@@ -0,0 +1,29 @@
# Network policy for the openshift-controller-manager pods.
#
# Egress:
# - Allow all egress to support communication with the Kubernetes API server,
# whose IP address and port are not known at manifest time. This implicitly
# covers DNS resolution as well.
#
# Ingress:
# - Allow ingress on port 8443 (metrics) from the openshift-monitoring namespace
# so that Prometheus can scrape metrics from the controller-manager pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-controller-manager
namespace: openshift-controller-manager
spec:
podSelector:
matchLabels:
app: openshift-controller-manager-a
controller-manager: "true"
ingress:
- ports:
- protocol: TCP
port: 8443
Comment on lines +8 to +24
⚠️ Potential issue | 🟡 Minor

Same issue: comment mentions restricted source but ingress allows all.

Lines 8-10 claim ingress is "from the openshift-monitoring namespace", but the ingress rule has no from selector. This allows any source to connect to port 8443. Same fix as the route-controller-manager policy if restriction is intended.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml` around lines 8 - 24, the NetworkPolicy named allow-controller-manager currently permits ingress on port 8443 but lacks a source restriction; update the spec.ingress of the allow-controller-manager NetworkPolicy to include a from clause that limits traffic to the openshift-monitoring namespace (e.g., add a from: - namespaceSelector with an appropriate label selector matching the monitoring namespace) so only pods from openshift-monitoring can reach port 8443 on pods selected by spec.podSelector (app: openshift-controller-manager-a, controller-manager: "true").

egress:
- {} # Allow all egress for API server access
policyTypes:
- Ingress
- Egress
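Review bot: the `podSelector` (`app: openshift-controller-manager-a`, `controller-manager: "true"`) should be cross-checked against the controller-manager deployment's pod template labels: with `default-deny` selecting every pod in `openshift-controller-manager`, a label mismatch would leave the pods with neither the `- {}` egress nor the port 8443 ingress, i.e. cut off from the API server. Separately, the header comment promises ingress only from `openshift-monitoring`, but the `ingress` entry has `ports` and no `from`, so any pod in the cluster can reach 8443; add a `from` with a `namespaceSelector` for that namespace, or reword the comment.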
@@ -0,0 +1,22 @@
# Default-deny network policy for the openshift-controller-manager namespace.
# This policy selects all pods in the namespace and enables default-deny for both
# ingress and egress by specifying policyTypes without any allow rules.
#
# NetworkPolicies are additive (use OR logic):
# - This policy enables default-deny for all pods
# - Subsequent policies add specific allow rules
# - If any policy allows traffic, that traffic is permitted
# - Policies cannot override or block traffic allowed by other policies
#
# Without this policy, all pods would have unrestricted network access (allow-all).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
namespace: openshift-controller-manager
spec:
podSelector: {} # Selects all pods in the namespace
policyTypes:
- Ingress
- Egress
# No ingress or egress rules - denies all traffic by default
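Review bot: the header comment is accurate about additive semantics, but it should also state that this policy makes every workload in the namespace dependent on a matching allow policy: because `podSelector: {}` selects all pods and both `Ingress` and `Egress` are listed with no rules, any pod not matched by `allow-controller-manager` loses all connectivity, including to the API server and DNS. A short note on apply ordering would also help, since applying this file before the allow policy briefly denies the controller-manager pods.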
@@ -0,0 +1,29 @@
# Network policy for the route-controller-manager pods.
#
# Egress:
# - Allow all egress to support communication with the Kubernetes API server,
# whose IP address and port are not known at manifest time. This implicitly
# covers DNS resolution as well.
#
# Ingress:
# - Allow ingress on port 8443 (metrics) from the openshift-monitoring namespace
# so that Prometheus can scrape metrics from the route-controller-manager pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-route-controller-manager
namespace: openshift-route-controller-manager
spec:
podSelector:
matchLabels:
app: route-controller-manager
route-controller-manager: "true"
ingress:
- ports:
- protocol: TCP
port: 8443
Comment on lines +8 to +24
⚠️ Potential issue | 🟡 Minor

Comment claims restricted source but ingress rule allows all sources.

The comment on lines 8-10 states ingress is allowed "from the openshift-monitoring namespace", but the ingress rule at lines 21-24 has no from selector, meaning it allows TCP 8443 from any source in the cluster.

If the intent is to restrict to Prometheus only, add a namespace selector:

🔒 Proposed fix to restrict ingress source
   ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-monitoring
     ports:
     - protocol: TCP
       port: 8443

If allowing from all sources is intentional, update the comment to reflect that.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml` around lines 8 - 24, the NetworkPolicy named allow-route-controller-manager in namespace openshift-route-controller-manager currently permits ingress to pods matching labels app: route-controller-manager and route-controller-manager: "true" on TCP port 8443 from any source; update the spec.ingress entry to include a from block that restricts sources to the openshift-monitoring namespace (use namespaceSelector with matchLabels or metadata.name selector for the monitoring namespace) so Prometheus alone can scrape metrics, or if open access is intended, change the comment above to say it allows ingress from any source rather than from openshift-monitoring.

egress:
- {} # Allow all egress for API server access
policyTypes:
- Ingress
- Egress
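Review bot: same `from` gap as in `networkpolicy-allow.yaml`; since the proposed `namespaceSelector` with `kubernetes.io/metadata.name: openshift-monitoring` is only shown for this file, whichever resolution is chosen (restrict or reword) should be applied to both allow policies in the same change so the two namespaces do not diverge. Note also that the two-label `podSelector` (`app: route-controller-manager` and `route-controller-manager: "true"`) requires both labels on the pod; a pod carrying only one of them is covered by `default-deny` alone and loses API-server egress.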
@@ -0,0 +1,22 @@
# Default-deny network policy for the openshift-route-controller-manager namespace.
# This policy selects all pods in the namespace and enables default-deny for both
# ingress and egress by specifying policyTypes without any allow rules.
#
# NetworkPolicies are additive (use OR logic):
# - This policy enables default-deny for all pods
# - Subsequent policies add specific allow rules
# - If any policy allows traffic, that traffic is permitted
# - Policies cannot override or block traffic allowed by other policies
#
# Without this policy, all pods would have unrestricted network access (allow-all).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
namespace: openshift-route-controller-manager
spec:
podSelector: {} # Selects all pods in the namespace
policyTypes:
- Ingress
- Egress
# No ingress or egress rules - denies all traffic by default
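Review bot: this file duplicates the `openshift-controller-manager` default-deny policy verbatim apart from `metadata.namespace`, and the same caveat applies: every pod in `openshift-route-controller-manager` must be matched by `allow-route-controller-manager` or it loses all traffic, so that policy's label selector needs to stay in sync with the deployment's pod labels.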
@@ -0,0 +1,25 @@
# Default-deny network policy for the openshift-controller-manager-operator namespace.
# This policy selects all pods in the namespace and enables default-deny for both
# ingress and egress by specifying policyTypes without any allow rules.
#
# NetworkPolicies are additive (use OR logic):
# - This policy enables default-deny for all pods
# - Subsequent policies add specific allow rules
# - If any policy allows traffic, that traffic is permitted
# - Policies cannot override or block traffic allowed by other policies
#
# Without this policy, all pods would have unrestricted network access (allow-all).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
namespace: openshift-controller-manager-operator
annotations:
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
spec:
podSelector: {} # Selects all pods in the namespace
policyTypes:
- Ingress
- Egress
# No ingress or egress rules - denies all traffic by default
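Review bot: unlike the bindata copies, this manifest carries the `include.release.openshift.io/self-managed-high-availability` and `include.release.openshift.io/single-node-developer` annotations, which is expected for a file applied from `manifests/`; please confirm that this is the same cluster-profile set used by the operator's other manifests in that directory, so the default-deny is neither applied on a profile where the operator does not run nor omitted on one where it does.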
@@ -0,0 +1,31 @@
# Network policy for the openshift-controller-manager-operator pod.
#
# Egress:
# - Allow all egress to support communication with the Kubernetes API server,
# whose IP address and port are not known at manifest time. This implicitly
# covers DNS resolution as well.
#
# Ingress:
# - Allow ingress on port 8443 (metrics) from the openshift-monitoring namespace
# so that Prometheus can scrape metrics from the operator.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-operator
namespace: openshift-controller-manager-operator
annotations:
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
spec:
podSelector:
matchLabels:
app: openshift-controller-manager-operator
ingress:
- ports:
- protocol: TCP
port: 8443
Comment on lines +8 to +26
⚠️ Potential issue | 🟡 Minor

Same documentation inconsistency: comment says "from openshift-monitoring" but rule allows all sources.

The comment claims ingress is restricted to the openshift-monitoring namespace, but the ingress rule at lines 23-26 has no from selector. This is consistent with the other allow policies but the documentation should match the implementation.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml` around lines 8 - 26, the doc/comment claims ingress is limited "from openshift-monitoring" but the NetworkPolicy allow-operator (namespace openshift-controller-manager-operator, podSelector app: openshift-controller-manager-operator) currently has no from block and therefore allows all sources; fix by adding a from block to the spec.ingress that restricts traffic to the openshift-monitoring namespace (e.g., add a from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: openshift-monitoring) so the port: 8443 rule truly only allows Prometheus from that namespace, or alternatively update the comment to accurately state that the rule allows all sources—choose one and make the change in the NetworkPolicy manifest.

egress:
- {} # Allow all egress for API server access
policyTypes:
- Ingress
- Egress
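Review bot: the ingress rule here has only `ports` and no `from`, the same comment-versus-rule mismatch as the two bindata allow policies, and because `default-deny` in this namespace is applied alongside it, leaving it as is means every pod in the cluster can reach the operator's 8443 metrics port. Whichever resolution is chosen (add `from` with a `namespaceSelector`, or reword the comment) should be applied to all three allow policies so the documented intent matches the enforced rule everywhere.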
4 changes: 4 additions & 0 deletions pkg/operator/starter.go
@@ -237,6 +237,10 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller
"assets/openshift-controller-manager/deployer-clusterrolebinding.yaml",
"assets/openshift-controller-manager/image-trigger-controller-clusterrole.yaml",
"assets/openshift-controller-manager/image-trigger-controller-clusterrolebinding.yaml",
"assets/openshift-controller-manager/networkpolicy-allow.yaml",
"assets/openshift-controller-manager/networkpolicy-default-deny.yaml",
"assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml",
"assets/openshift-controller-manager/route-controller-manager-networkpolicy-default-deny.yaml",
},
resourceapply.NewKubeClientHolder(kubeClient),
opClient,
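Review bot: the four new paths are inserted into the static resource list with each allow policy listed before its `default-deny`; if the list is applied in order, that avoids a window in which pods are default-denied before their allow rule exists, so a one-line comment would make the ordering deliberate rather than incidental. Also, the two `route-controller-manager-*` files live under `assets/openshift-controller-manager/` but target the `openshift-route-controller-manager` namespace; a comment making that explicit would help the next reader.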