Add config-operator workload and namespaces network policies

Author: liouk

manifests/0000_10_config-operator_00_networkpolicy_config-operator.yaml

@@ -0,0 +1,47 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    include.release.openshift.io/hypershift: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  name: config-operator-networkpolicy
+  namespace: openshift-config-operator
+spec:
+  podSelector:
+    matchLabels:
+      app: openshift-config-operator
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # allow prometheus to scrape operator for its metrics
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-monitoring
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: prometheus
+    ports:
+    - protocol: TCP
+      port: 8443
+  egress:
+  # allow egress to DNS
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-dns
+      podSelector:
+        matchLabels:
+          dns.operator.openshift.io/daemonset-dns: default
+    ports:
+    - protocol: TCP
+      port: 5353
+    - protocol: UDP
+      port: 5353
+  # allow egress TCP traffic
+  # required for egress to kube-apiserver pods
+  - ports:
+    - protocol: TCP

manifests/0000_10_config-operator_00_networkpolicy_default-deny-all.yaml

@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+   include.release.openshift.io/hypershift: "true"
+   include.release.openshift.io/ibm-cloud-managed: "true"
+   include.release.openshift.io/self-managed-high-availability: "true"
+   include.release.openshift.io/single-node-developer: "true"
+ name: default-deny-all
+ namespace: openshift-config-operator
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress

manifests/0000_10_config-operator_01_openshift-config-managed-ns_networkpolicy_default-deny-all.yaml

@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+   include.release.openshift.io/hypershift: "true"
+   include.release.openshift.io/ibm-cloud-managed: "true"
+   include.release.openshift.io/self-managed-high-availability: "true"
+   include.release.openshift.io/single-node-developer: "true"
+ name: default-deny-all
+ namespace: openshift-config-managed
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress

manifests/0000_10_config-operator_01_openshift-config-ns_networkpolicy_default-deny-all.yaml

@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    include.release.openshift.io/hypershift: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  name: default-deny-all
+  namespace: openshift-config
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress