recommended to set the port explicitly
+if known.
+
+
+
## How intents translate to network policies
Let's follow an example scenario and track how Otterize configures network policies when we apply intents.
### Deploy example
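Review bot: the `ClientIntents` example under `spec:` shows `workload:`, `name: client`, `targets:` and `- service:` / `name: server` at what looks like a single indentation level; if the file really has them flat, YAML will not parse them as the nested `spec.workload.name` and `spec.targets[].service.name` structure the surrounding text describes, so please check the nesting in the .mdx source. Grammar in the conditions paragraph: "identifies that a workloads (pods, services) would be blocked" should read "identifies that a workload (pod or service) would be blocked", and "composed of 2 conditions" reads better as "two conditions". Condition 1 says the annotation is on "the workload" while the README hunk in this same change says "the pod or service"; use the same wording in both. In the "Important note" it would help to state the consequence directly: without `prometheus.io/port`, the generated policy admits the Prometheus server on every port the server exposes, so the port annotation is what keeps the allowance limited to the metrics endpoint.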
diff --git a/docs/reference/intents-operator/README.mdx b/docs/reference/intents-operator/README.mdx
index 9c4d13280..ec37a63d3 100644
--- a/docs/reference/intents-operator/README.mdx
+++ b/docs/reference/intents-operator/README.mdx
@@ -41,6 +41,11 @@ to access the server. This label is used as the selector to determine which clie
pod.
Learn more: [Network policies deep dive](/features/network-mapping-network-policies/reference/Network-Policies-Deep-Dive)
+
+### Handling Third Party or Infrastructure traffic
+Otterize automates network policies that enables third party or infrastructure traffic.
+Otterize can currently automatically handle [external traffic](#Handling external traffic) as well as [Prometheus monitoring traffic](#Handling Prometheus traffic).
+
#### Handling external traffic
The intents operator has automatic behavior for allowing external traffic for pods which have indicated that they are supposed to accept external traffic, such as by creating a `Service` of type `NodePort` or `LoadBalancer`, or an `Ingress` resource.
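Review bot: the two in-page links `(#Handling external traffic)` and `(#Handling Prometheus traffic)` use the raw heading text with spaces as the fragment, which will not resolve; markdown/MDX renderers slugify headings, so the fragments should be `#handling-external-traffic` and `#handling-prometheus-traffic`. Minor: "automates network policies that enables third party or infrastructure traffic" should be "that enable".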
@@ -50,7 +55,23 @@ As the intents operator creates network policies, and the semantics of network p
This meant that if you had no network policies on a pod, and created ClientIntents for that pod, then external traffic would be blocked. To make it easy to enable pod-to-pod traffic without affecting expected external traffic, the intents operator automatically detects resources of kind `Service` of type `NodePort` or `LoadBalancer`, or an `Ingress` resource, and if it creates the first network policy to affect those pods, it also creates a network policy that allows external traffic to those pods, as specified by the external `Service`/`Ingress` - for example, it only allows traffic to the specified ports, not all traffic.
-This behavior can be disabled using the Helm chart's values.
+This behavior can be disabled using the Helm chart's values - `automateThirdPartyNetworkPolicies`.
+
+#### Handling Prometheus traffic
+The intents operator has automatic behavior for allowing Prometheus traffic to pods which have indicated that they are supposed to accept Prometheus traffic, by adding the `prometheus.io/scrape: "true"` annotation to the pod or service.
+
+As the intents operator creates network policies, and the semantics of network policies dictate that:
+1. if no network policies apply to a pod, then all traffic is allowed.
+2. once any network policy applies to a pod, only the traffic explicitly allowed in the policy is allowed
+
+This meant that if you had no network policies on a pod, and created ClientIntents for that pod, then Prometheus scraping would be blocked. To make it easy to enable traffic for Prometheus metrics scraping, the intents operator automatically detects resources with `prometheus.io/scrape: "true"` annotation, and if it creates the first network policy to affect those pods, it also creates a network policy that allows Prometheus scraping.
+
+You must set `prometheusServerConfigs` in the Helm chart, so Otterize would be able to identify the Prometheus server in the cluster and restrict the network policy to only allow traffic from Prometheus.
+
+This behavior can be disabled using the Helm chart's values - `automateThirdPartyNetworkPolicies`, or to only disable Prometheus, make sure `prometheusServerConfigs` is not set.
+
+**Note**: If you haven't specified `prometheus.io/port` in the pod or service, Otterize will match Prometheus' behavior by allowing all ports.
+To improve security, specify `prometheus.io/port` to require Prometheus to only connect to that port. Otterize will the only allow access to that port.
### AWS IAM
The intents operator enables automatic management of AWS IAM roles and policies according to the
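Review bot: "This behavior can be disabled using the Helm chart's values - `automateThirdPartyNetworkPolicies`" names the key but not the value that disables it; the `allowExternalTraffic` row this key replaces documented `off` for that purpose, so if the new key accepts the same values, say "set `automateThirdPartyNetworkPolicies` to `off`" in both the external-traffic line and the Prometheus line. The Prometheus section should also say what the generated policy allows when `prometheusServerConfigs` is set (traffic only from the configured Prometheus workload to the scrape port) versus what happens when it is not set (no Prometheus policy is created, so scraping stays blocked once a ClientIntents policy applies), since the paragraph currently says "You must set" without stating the failure mode. Typos: "Otterize will the only allow access to that port" should be "will then only allow access to that port"; "This meant that" should be "This means that" since the behavior is current; and list item 2 lacks the terminating period item 1 has.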
diff --git a/docs/reference/intents-operator/helm-chart.mdx b/docs/reference/intents-operator/helm-chart.mdx
index 3023fd03e..858d98a03 100644
--- a/docs/reference/intents-operator/helm-chart.mdx
+++ b/docs/reference/intents-operator/helm-chart.mdx
@@ -17,44 +17,45 @@ If you would like to deploy it on its own, add the Otterize Helm chart repositor
# Parameters
## Global parameters
-| Key | Description | Default |
-|:---------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------|---------|
-| `global.allowGetAllResources` | If defined overrides `allowGetAllResources`. | |
-| `global.telemetry.enabled` | If set to `false`, anonymous telemetries collection will be disabled. | `true` |
-| `global.commonAnnotations` | Annotations to add to all deployed objects. | {} |
-| `global.commonLabels` | Labels to add to all deployed objects. | {} |
-| `global.podAnnotations` | Annotations to add to all deployed pods. | {} |
-| `global.podLabels` | Labels to add to all deployed pods. | {} |
+| Key | Description | Default |
+|:-------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------|---------|
+| `global.allowGetAllResources` | If defined overrides `allowGetAllResources`. | |
+| `global.telemetry.enabled` | If set to `false`, anonymous telemetries collection will be disabled. | `true` |
+| `global.commonAnnotations` | Annotations to add to all deployed objects. | {} |
+| `global.commonLabels` | Labels to add to all deployed objects. | {} |
+| `global.podAnnotations` | Annotations to add to all deployed pods. | {} |
+| `global.podLabels` | Labels to add to all deployed pods. | {} |
| `global.serviceNameOverrideAnnotationName` | Which annotation to use (in the [service name resolution algorithm](/reference/workload-identities#kubernetes-service-identity-resolution)) for setting a pod's service name, if not the default. Use this if you already have annotations on your pods that provide the correct service name. | `intents.otterize.com/service-name` |
| `global.aws.enabled` | Enable or disable AWS integration | `false` |
| `global.aws.eksClusterNameOverride` | EKS cluster name (overrides auto-detection) | `(none)` |
## Operator parameters
-| Key | Description | Default |
-|----------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------|
-| `operator.repository` | Intents Operator image repository. | `otterize` |
-| `operator.image` | Intents Operator image. | `intents-operator` |
-| `operator.tag` | Intents Operator image tag. | `(pinned to latest version as of this Helm chart version's publish)` |
-| `operator.pullPolicy` | Intents Operator image pull policy. | `(none)` |
-| `operator.pullSecrets` | Intents Operator image pull secrets. | `(none)` |
-| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | `false` |
-| `operator.mode` | `defaultActive` or `defaultShadow`.
When `defaultActive` is set, enforcement is enabled by default.
When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a `ProtectedService` resource. | `defaultActive` |
-| `operator.enableEnforcement` | (**Deprecated**; use `mode` instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings. | `true` |
-| `operator.enableNetworkPolicyCreation` | Whether the operator should create *ingress* network policies according to `ClientIntents`. | `true` |
-| `operator.enableEgressNetworkPolicyCreation` | Whether the operator should create *egress* network policies according to `ClientIntents`. | `false` |
-| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. | `true` |
-| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to `ClientIntents`. | `true` |
-| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always`. Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` |
-| `operator.ingressControllerConfigs` | Restricts the automatically created external traffic network policies to only allow access to an ingress controller within the cluster. Only relevant if you use an in-cluster ingress controller, such as nginx or HAProxy. A list of objects with keys `name`, `namespace` and `kind`, such as `ingress-nginx-controller`, `nginx` and `Deployment`. | `(none)` |
-| `operator.ingressControllerAWSALBExempt` | If set to true, the operator will allow all traffic if an Ingress is managed by the AWS ALB Ingress Controller. | `false` |
-| `operator.externallyManagedPolicyWorkloads` | Workloads for which the intents-operator should not manage network policies. These are assumed to have externally managed network policies, which will allow any traffic to/from them. | `(none)` |
-| `operator.resources` | Resources override. | |
-| `operator.enableDatabaseCredentialsCreation` | Enables support for database intents | `true` |
-| `operator.hostNetwork` | Use hostNetwork instead of pod networking | `false` |
-| `operator.metricsPort` | Specify metrics binding port | |
-| `enforcedNamespaces` | When using "shadow enforcement" mode, namespaces in this list will be treated as if the enforcement were active. | `(nil) ` |
-| `watchedNamespaces` | List of namespaces the intents operator should watch. The operator will be blind to any namespace not in this list. | `(nil) meaning watch all` |
-| `extraEnvVars` | Extra environment variables to pass to the intents operator pod. To set an environment variable: `"extraEnvVars[0].name=MY_ENV_VAR"`, to set its value: `"extraEnvVars[0].value=someValue"` | |
+|----------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------|
+| Key | Description | Default |
+| `operator.repository` | Intents Operator image repository. | `otterize` |
+| `operator.image` | Intents Operator image. | `intents-operator` |
+| `operator.tag` | Intents Operator image tag. | `(pinned to latest version as of this Helm chart version's publish)` |
+| `operator.pullPolicy` | Intents Operator image pull policy. | `(none)` |
+| `operator.pullSecrets` | Intents Operator image pull secrets. | `(none)` |
+| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and gets the TLS certificate. | `false` |
+| `operator.mode` | `defaultActive` or `defaultShadow`.
When `defaultActive` is set, enforcement is enabled by default.
When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a `ProtectedService` resource. | `defaultActive` |
+| `operator.enableEnforcement` | (**Deprecated**; use `mode` instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings. | `true` |
+| `operator.enableNetworkPolicyCreation` | Whether the operator should create *ingress* network policies according to `ClientIntents`. | `true` |
+| `operator.enableEgressNetworkPolicyCreation` | Whether the operator should create *egress* network policies according to `ClientIntents`. | `false` |
+| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. | `true` |
+| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to `ClientIntents`. | `true` |
+| `operator.automateThirdPartyNetworkPolicies` | Automatically creates network policies to allow required traffic from load balancers, reverse proxies, and Prometheus by tracking Service and Ingress resources, as well as Prometheus scrape annotations. To enable Prometheus metrics scraping traffic, `prometheusServerConfigs` must be set as well | `ifBlockedByOtterize` |
+| `operator.prometheusServerConfigs` | Restricts the automatically created network policies for Prometheus metrics scraping to only originate from Prometheus server. A list of objects with keys `name`, `namespace` and `kind`, such as `Deployment`. | `(none)` |
+| `operator.ingressControllerConfigs` | Restricts the automatically created external traffic network policies to only allow access to an ingress controller within the cluster. Only relevant if you use an in-cluster ingress controller, such as nginx or HAProxy. A list of objects with keys `name`, `namespace` and `kind`, such as `ingress-nginx-controller`, `nginx` and `Deployment`. | `(none)` |
+| `operator.ingressControllerAWSALBExempt` | If set to true, the operator will allow all traffic if an Ingress is managed by the AWS ALB Ingress Controller. | `false` |
+| `operator.externallyManagedPolicyWorkloads` | Workloads for which the intents-operator should not manage network policies. These are assumed to have externally managed network policies, which will allow any traffic to/from them. | `(none)` |
+| `operator.resources` | Resources override. | |
+| `operator.enableDatabaseCredentialsCreation` | Enables support for database intents | `true` |
+| `operator.hostNetwork` | Use hostNetwork instead of pod networking | `false` |
+| `operator.metricsPort` | Specify metrics binding port | |
+| `enforcedNamespaces` | When using "shadow enforcement" mode, namespaces in this list will be treated as if the enforcement were active. | `(nil) ` |
+| `watchedNamespaces` | List of namespaces the intents operator should watch. The operator will be blind to any namespace not in this list. | `(nil) meaning watch all` |
+| `extraEnvVars` | Extra environment variables to pass to the intents operator pod. To set an environment variable: `"extraEnvVars[0].name=MY_ENV_VAR"`, to set its value: `"extraEnvVars[0].value=someValue"` | |
## Cloud parameters
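Review bot: in the rewritten Operator parameters table the separator row `|-----|-----|-----|` now precedes the header row `| Key | Description | Default |`, so markdown will not render this as a table; put the header row back on the first line. The `operator.allowExternalTraffic` row is removed with nothing saying it was replaced by `operator.automateThirdPartyNetworkPolicies`; add a deprecated row or a note so existing values files are not silently ignored. The new `operator.automateThirdPartyNetworkPolicies` description should list the accepted values (the removed row spelled out `ifBlockedByOtterize`, `off` and `always`, and the default shown here is still `ifBlockedByOtterize`) and is missing its terminating period; in the `operator.prometheusServerConfigs` row, "originate from Prometheus server" should be "originate from the Prometheus server", and an example such as `name`, `namespace`, `kind` values would match the style of the `ingressControllerConfigs` row.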
diff --git a/docs/reference/otterize-chart/README.mdx b/docs/reference/otterize-chart/README.mdx
index fb0ab3e9b..675c7df7f 100644
--- a/docs/reference/otterize-chart/README.mdx
+++ b/docs/reference/otterize-chart/README.mdx
@@ -71,7 +71,8 @@ Further information about intents-operator parameters can be found [in the inten
| `intentsOperator.operator.enableEgressNetworkPolicyCreation` | Whether the operator should create *egress* network policies according to `ClientIntents`. | `false` |
| `intentsOperator.operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. | `true` |
| `intentsOperator.operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to `ClientIntents`. | `true` |
-| `intentsOperator.operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always`. Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` |
+| `operator.automateThirdPartyNetworkPolicies` | Automatically creates network policies to allow required traffic from load balancers, reverse proxies, and Prometheus by tracking Service and Ingress resources, as well as `prometheus.io/scrape` annotations. To enable Prometheus metrics scraping traffic, `prometheusServerConfigs` must be set | `ifBlockedByOtterize` |
+| `operator.prometheusServerConfigs` | Specifies where the Prometheus pods are. Required for Otterize to automatically allow access for Prometheus to pods that request monitoring. A list of objects with keys `name`, `namespace` and `kind`, such as `Deployment`. | `(none)` |
| `intentsOperator.operator.ingressControllerConfigs` | Restricts the automatically created external traffic network policies to only allow access to an ingress controller within the cluster. Only relevant if you use an in-cluster ingress controller, such as nginx or HAProxy. A list of objects with keys `name`, `namespace` and `kind`, such as `ingress-nginx-controller`, `nginx` and `Deployment`. | `(none)` |
| `intentsOperator.operator.ingressControllerAWSALBExempt` | If set to true, the operator will allow all traffic if an Ingress is managed by the AWS ALB Ingress Controller. | `false` |
| `intentsOperator.operator.resources` | Resources override. | |
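Review bot: the two added rows use the keys `operator.automateThirdPartyNetworkPolicies` and `operator.prometheusServerConfigs`, but every other row in this umbrella-chart table is prefixed `intentsOperator.operator.` (see the adjacent `intentsOperator.operator.ingressControllerConfigs`), which is the path this chart uses for the sub-chart's values; rename them to `intentsOperator.operator.automateThirdPartyNetworkPolicies` and `intentsOperator.operator.prometheusServerConfigs`, otherwise a reader copying the key gets a setting that is never applied. The descriptions also diverge from the same rows in helm-chart.mdx ("Specifies where the Prometheus pods are" here versus "Restricts the automatically created network policies for Prometheus metrics scraping" there); keep one wording in both files. As in the other file, the removed `intentsOperator.operator.allowExternalTraffic` row deserves a deprecation note pointing at its replacement.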