From e62007abdf9e49d47a1db12aea259099abcf3636 Mon Sep 17 00:00:00 2001 From: Allen Ray Date: Wed, 4 Mar 2026 15:46:41 -0500 Subject: [PATCH 1/3] add network policies --- ...r-operator_01_network-policy-operator.yaml | 55 +++++++++++++++++++ ..._01_network-policy-controller-manager.yaml | 55 +++++++++++++++++++ ...twork-policy-route-controller-manager.yaml | 55 +++++++++++++++++++ 3 files changed, 165 insertions(+) create mode 100644 manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml create mode 100644 manifests/0000_25_openshift-controller-manager_01_network-policy-controller-manager.yaml create mode 100644 manifests/0000_25_openshift-route-controller-manager_01_network-policy-route-controller-manager.yaml
diff --git a/manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml b/manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml
new file mode 100644
index 000000000..a5bd5289c
--- /dev/null
+++ b/manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml
@@ -0,0 +1,55 @@
+# Network policy for the openshift-controller-manager-operator pod.
+#
+# Egress:
+# - Allow all egress to support communication with the Kubernetes API server,
+# whose IP address and port are not known at manifest time. This implicitly
+# covers DNS resolution as well.
+#
+# Ingress:
+# - Allow ingress on port 8443 (metrics) from the openshift-monitoring namespace
+# so that Prometheus can scrape metrics from the operator.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-operator
+ namespace: openshift-controller-manager-operator
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+spec:
+ podSelector: {} # Core component - selects all pods in the namespace
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 8443
+ egress:
+ - {} # Allow all egress for API server access
+ policyTypes:
+ - Ingress
+ - Egress
+---
+# Default-deny network policy for the openshift-controller-manager-operator namespace.
+# This policy selects all pods in the namespace and enables default-deny for both
+# ingress and egress by specifying policyTypes without any allow rules.
+#
+# NetworkPolicies are additive (use OR logic):
+# - This policy enables default-deny for all pods
+# - Subsequent policies add specific allow rules
+# - If any policy allows traffic, that traffic is permitted
+# - Policies cannot override or block traffic allowed by other policies
+#
+# Without this policy, all pods would have unrestricted network access (allow-all).
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: openshift-controller-manager-operator
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+spec:
+ podSelector: {} # Selects all pods in the namespace
+ policyTypes:
+ - Ingress
+ - Egress
+ # No ingress or egress rules - denies all traffic by default
diff --git a/manifests/0000_25_openshift-controller-manager_01_network-policy-controller-manager.yaml b/manifests/0000_25_openshift-controller-manager_01_network-policy-controller-manager.yaml
new file mode 100644
index 000000000..57dcb3308
--- /dev/null
+++ b/manifests/0000_25_openshift-controller-manager_01_network-policy-controller-manager.yaml
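Review bot: The ingress rule under `ingress:` in the `allow-operator` policy has `ports` but no `from`, so it admits TCP/8443 from any peer in the cluster, not only from the openshift-monitoring namespace as the header comment states; a NetworkPolicy ingress rule with `from` omitted matches all sources. The same gap is in the `allow-controller-manager` and `allow-route-controller-manager` hunks that follow, and it is carried unchanged into the bindata copies `networkpolicy-allow.yaml` and `route-controller-manager-networkpolicy-allow.yaml` in the third patch. Either add a `from` peer that selects the monitoring namespace, as below, or reword the comment to say the port is open to every source, in which case whatever authentication the metrics endpoint performs (not visible here) is the only control on who can scrape it. The `kubernetes.io/metadata.name` label is set by the API server on every namespace, so the selector does not depend on an OpenShift-specific namespace label.
```yaml
  ingress:
  - ports:
    # … unchanged: TCP 8443 …
    from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-monitoring
```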
@@ -0,0 +1,55 @@
+# Network policy for the openshift-controller-manager pods.
+#
+# Egress:
+# - Allow all egress to support communication with the Kubernetes API server,
+# whose IP address and port are not known at manifest time. This implicitly
+# covers DNS resolution as well.
+#
+# Ingress:
+# - Allow ingress on port 8443 (metrics) from the openshift-monitoring namespace
+# so that Prometheus can scrape metrics from the controller-manager pods.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-controller-manager
+ namespace: openshift-controller-manager
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+spec:
+ podSelector: {} # Core component - selects all pods in the namespace
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 8443
+ egress:
+ - {} # Allow all egress for API server access
+ policyTypes:
+ - Ingress
+ - Egress
+---
+# Default-deny network policy for the openshift-controller-manager namespace.
+# This policy selects all pods in the namespace and enables default-deny for both
+# ingress and egress by specifying policyTypes without any allow rules.
+#
+# NetworkPolicies are additive (use OR logic):
+# - This policy enables default-deny for all pods
+# - Subsequent policies add specific allow rules
+# - If any policy allows traffic, that traffic is permitted
+# - Policies cannot override or block traffic allowed by other policies
+#
+# Without this policy, all pods would have unrestricted network access (allow-all).
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: openshift-controller-manager
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+spec:
+ podSelector: {} # Selects all pods in the namespace
+ policyTypes:
+ - Ingress
+ - Egress
+ # No ingress or egress rules - denies all traffic by default
diff --git a/manifests/0000_25_openshift-route-controller-manager_01_network-policy-route-controller-manager.yaml b/manifests/0000_25_openshift-route-controller-manager_01_network-policy-route-controller-manager.yaml
new file mode 100644
index 000000000..74c29515a
--- /dev/null
+++ b/manifests/0000_25_openshift-route-controller-manager_01_network-policy-route-controller-manager.yaml
@@ -0,0 +1,55 @@
+# Network policy for the route-controller-manager pods.
+#
+# Egress:
+# - Allow all egress to support communication with the Kubernetes API server,
+# whose IP address and port are not known at manifest time. This implicitly
+# covers DNS resolution as well.
+#
+# Ingress:
+# - Allow ingress on port 8443 (metrics) from the openshift-monitoring namespace
+# so that Prometheus can scrape metrics from the route-controller-manager pods.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-route-controller-manager
+ namespace: openshift-route-controller-manager
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+spec:
+ podSelector: {} # Core component - selects all pods in the namespace
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 8443
+ egress:
+ - {} # Allow all egress for API server access
+ policyTypes:
+ - Ingress
+ - Egress
+---
+# Default-deny network policy for the openshift-route-controller-manager namespace.
+# This policy selects all pods in the namespace and enables default-deny for both
+# ingress and egress by specifying policyTypes without any allow rules.
+#
+# NetworkPolicies are additive (use OR logic):
+# - This policy enables default-deny for all pods
+# - Subsequent policies add specific allow rules
+# - If any policy allows traffic, that traffic is permitted
+# - Policies cannot override or block traffic allowed by other policies
+#
+# Without this policy, all pods would have unrestricted network access (allow-all).
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: openshift-route-controller-manager
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+spec:
+ podSelector: {} # Selects all pods in the namespace
+ policyTypes:
+ - Ingress
+ - Egress
+ # No ingress or egress rules - denies all traffic by default
From f23b2dbed94769b6e5b439397d497f7db436c27f Mon Sep 17 00:00:00 2001 From: Allen Ray Date: Mon, 9 Mar 2026 11:00:53 -0400 Subject: [PATCH 2/3] address comments --- ...ntroller-manager-operator_01_network-policy-operator.yaml | 4 +++- ...troller-manager_01_network-policy-controller-manager.yaml | 5 ++++- ...r-manager_01_network-policy-route-controller-manager.yaml | 5 ++++- 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml b/manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml
index a5bd5289c..bbcecb392 100644
--- a/manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml
+++ b/manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml
@@ -17,7 +17,9 @@ metadata:
 include.release.openshift.io/self-managed-high-availability: "true"
 include.release.openshift.io/single-node-developer: "true"
 spec:
- podSelector: {} # Core component - selects all pods in the namespace
+ podSelector:
+ matchLabels:
+ app: openshift-controller-manager-operator
 ingress:
 - ports:
 - protocol: TCP
diff --git a/manifests/0000_25_openshift-controller-manager_01_network-policy-controller-manager.yaml b/manifests/0000_25_openshift-controller-manager_01_network-policy-controller-manager.yaml
index 57dcb3308..c540926ec 100644
--- a/manifests/0000_25_openshift-controller-manager_01_network-policy-controller-manager.yaml
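Review bot: The new `matchLabels` values (`app: openshift-controller-manager-operator` here, and `app: openshift-controller-manager-a` / `controller-manager: "true"` and `app: route-controller-manager` / `route-controller-manager: "true"` in the two hunks that follow) are now the only link between each allow policy and the pods it is meant to cover, and nothing in the manifest records where they must match. If one of them drifts from the Deployment's pod template labels, the allow policy silently selects no pods while the default-deny document in the same file (outside this hunk) still selects all of them, so the operand loses API-server egress and metrics ingress with no apply error; the `-a` suffix on `openshift-controller-manager-a` in particular is worth checking against the deployment manifest, which this patch does not touch. I'd add above each `matchLabels`: `# Must match the pod template labels of the corresponding Deployment; a mismatch leaves only default-deny in effect`. The enclosing NetworkPolicy document starts and ends outside the hunk.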
+++ b/manifests/0000_25_openshift-controller-manager_01_network-policy-controller-manager.yaml
@@ -17,7 +17,10 @@ metadata:
 include.release.openshift.io/self-managed-high-availability: "true"
 include.release.openshift.io/single-node-developer: "true"
 spec:
- podSelector: {} # Core component - selects all pods in the namespace
+ podSelector:
+ matchLabels:
+ app: openshift-controller-manager-a
+ controller-manager: "true"
 ingress:
 - ports:
 - protocol: TCP
diff --git a/manifests/0000_25_openshift-route-controller-manager_01_network-policy-route-controller-manager.yaml b/manifests/0000_25_openshift-route-controller-manager_01_network-policy-route-controller-manager.yaml
index 74c29515a..9ec03e3d1 100644
--- a/manifests/0000_25_openshift-route-controller-manager_01_network-policy-route-controller-manager.yaml
+++ b/manifests/0000_25_openshift-route-controller-manager_01_network-policy-route-controller-manager.yaml
@@ -17,7 +17,10 @@ metadata:
 include.release.openshift.io/self-managed-high-availability: "true"
 include.release.openshift.io/single-node-developer: "true"
 spec:
- podSelector: {} # Core component - selects all pods in the namespace
+ podSelector:
+ matchLabels:
+ app: route-controller-manager
+ route-controller-manager: "true"
 ingress:
 - ports:
 - protocol: TCP
From dd09c2fe36717a94132fd29b323253c1c45e886c Mon Sep 17 00:00:00 2001
From: Allen Ray Date: Mon, 9 Mar 2026 13:02:56 -0400 Subject: [PATCH 3/3] move operand networkpolicies to operator managed --- .../networkpolicy-allow.yaml | 29 ++++++++++ .../networkpolicy-default-deny.yaml | 22 +++++++ ...ontroller-manager-networkpolicy-allow.yaml | 29 ++++++++++ ...er-manager-networkpolicy-default-deny.yaml | 22 +++++++ ...erator_01_network-policy-default-deny.yaml | 25 ++++++++ ...r-operator_01_network-policy-operator.yaml | 26 --------- ..._01_network-policy-controller-manager.yaml | 58 ------------------- ...twork-policy-route-controller-manager.yaml | 58 ------------------- pkg/operator/starter.go | 4 ++ 9 files changed, 131 insertions(+), 142 deletions(-) create mode 100644 bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml create mode 100644 bindata/assets/openshift-controller-manager/networkpolicy-default-deny.yaml create mode 100644 bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml create mode 100644 bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-default-deny.yaml create mode 100644 manifests/0000_25_openshift-controller-manager-operator_01_network-policy-default-deny.yaml delete mode 100644 manifests/0000_25_openshift-controller-manager_01_network-policy-controller-manager.yaml delete mode 100644 manifests/0000_25_openshift-route-controller-manager_01_network-policy-route-controller-manager.yaml
diff --git a/bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml b/bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml
new file mode 100644
index 000000000..811b902a9
--- /dev/null
+++ b/bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml
@@ -0,0 +1,29 @@
+# Network policy for the openshift-controller-manager pods.
+#
+# Egress:
+# - Allow all egress to support communication with the Kubernetes API server,
+# whose IP address and port are not known at manifest time. This implicitly
+# covers DNS resolution as well.
+#
+# Ingress:
+# - Allow ingress on port 8443 (metrics) from the openshift-monitoring namespace
+# so that Prometheus can scrape metrics from the controller-manager pods.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-controller-manager
+ namespace: openshift-controller-manager
+spec:
+ podSelector:
+ matchLabels:
+ app: openshift-controller-manager-a
+ controller-manager: "true"
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 8443
+ egress:
+ - {} # Allow all egress for API server access
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/bindata/assets/openshift-controller-manager/networkpolicy-default-deny.yaml b/bindata/assets/openshift-controller-manager/networkpolicy-default-deny.yaml
new file mode 100644
index 000000000..230c13ba4
--- /dev/null
+++ b/bindata/assets/openshift-controller-manager/networkpolicy-default-deny.yaml
@@ -0,0 +1,22 @@
+# Default-deny network policy for the openshift-controller-manager namespace.
+# This policy selects all pods in the namespace and enables default-deny for both
+# ingress and egress by specifying policyTypes without any allow rules.
+#
+# NetworkPolicies are additive (use OR logic):
+# - This policy enables default-deny for all pods
+# - Subsequent policies add specific allow rules
+# - If any policy allows traffic, that traffic is permitted
+# - Policies cannot override or block traffic allowed by other policies
+#
+# Without this policy, all pods would have unrestricted network access (allow-all).
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: openshift-controller-manager
+spec:
+ podSelector: {} # Selects all pods in the namespace
+ policyTypes:
+ - Ingress
+ - Egress
+ # No ingress or egress rules - denies all traffic by default
diff --git a/bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml b/bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml
new file mode 100644
index 000000000..4895de649
--- /dev/null
+++ b/bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml
@@ -0,0 +1,29 @@
+# Network policy for the route-controller-manager pods.
+#
+# Egress:
+# - Allow all egress to support communication with the Kubernetes API server,
+# whose IP address and port are not known at manifest time. This implicitly
+# covers DNS resolution as well.
+#
+# Ingress:
+# - Allow ingress on port 8443 (metrics) from the openshift-monitoring namespace
+# so that Prometheus can scrape metrics from the route-controller-manager pods.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-route-controller-manager
+ namespace: openshift-route-controller-manager
+spec:
+ podSelector:
+ matchLabels:
+ app: route-controller-manager
+ route-controller-manager: "true"
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 8443
+ egress:
+ - {} # Allow all egress for API server access
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-default-deny.yaml b/bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-default-deny.yaml
new file mode 100644
index 000000000..6a81d6928
--- /dev/null
+++ b/bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-default-deny.yaml
@@ -0,0 +1,22 @@
+# Default-deny network policy for the openshift-route-controller-manager namespace.
+# This policy selects all pods in the namespace and enables default-deny for both
+# ingress and egress by specifying policyTypes without any allow rules.
+#
+# NetworkPolicies are additive (use OR logic):
+# - This policy enables default-deny for all pods
+# - Subsequent policies add specific allow rules
+# - If any policy allows traffic, that traffic is permitted
+# - Policies cannot override or block traffic allowed by other policies
+#
+# Without this policy, all pods would have unrestricted network access (allow-all).
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: openshift-route-controller-manager
+spec:
+ podSelector: {} # Selects all pods in the namespace
+ policyTypes:
+ - Ingress
+ - Egress
+ # No ingress or egress rules - denies all traffic by default
diff --git a/manifests/0000_25_openshift-controller-manager-operator_01_network-policy-default-deny.yaml b/manifests/0000_25_openshift-controller-manager-operator_01_network-policy-default-deny.yaml
new file mode 100644
index 000000000..c82642d1c
--- /dev/null
+++ b/manifests/0000_25_openshift-controller-manager-operator_01_network-policy-default-deny.yaml
@@ -0,0 +1,25 @@
+# Default-deny network policy for the openshift-controller-manager-operator namespace.
+# This policy selects all pods in the namespace and enables default-deny for both
+# ingress and egress by specifying policyTypes without any allow rules.
+#
+# NetworkPolicies are additive (use OR logic):
+# - This policy enables default-deny for all pods
+# - Subsequent policies add specific allow rules
+# - If any policy allows traffic, that traffic is permitted
+# - Policies cannot override or block traffic allowed by other policies
+#
+# Without this policy, all pods would have unrestricted network access (allow-all).
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: openshift-controller-manager-operator
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+spec:
+ podSelector: {} # Selects all pods in the namespace
+ policyTypes:
+ - Ingress
+ - Egress
+ # No ingress or egress rules - denies all traffic by default
diff --git a/manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml b/manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml
index bbcecb392..11831a1f0 100644
--- a/manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml
+++ b/manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml
@@ -29,29 +29,3 @@ spec:
 policyTypes:
 - Ingress
 - Egress
----
-# Default-deny network policy for the openshift-controller-manager-operator namespace.
-# This policy selects all pods in the namespace and enables default-deny for both
-# ingress and egress by specifying policyTypes without any allow rules.
-#
-# NetworkPolicies are additive (use OR logic):
-# - This policy enables default-deny for all pods
-# - Subsequent policies add specific allow rules
-# - If any policy allows traffic, that traffic is permitted
-# - Policies cannot override or block traffic allowed by other policies
-#
-# Without this policy, all pods would have unrestricted network access (allow-all).
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: default-deny
- namespace: openshift-controller-manager-operator
- annotations:
- include.release.openshift.io/self-managed-high-availability: "true"
- include.release.openshift.io/single-node-developer: "true"
-spec:
- podSelector: {} # Selects all pods in the namespace
- policyTypes:
- - Ingress
- - Egress
- # No ingress or egress rules - denies all traffic by default
diff --git a/manifests/0000_25_openshift-controller-manager_01_network-policy-controller-manager.yaml b/manifests/0000_25_openshift-controller-manager_01_network-policy-controller-manager.yaml
deleted file mode 100644
index c540926ec..000000000
--- a/manifests/0000_25_openshift-controller-manager_01_network-policy-controller-manager.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-# Network policy for the openshift-controller-manager pods.
-#
-# Egress:
-# - Allow all egress to support communication with the Kubernetes API server,
-# whose IP address and port are not known at manifest time. This implicitly
-# covers DNS resolution as well.
-#
-# Ingress:
-# - Allow ingress on port 8443 (metrics) from the openshift-monitoring namespace
-# so that Prometheus can scrape metrics from the controller-manager pods.
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: allow-controller-manager
- namespace: openshift-controller-manager
- annotations:
- include.release.openshift.io/self-managed-high-availability: "true"
- include.release.openshift.io/single-node-developer: "true"
-spec:
- podSelector:
- matchLabels:
- app: openshift-controller-manager-a
- controller-manager: "true"
- ingress:
- - ports:
- - protocol: TCP
- port: 8443
- egress:
- - {} # Allow all egress for API server access
- policyTypes:
- - Ingress
- - Egress
----
-# Default-deny network policy for the openshift-controller-manager namespace.
-# This policy selects all pods in the namespace and enables default-deny for both
-# ingress and egress by specifying policyTypes without any allow rules.
-#
-# NetworkPolicies are additive (use OR logic):
-# - This policy enables default-deny for all pods
-# - Subsequent policies add specific allow rules
-# - If any policy allows traffic, that traffic is permitted
-# - Policies cannot override or block traffic allowed by other policies
-#
-# Without this policy, all pods would have unrestricted network access (allow-all).
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: default-deny
- namespace: openshift-controller-manager
- annotations:
- include.release.openshift.io/self-managed-high-availability: "true"
- include.release.openshift.io/single-node-developer: "true"
-spec:
- podSelector: {} # Selects all pods in the namespace
- policyTypes:
- - Ingress
- - Egress
- # No ingress or egress rules - denies all traffic by default
diff --git a/manifests/0000_25_openshift-route-controller-manager_01_network-policy-route-controller-manager.yaml b/manifests/0000_25_openshift-route-controller-manager_01_network-policy-route-controller-manager.yaml
deleted file mode 100644
index 9ec03e3d1..000000000
--- a/manifests/0000_25_openshift-route-controller-manager_01_network-policy-route-controller-manager.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-# Network policy for the route-controller-manager pods.
-#
-# Egress:
-# - Allow all egress to support communication with the Kubernetes API server,
-# whose IP address and port are not known at manifest time. This implicitly
-# covers DNS resolution as well.
-#
-# Ingress:
-# - Allow ingress on port 8443 (metrics) from the openshift-monitoring namespace
-# so that Prometheus can scrape metrics from the route-controller-manager pods.
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: allow-route-controller-manager
- namespace: openshift-route-controller-manager
- annotations:
- include.release.openshift.io/self-managed-high-availability: "true"
- include.release.openshift.io/single-node-developer: "true"
-spec:
- podSelector:
- matchLabels:
- app: route-controller-manager
- route-controller-manager: "true"
- ingress:
- - ports:
- - protocol: TCP
- port: 8443
- egress:
- - {} # Allow all egress for API server access
- policyTypes:
- - Ingress
- - Egress
----
-# Default-deny network policy for the openshift-route-controller-manager namespace.
-# This policy selects all pods in the namespace and enables default-deny for both
-# ingress and egress by specifying policyTypes without any allow rules.
-#
-# NetworkPolicies are additive (use OR logic):
-# - This policy enables default-deny for all pods
-# - Subsequent policies add specific allow rules
-# - If any policy allows traffic, that traffic is permitted
-# - Policies cannot override or block traffic allowed by other policies
-#
-# Without this policy, all pods would have unrestricted network access (allow-all).
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: default-deny
- namespace: openshift-route-controller-manager
- annotations:
- include.release.openshift.io/self-managed-high-availability: "true"
- include.release.openshift.io/single-node-developer: "true"
-spec:
- podSelector: {} # Selects all pods in the namespace
- policyTypes:
- - Ingress
- - Egress
- # No ingress or egress rules - denies all traffic by default
diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
index 2d0299eba..762260d1b 100644
--- a/pkg/operator/starter.go
+++ b/pkg/operator/starter.go
@@ -237,6 +237,10 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller
 "assets/openshift-controller-manager/deployer-clusterrolebinding.yaml",
 "assets/openshift-controller-manager/image-trigger-controller-clusterrole.yaml",
 "assets/openshift-controller-manager/image-trigger-controller-clusterrolebinding.yaml",
+ "assets/openshift-controller-manager/networkpolicy-allow.yaml",
+ "assets/openshift-controller-manager/networkpolicy-default-deny.yaml",
+ "assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml",
+ "assets/openshift-controller-manager/route-controller-manager-networkpolicy-default-deny.yaml",
 },
 resourceapply.NewKubeClientHolder(kubeClient),
 opClient,
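Review bot: Applying the four NetworkPolicy assets through the same static-resource list as the ClusterRole and ClusterRoleBinding assets requires the operator's own RBAC to grant get/create/update on `networkpolicies` in `networking.k8s.io` for the openshift-controller-manager and openshift-route-controller-manager namespaces, and this patch changes no RBAC manifest; if that permission is not already present the apply fails and presumably surfaces as a Degraded condition rather than as silently missing policies, so it is worth confirming before merge. The order of the added lines matters and is currently right — each `networkpolicy-allow.yaml` precedes its `*-default-deny.yaml`, so the allow rule exists before the deny policy isolates the operand pods from the API server — but nothing records that, and an alphabetical re-sort of the list would break it. I'd add above the first added line: `// Keep each NetworkPolicy allow asset ahead of its default-deny so operand pods are never isolated before the allow rule exists.` RunOperator starts and ends outside the hunk.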