Merged
31 changes: 31 additions & 0 deletions bindata/v3.11.0/openshift-apiserver/networkpolicy-allow.yaml
@@ -0,0 +1,31 @@
# Network policy for openshift-apiserver operand pods.
#
# Unlike kube-apiserver and etcd, the openshift-apiserver pods run on the pod
# network (they do NOT use hostNetwork), so NetworkPolicy applies to them.
#
# Egress:
# - Allow all egress for API server communication, etcd access, and DNS
# resolution. All egress is permitted because destination addresses can vary
# by cluster configuration.
#
# Ingress:
# - Allow ingress on port 8443 for API requests and metrics scraping.
# The apiserver performs its own authentication/authorization.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-apiserver
namespace: openshift-apiserver
spec:
podSelector:
matchLabels:
apiserver: "true"
ingress:
- ports:
- protocol: TCP
port: 8443
egress:
- {}
Comment on lines +27 to +28
@coderabbitai coderabbitai Bot Mar 10, 2026
⚠️ Potential issue | 🟠 Major

egress: - {} removes meaningful egress isolation.

This rule allows every destination and port for the selected pods, so the companion default-deny no longer constrains outbound traffic from openshift-apiserver. If the goal is to harden the operand namespace, replace the unconditional allow with only the required DNS / kube-apiserver / etcd paths.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@bindata/v3.11.0/openshift-apiserver/networkpolicy-allow.yaml` around lines 27-28, the current egress entry "egress: - {}" in the NetworkPolicy for
openshift-apiserver removes egress isolation; remove that unconditional allow
and replace it with explicit egress rules limited to only required
destinations/ports (e.g., DNS to cluster DNS service on UDP/TCP 53,
kube-apiserver service on TCP 443, etcd endpoints on TCP 2379/2380) so the
companion default-deny can effectively restrict outbound traffic; update the
resource containing the "egress" key and its empty-item entry so it enumerates
only the minimal allowed to/from selectors instead of "- {}".

Contributor Author
Network policies do not allow us to select endpoints on the host network (which the API server is running on). So we would either need to generate a network policy dynamically that contains the endpoints of the kubernetes service and regenerate it when they change, or we allow any egress (since the port is changeable).

Our guidance for this feature was to do the latter.



@dusk125, understood — since kube-apiserver and etcd run on the host network, NetworkPolicy pod/namespace selectors can't target them, making static egress restrictions impractical without a dynamic controller. Allowing all egress is the correct approach here. Thanks for the explanation!
policyTypes:
- Ingress
- Egress
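Review bot: the egress rationale in the header comment ("destination addresses can vary by cluster configuration") understates the real constraint that surfaced in the thread on this hunk: kube-apiserver and etcd are hostNetwork endpoints, which a NetworkPolicy `to:` selector cannot target, so a static allow-list is not possible without a controller regenerating the policy as endpoints change. Put that sentence into the comment so the `egress: - {}` entry is not re-flagged on the next review. It is also worth stating explicitly that the ingress rule carries no `from:` clause, so port 8443 is reachable from any peer on the pod network; that matches the "performs its own authentication/authorization" note but should be said outright rather than left implicit.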
@@ -0,0 +1,21 @@
# Default-deny policy for the openshift-apiserver namespace.
# This policy selects all pods in the namespace and enables default-deny for both
# ingress and egress by specifying policyTypes without any allow rules.
#
# NetworkPolicies are additive (use OR logic):
# - This policy enables default-deny for all pods
# - Subsequent policies add specific allow rules
# - If any policy allows traffic, that traffic is permitted
# - Policies cannot override or block traffic allowed by other policies
#
# Without this policy, all pods would have unrestricted network access (allow-all).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
namespace: openshift-apiserver
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
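Review bot: `podSelector: {}` isolates every pod in openshift-apiserver, but the only allow policy added for this namespace keys on the label `apiserver: "true"`; any pod the operator creates in the namespace without that label (none are visible in this diff) would lose all ingress and egress, DNS included. Confirm that the label is present on every operand pod and add a line to the header next to the "Subsequent policies add specific allow rules" bullet naming the label the allow policy depends on.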
31 changes: 31 additions & 0 deletions manifests/11_networkpolicies.yaml
@@ -0,0 +1,31 @@
# Network policy for the openshift-apiserver-operator pod.
#
# Egress:
# - Allow all egress to support communication with the Kubernetes API server,
# whose IP address and port are not known at manifest time. This implicitly
# covers DNS resolution as well.
#
# Ingress:
# - Allow ingress on port 8443 (metrics) so that Prometheus can scrape metrics
# from the operator.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-operator
namespace: openshift-apiserver-operator
annotations:
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
spec:
podSelector:
matchLabels:
app: openshift-apiserver-operator
ingress:
- ports:
- protocol: TCP
port: 8443
egress:
- {}
policyTypes:
- Ingress
- Egress
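Review bot: the ingress rule on port 8443 has no `from:` clause, so the "so that Prometheus can scrape metrics" comment describes the intent but not what the policy enforces: any peer on the pod network may reach the operator's metrics endpoint. If only the monitoring stack should reach it, add a `from:` entry with a `namespaceSelector` for the monitoring namespace (assuming that namespace carries a label the policy can select on); otherwise reword the comment to say the port is open to all sources and what protects the endpoint, as the operand policy's header does.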
24 changes: 24 additions & 0 deletions manifests/11_networkpolicies_default-deny.yaml
@@ -0,0 +1,24 @@
# Default-deny policy for the openshift-apiserver-operator namespace.
# This policy selects all pods in the namespace and enables default-deny for both
# ingress and egress by specifying policyTypes without any allow rules.
#
# NetworkPolicies are additive (use OR logic):
# - This policy enables default-deny for all pods
# - Subsequent policies add specific allow rules
# - If any policy allows traffic, that traffic is permitted
# - Policies cannot override or block traffic allowed by other policies
#
# Without this policy, all pods would have unrestricted network access (allow-all).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
namespace: openshift-apiserver-operator
annotations:
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
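Review bot: the two release-inclusion annotations (`self-managed-high-availability` and `single-node-developer`) decide which cluster profiles ship this default-deny, and they must match the annotation set on `11_networkpolicies.yaml` and on the operator's own deployment manifest (not part of this diff): a profile that deploys the operator without this file silently keeps allow-all, while a profile that receives this default-deny without the companion allow policy would cut the operator off from the API server. A one-line comment above `annotations:` noting that the two network policy manifests must carry identical profile annotations would make that coupling visible.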
2 changes: 2 additions & 0 deletions pkg/operator/starter.go
Expand Up @@ -267,6 +267,8 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller
"v3.11.0/openshift-apiserver/svc.yaml",
"v3.11.0/openshift-apiserver/sa.yaml",
"v3.11.0/openshift-apiserver/trusted_ca_cm.yaml",
"v3.11.0/openshift-apiserver/networkpolicy-allow.yaml",
"v3.11.0/openshift-apiserver/networkpolicy-default-deny.yaml",
},
},
{
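Review bot: `networkpolicy-allow.yaml` is listed before `networkpolicy-default-deny.yaml`, which is the safe order if these assets are applied sequentially: the allow rule exists before isolation takes effect, so operand connections to the API server and etcd are not severed during a first rollout or an upgrade. Add a short comment on these two entries so the order survives future edits to the list, and confirm that both filenames match the assets regenerated in `bindata.go` further down in this PR.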
92 changes: 92 additions & 0 deletions pkg/operator/v311_00_assets/bindata.go