
CNTRLPLANE-2905: add network policies #414

Open
dusk125 wants to merge 3 commits into openshift:master from dusk125:networkpolicies

Conversation

@dusk125 (Contributor) commented Mar 4, 2026

Adds NetworkPolicy resources for both operator and operand namespaces

Summary by CodeRabbit

  • New Features
    • Added Network Policies for enhanced cluster security, implementing default-deny rules that block all traffic by default while explicitly permitting essential communication paths for controller managers and operators.

@openshift-ci-robot (Contributor) commented Mar 4, 2026

@dusk125: This pull request references CNTRLPLANE-2905 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.


In response to this:

Adds NetworkPolicy resources for both operator and operand namespaces

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 4, 2026
@openshift-ci openshift-ci bot requested review from deads2k and prabhapa March 4, 2026 20:50
@openshift-ci bot (Contributor) commented Mar 4, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dusk125
Once this PR has been reviewed and has the lgtm label, please assign adambkaplan for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@dusk125 (Contributor, Author) commented Mar 5, 2026

/retest-required

1 similar comment
@dusk125 (Contributor, Author) commented Mar 5, 2026

/retest-required

@coderabbitai bot commented Mar 9, 2026

Walkthrough

This PR adds Kubernetes NetworkPolicy resources implementing default-deny and explicit allow-ingress traffic patterns for openshift-controller-manager, route-controller-manager, and openshift-controller-manager-operator components. The changes also register these policies in the operator's static resource reconciliation configuration.

Changes

Cohort / File(s) Summary
Network Policies - Controller Manager
bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml, bindata/assets/openshift-controller-manager/networkpolicy-default-deny.yaml
Adds default-deny and allow policies for openshift-controller-manager pods. Allow policy permits ingress on TCP port 8443 and unrestricted egress for API server communication and metrics scraping.
Network Policies - Route Controller Manager
bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml, bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-default-deny.yaml
Adds default-deny and allow policies for route-controller-manager pods. Allow policy permits ingress on TCP port 8443 and unrestricted egress.
Network Policies - Operator
manifests/0000_25_openshift-controller-manager-operator_01_network-policy-default-deny.yaml, manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml
Adds default-deny and allow policies for openshift-controller-manager-operator. Allow policy selects operator pods and permits ingress on TCP port 8443 with unrestricted egress, including HA and single-node developer annotations.
Operator Configuration
pkg/operator/starter.go
Registers four NetworkPolicy assets (controller-manager and route-controller-manager policies) in the StaticResourceController reconciliation list.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the main change: adding network policies. It accurately summarizes the primary objective and is directly related to all the changeset modifications.
Stable And Deterministic Test Names ✅ Passed This PR does not contain any Ginkgo test files or test name modifications. All changed files are YAML resource definitions and a Go source file with no test code.
Test Structure And Quality ✅ Passed PR contains only YAML manifest files and a minimal Go change; no Ginkgo test code is added or modified.


@openshift-ci-robot (Contributor) commented Mar 9, 2026

@dusk125: This pull request references CNTRLPLANE-2905 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.


In response to this:

Adds NetworkPolicy resources for both operator and operand namespaces

Summary by CodeRabbit

  • New Features
  • Added Network Policies for enhanced cluster security, implementing default-deny rules that block all traffic by default while explicitly permitting essential communication paths for controller managers and operators.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml`:
- Around line 8-24: The NetworkPolicy named allow-controller-manager currently
permits ingress on port 8443 but lacks a source restriction; update the
spec.ingress of the allow-controller-manager NetworkPolicy to include a from
clause that limits traffic to the openshift-monitoring namespace (e.g., add a
from: - namespaceSelector with an appropriate label selector matching the
monitoring namespace) so only pods from openshift-monitoring can reach port 8443
on pods selected by spec.podSelector (app: openshift-controller-manager-a,
controller-manager: "true").

In
`@bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml`:
- Around line 8-24: The NetworkPolicy named allow-route-controller-manager in
namespace openshift-route-controller-manager currently permits ingress to pods
matching labels app: route-controller-manager and route-controller-manager:
"true" on TCP port 8443 from any source; update the spec.ingress entry to
include a from block that restricts sources to the openshift-monitoring
namespace (use namespaceSelector with matchLabels or metadata.name selector for
the monitoring namespace) so Prometheus alone can scrape metrics, or if open
access is intended, change the comment above to say it allows ingress from any
source rather than from openshift-monitoring.

In
`@manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml`:
- Around line 8-26: The doc/comment claims ingress is limited "from
openshift-monitoring" but the NetworkPolicy allow-operator (namespace
openshift-controller-manager-operator, podSelector app:
openshift-controller-manager-operator) currently has no from block and therefore
allows all sources; fix by adding a from block to the spec.ingress that
restricts traffic to the openshift-monitoring namespace (e.g., add a from: -
namespaceSelector: matchLabels: kubernetes.io/metadata.name:
openshift-monitoring) so the port: 8443 rule truly only allows Prometheus from
that namespace, or alternatively update the comment to accurately state that the
rule allows all sources—choose one and make the change in the NetworkPolicy
manifest.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2eea60ce-ba75-46c4-9a24-3663c5f3bbdd

📥 Commits

Reviewing files that changed from the base of the PR and between ec06b68 and dd09c2f.

📒 Files selected for processing (7)
  • bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml
  • bindata/assets/openshift-controller-manager/networkpolicy-default-deny.yaml
  • bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml
  • bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-default-deny.yaml
  • manifests/0000_25_openshift-controller-manager-operator_01_network-policy-default-deny.yaml
  • manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml
  • pkg/operator/starter.go

Comment on lines +8 to +24
# Ingress:
# - Allow ingress on port 8443 (metrics) from the openshift-monitoring namespace
# so that Prometheus can scrape metrics from the controller-manager pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-controller-manager
namespace: openshift-controller-manager
spec:
podSelector:
matchLabels:
app: openshift-controller-manager-a
controller-manager: "true"
ingress:
- ports:
- protocol: TCP
port: 8443
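Review bot: the `ingress` entry closing this hunk carries `ports` only and no `from`, so under NetworkPolicy semantics any pod in the cluster may reach TCP 8443 on the selected pods, which contradicts the header comment about openshift-monitoring; either add a `from` peer (a `namespaceSelector` for the monitoring namespace) or reword the comment. Related: `policyTypes` is omitted, so the API server treats this policy as Ingress-only unless an `egress` list follows line 24; stating `policyTypes` explicitly would make the intended scope visible beside the default-deny policy.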
⚠️ Potential issue | 🟡 Minor

Same issue: comment mentions restricted source but ingress allows all.

Lines 8-10 claim ingress is "from the openshift-monitoring namespace", but the ingress rule has no from selector. This allows any source to connect to port 8443. Same fix as the route-controller-manager policy if restriction is intended.


Comment on lines +8 to +24
# Ingress:
# - Allow ingress on port 8443 (metrics) from the openshift-monitoring namespace
# so that Prometheus can scrape metrics from the route-controller-manager pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-route-controller-manager
namespace: openshift-route-controller-manager
spec:
podSelector:
matchLabels:
app: route-controller-manager
route-controller-manager: "true"
ingress:
- ports:
- protocol: TCP
port: 8443
⚠️ Potential issue | 🟡 Minor

Comment claims restricted source but ingress rule allows all sources.

The comment on lines 8-10 states ingress is allowed "from the openshift-monitoring namespace", but the ingress rule at lines 21-24 has no from selector, meaning it allows TCP 8443 from any source in the cluster.

If the intent is to restrict to Prometheus only, add a namespace selector:

🔒 Proposed fix to restrict ingress source
   ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-monitoring
     ports:
     - protocol: TCP
       port: 8443
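Review bot: the `kubernetes.io/metadata.name` key in the added `namespaceSelector` is the right choice, since the API server sets that label on every namespace and users cannot alter it. A `namespaceSelector` alone still admits every pod in openshift-monitoring, not only Prometheus; if scraping should be limited to Prometheus, a `podSelector` in the same `from` entry (the two selectors in one peer are ANDed) narrows it further.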

If allowing from all sources is intentional, update the comment to reflect that.

📝 Committable suggestion


Suggested change
# Ingress:
# - Allow ingress on port 8443 (metrics) from the openshift-monitoring namespace
# so that Prometheus can scrape metrics from the route-controller-manager pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-route-controller-manager
namespace: openshift-route-controller-manager
spec:
podSelector:
matchLabels:
app: route-controller-manager
route-controller-manager: "true"
ingress:
- ports:
- protocol: TCP
port: 8443
# Ingress:
# - Allow ingress on port 8443 (metrics) from the openshift-monitoring namespace
# so that Prometheus can scrape metrics from the route-controller-manager pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-route-controller-manager
namespace: openshift-route-controller-manager
spec:
podSelector:
matchLabels:
app: route-controller-manager
route-controller-manager: "true"
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-monitoring
ports:
- protocol: TCP
port: 8443

Comment on lines +8 to +26
# Ingress:
# - Allow ingress on port 8443 (metrics) from the openshift-monitoring namespace
# so that Prometheus can scrape metrics from the operator.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-operator
namespace: openshift-controller-manager-operator
annotations:
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
spec:
podSelector:
matchLabels:
app: openshift-controller-manager-operator
ingress:
- ports:
- protocol: TCP
port: 8443
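Review bot: same gap as the operand policies: the `ingress` entry at the end of this hunk has `ports` but no `from`, so the "from the openshift-monitoring namespace" comment is not what the policy enforces. Because this manifest lives under manifests/ and carries `include.release.openshift.io` annotations, it is applied by the release payload rather than reconciled from bindata by the operator (starter.go registers only the four operand policies), so whichever way this is resolved, the change belongs in this file.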
⚠️ Potential issue | 🟡 Minor

Same documentation inconsistency: comment says "from openshift-monitoring" but rule allows all sources.

The comment claims ingress is restricted to the openshift-monitoring namespace, but the ingress rule at lines 23-26 has no from selector. This is consistent with the other allow policies but the documentation should match the implementation.

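The three review comments above rest on one semantic point: in a NetworkPolicy ingress rule, a `from` clause that is absent means "any source", not "no source", while a `ports` clause that is absent means "any port". The evaluator below is an added example, not code from this PR or from the openshift project. It mirrors the quoted allow policy as a Python dict, pairs it with a constructed default-deny policy (the PR's default-deny manifests are not shown in this thread, so that one is an assumption about their shape), and evaluates which sources reach port 8443 before and after the proposed `from` clause. The Prometheus and "stranger" source pods, their namespace labels and the pod label on the Prometheus pod are constructed sample values; `unrestricted_ingress_rules` is a small lint check that would have flagged all three manifests.

```python
# Added example (not the PR's code): a minimal evaluator of NetworkPolicy
# ingress semantics, enough to show that a rule with `ports` but no `from`
# admits every source. Policy dicts mirror the YAML quoted in the review;
# DEFAULT_DENY is an assumption, since that manifest is not shown here.
from dataclasses import dataclass, field


@dataclass
class Source:
    """A connecting pod: its namespace, that namespace's labels, its own labels."""
    namespace: str
    ns_labels: dict = field(default_factory=dict)
    pod_labels: dict = field(default_factory=dict)


def effective_policy_types(spec):
    """API-server defaulting: explicit policyTypes wins; otherwise Ingress always
    applies and Egress applies only when an egress section is present."""
    if "policyTypes" in spec:
        return list(spec["policyTypes"])
    return ["Ingress", "Egress"] if "egress" in spec else ["Ingress"]


def selector_matches(selector, labels):
    """matchLabels only (matchExpressions omitted); an empty selector matches all."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_allows(peer, policy_ns, src):
    """One NetworkPolicyPeer: namespaceSelector and podSelector are ANDed; a
    podSelector without namespaceSelector only reaches the policy's own namespace."""
    if "ipBlock" in peer:
        return False  # CIDR peers are out of scope for this example
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:
        if src.namespace != policy_ns:
            return False
    elif not selector_matches(ns_sel, src.ns_labels):
        return False
    return pod_sel is None or selector_matches(pod_sel, src.pod_labels)


def rule_allows(rule, policy_ns, src, port, protocol):
    """No `ports` means every port; no `from` means every source (the review's finding)."""
    ports = rule.get("ports")
    if ports is not None and not any(
        p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports
    ):
        return False
    peers = rule.get("from")
    return peers is None or any(peer_allows(p, policy_ns, src) for p in peers)


def ingress_allowed(policies, dst_ns, dst_labels, src, port, protocol="TCP"):
    """Union semantics: if no policy isolates the pod for ingress, traffic flows;
    otherwise it flows only if some selecting policy has a rule that allows it."""
    isolating = [
        p for p in policies
        if p["metadata"]["namespace"] == dst_ns
        and selector_matches(p["spec"].get("podSelector"), dst_labels)
        and "Ingress" in effective_policy_types(p["spec"])
    ]
    if not isolating:
        return True
    return any(rule_allows(r, dst_ns, src, port, protocol)
               for p in isolating for r in p["spec"].get("ingress", []))


def unrestricted_ingress_rules(policy):
    """Lint check: indices of ingress rules that have no `from` peers at all."""
    return [i for i, r in enumerate(policy["spec"].get("ingress", [])) if "from" not in r]


NS = "openshift-controller-manager"
CM_LABELS = {"app": "openshift-controller-manager-a", "controller-manager": "true"}
MONITORING_NS = {"kubernetes.io/metadata.name": "openshift-monitoring"}
METRICS_PORT = [{"protocol": "TCP", "port": 8443}]

# Assumed shape of the PR's default-deny policy: selects every pod, both directions.
DEFAULT_DENY = {"metadata": {"name": "default-deny", "namespace": NS},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
# Mirrors networkpolicy-allow.yaml as quoted in the review: ports, no from.
ALLOW_AS_SUBMITTED = {"metadata": {"name": "allow-controller-manager", "namespace": NS},
                      "spec": {"podSelector": {"matchLabels": CM_LABELS},
                               "ingress": [{"ports": METRICS_PORT}]}}
# The same policy with the namespaceSelector the review proposed.
ALLOW_RESTRICTED = {"metadata": {"name": "allow-controller-manager", "namespace": NS},
                    "spec": {"podSelector": {"matchLabels": CM_LABELS},
                             "ingress": [{"from": [{"namespaceSelector": {"matchLabels": MONITORING_NS}}],
                                         "ports": METRICS_PORT}]}}

# Constructed sample sources: a Prometheus pod and a pod in an unrelated namespace.
PROMETHEUS = Source("openshift-monitoring", MONITORING_NS, {"app.kubernetes.io/name": "prometheus"})
STRANGER = Source("user-workload", {"kubernetes.io/metadata.name": "user-workload"}, {"app": "x"})


def compare(port=8443):
    """Who reaches the controller-manager metrics port under each allow policy."""
    out = {}
    for name, allow in (("submitted", ALLOW_AS_SUBMITTED), ("restricted", ALLOW_RESTRICTED)):
        out[name] = {label: ingress_allowed([DEFAULT_DENY, allow], NS, CM_LABELS, src, port)
                     for label, src in (("prometheus", PROMETHEUS), ("stranger", STRANGER))}
    return out


if __name__ == "__main__":
    print(compare())
    print("rules without from:", unrestricted_ingress_rules(ALLOW_AS_SUBMITTED))
```

Running it shows the "submitted" variant admitting both the Prometheus pod and the stranger on 8443 (the default-deny policy is present but the allow rule's missing `from` overrides it for that port), while the "restricted" variant admits only the Prometheus pod; any other port stays closed under both. The evaluator models only `matchLabels` selectors and skips `ipBlock` peers, which is sufficient for the manifests in this PR.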

@openshift-ci bot (Contributor) commented Mar 9, 2026

@dusk125: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.


3 participants