diff --git a/assets/overlays/openstack-manila/base/network-policy-allow-all-egress.yaml b/assets/overlays/openstack-manila/base/network-policy-allow-all-egress.yaml
new file mode 100644
index 000000000..94a02c41b
--- /dev/null
+++ b/assets/overlays/openstack-manila/base/network-policy-allow-all-egress.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-all-egress
+ namespace: ${NAMESPACE}
+ annotations:
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ capability.openshift.io/name: Storage
+spec:
+ podSelector:
+ matchLabels:
+ openshift.storage.network-policy.all-egress: allow
+ egress:
+ - ports:
+ - protocol: TCP
+ port: 1
+ endPort: 65535
+ policyTypes:
+ - Egress
diff --git a/assets/overlays/openstack-manila/base/network-policy-allow-egress-to-api-server.yaml b/assets/overlays/openstack-manila/base/network-policy-allow-egress-to-api-server.yaml
new file mode 100644
index 000000000..1ebc17fd0
--- /dev/null
+++ b/assets/overlays/openstack-manila/base/network-policy-allow-egress-to-api-server.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-egress-to-api-server
+ namespace: ${NAMESPACE}
+ annotations:
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ capability.openshift.io/name: Storage
+spec:
+ podSelector:
+ matchLabels:
+ openshift.storage.network-policy.api-server: allow
+ egress:
+ - ports:
+ - protocol: TCP
+ port: 6443
+ policyTypes:
+ - Egress
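Review bot: `allow-all-egress` in the first hunk opens TCP 1–65535 to any destination but carries no UDP or SCTP rule, so once a default-deny policy exists in the namespace a pod labelled `openshift.storage.network-policy.all-egress: allow` still has no UDP egress beyond what `allow-to-dns` grants; the policy name does not say so. Record the intent in the base file so the next reader neither widens nor narrows it by accident, e.g. above `spec:`: `# Unrestricted TCP egress to any destination (no 'to' selector). UDP/SCTP are deliberately excluded; DNS is covered by allow-to-dns.` If the OpenStack endpoints the controller must reach are known at render time, `ipBlock` entries under `to:` would be the tighter alternative; I cannot tell from this hunk whether they are.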
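Review bot: `allow-egress-to-api-server` in the second hunk is a port-only rule: with no `to:` block it permits TCP/6443 to every address, not just the API server, so the policy name overstates what it enforces. The same selector-less shape appears in `allow-ingress-to-metrics` in the next hunk (no `from:`), so whatever is decided here should be applied there as well. A pod-based `to:` can only name in-cluster pods, which in the standalone flavour typically does not cover the API server, so tightening would need a cluster-specific `ipBlock`; in HyperShift, if `${NAMESPACE}` resolves to the hosted control plane namespace, a podSelector on the kube-apiserver pods may be feasible. Until then, state the limitation in the base file above `egress:`: `# Port-only rule: no destination selector, so TCP/6443 is reachable at any address, not only the API server.`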
diff --git a/assets/overlays/openstack-manila/base/network-policy-allow-ingress-to-metrics.yaml b/assets/overlays/openstack-manila/base/network-policy-allow-ingress-to-metrics.yaml
new file mode 100644
index 000000000..77cca884b
--- /dev/null
+++ b/assets/overlays/openstack-manila/base/network-policy-allow-ingress-to-metrics.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-ingress-to-metrics-range
+ namespace: ${NAMESPACE}
+ annotations:
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ capability.openshift.io/name: Storage
+spec:
+ podSelector:
+ matchLabels:
+ openshift.storage.network-policy.metrics-range: allow
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 9201
+ endPort: 9223
+ policyTypes:
+ - Ingress
diff --git a/assets/overlays/openstack-manila/base/network-policy-allow-to-dns.yaml b/assets/overlays/openstack-manila/base/network-policy-allow-to-dns.yaml
new file mode 100644
index 000000000..295c4a4d2
--- /dev/null
+++ b/assets/overlays/openstack-manila/base/network-policy-allow-to-dns.yaml
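Review bot: `allow-ingress-to-metrics-range` opens 23 ports (9201–9223) without saying which containers listen on them, and nothing in the hunk ties the range to the controller's containers, so a reader cannot tell whether the span is deliberate headroom or exactly what is bound. Add a comment above `ingress:` naming the listeners, e.g. `# Ports 9201-9223: <one per controller container exposing metrics -- fill in from controller.yaml>; keep in sync with controller.yaml.` with the placeholder replaced by the real list. If the range is wider than what is bound today, shrinking it to the bound ports keeps a future container from becoming reachable on these ports by accident. The absent `from:` selector is the point already raised on the `allow-egress-to-api-server` hunk and applies here unchanged.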
@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-to-dns
+ namespace: ${NAMESPACE}
+ annotations:
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ capability.openshift.io/name: Storage
+spec:
+ podSelector:
+ matchLabels:
+ openshift.storage.network-policy.dns: allow
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-dns
+ podSelector:
+ matchLabels:
+ dns.operator.openshift.io/daemonset-dns: default
+ ports:
+ - protocol: TCP
+ port: dns-tcp
+ - protocol: UDP
+ port: dns
+ policyTypes:
+ - Egress
diff --git a/assets/overlays/openstack-manila/generated/hypershift/manifests.yaml b/assets/overlays/openstack-manila/generated/hypershift/manifests.yaml
index 204364ac9..dc28f2e4b 100644
--- a/assets/overlays/openstack-manila/generated/hypershift/manifests.yaml
+++ b/assets/overlays/openstack-manila/generated/hypershift/manifests.yaml
@@ -3,6 +3,10 @@ controllerStaticAssetNames:
 - controller.yaml
 - controller_pdb.yaml
 - controller_sa.yaml
+- network-policy-allow-all-egress.yaml
+- network-policy-allow-egress-to-api-server.yaml
+- network-policy-allow-ingress-to-metrics.yaml
+- network-policy-allow-to-dns.yaml
 - service.yaml
 guestStaticAssetNames:
 - csidriver.yaml
diff --git a/assets/overlays/openstack-manila/generated/hypershift/network-policy-allow-all-egress.yaml b/assets/overlays/openstack-manila/generated/hypershift/network-policy-allow-all-egress.yaml
new file mode 100644
index 000000000..6ff74a4aa
--- /dev/null
+++ b/assets/overlays/openstack-manila/generated/hypershift/network-policy-allow-all-egress.yaml
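Review bot: `allow-to-dns` relies on named ports (`dns-tcp`, `dns`), which a NetworkPolicy resolves against the containerPort names of the pods matched by `to:`; it therefore works only while the selected `openshift-dns` pods expose ports with exactly those names, and a mismatch fails closed with no error at apply time. That dependency is invisible in the base file, so a comment above `ports:` would save the next debugger a detour: `# Named ports resolve against the selected openshift-dns pods' containerPort names (dns-tcp/TCP, dns/UDP); if resolution breaks, check those names first.` The rest of the rule (namespace plus pod selector, both protocols) is as narrow as it should be.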
@@ -0,0 +1,28 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/openstack-manila/base/network-policy-allow-all-egress.yaml
+#
+#
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ capability.openshift.io/name: Storage
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ name: allow-all-egress
+ namespace: ${NAMESPACE}
+spec:
+ egress:
+ - ports:
+ - endPort: 65535
+ port: 1
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ openshift.storage.network-policy.all-egress: allow
+ policyTypes:
+ - Egress
diff --git a/assets/overlays/openstack-manila/generated/hypershift/network-policy-allow-egress-to-api-server.yaml b/assets/overlays/openstack-manila/generated/hypershift/network-policy-allow-egress-to-api-server.yaml
new file mode 100644
index 000000000..7b1ced94d
--- /dev/null
+++ b/assets/overlays/openstack-manila/generated/hypershift/network-policy-allow-egress-to-api-server.yaml
@@ -0,0 +1,27 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/openstack-manila/base/network-policy-allow-egress-to-api-server.yaml
+#
+#
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ capability.openshift.io/name: Storage
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ name: allow-egress-to-api-server
+ namespace: ${NAMESPACE}
+spec:
+ egress:
+ - ports:
+ - port: 6443
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ openshift.storage.network-policy.api-server: allow
+ policyTypes:
+ - Egress
diff --git a/assets/overlays/openstack-manila/generated/hypershift/network-policy-allow-ingress-to-metrics.yaml b/assets/overlays/openstack-manila/generated/hypershift/network-policy-allow-ingress-to-metrics.yaml
new file mode 100644
index 000000000..9a09ac7a8
--- /dev/null
+++ b/assets/overlays/openstack-manila/generated/hypershift/network-policy-allow-ingress-to-metrics.yaml
@@ -0,0 +1,28 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/openstack-manila/base/network-policy-allow-ingress-to-metrics.yaml
+#
+#
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ capability.openshift.io/name: Storage
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ name: allow-ingress-to-metrics-range
+ namespace: ${NAMESPACE}
+spec:
+ ingress:
+ - ports:
+ - endPort: 9223
+ port: 9201
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ openshift.storage.network-policy.metrics-range: allow
+ policyTypes:
+ - Ingress
diff --git a/assets/overlays/openstack-manila/generated/hypershift/network-policy-allow-to-dns.yaml b/assets/overlays/openstack-manila/generated/hypershift/network-policy-allow-to-dns.yaml
new file mode 100644
index 000000000..54f9d7441
--- /dev/null
+++ b/assets/overlays/openstack-manila/generated/hypershift/network-policy-allow-to-dns.yaml
@@ -0,0 +1,36 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/openstack-manila/base/network-policy-allow-to-dns.yaml
+#
+#
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ capability.openshift.io/name: Storage
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ name: allow-to-dns
+ namespace: ${NAMESPACE}
+spec:
+ egress:
+ - ports:
+ - port: dns-tcp
+ protocol: TCP
+ - port: dns
+ protocol: UDP
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-dns
+ podSelector:
+ matchLabels:
+ dns.operator.openshift.io/daemonset-dns: default
+ podSelector:
+ matchLabels:
+ openshift.storage.network-policy.dns: allow
+ policyTypes:
+ - Egress
diff --git a/assets/overlays/openstack-manila/generated/standalone/manifests.yaml b/assets/overlays/openstack-manila/generated/standalone/manifests.yaml
index baac27210..73c5be1bd 100644
--- a/assets/overlays/openstack-manila/generated/standalone/manifests.yaml
+++ b/assets/overlays/openstack-manila/generated/standalone/manifests.yaml
@@ -5,6 +5,10 @@ controllerStaticAssetNames:
 - controller_sa.yaml
 - kube_rbac_proxy_binding.yaml
 - kube_rbac_proxy_role.yaml
+- network-policy-allow-all-egress.yaml
+- network-policy-allow-egress-to-api-server.yaml
+- network-policy-allow-ingress-to-metrics.yaml
+- network-policy-allow-to-dns.yaml
 - prometheus_binding.yaml
 - prometheus_role.yaml
 - service.yaml
diff --git a/assets/overlays/openstack-manila/generated/standalone/network-policy-allow-all-egress.yaml b/assets/overlays/openstack-manila/generated/standalone/network-policy-allow-all-egress.yaml
new file mode 100644
index 000000000..6ff74a4aa
--- /dev/null
+++ b/assets/overlays/openstack-manila/generated/standalone/network-policy-allow-all-egress.yaml
@@ -0,0 +1,28 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/openstack-manila/base/network-policy-allow-all-egress.yaml
+#
+#
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ capability.openshift.io/name: Storage
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ name: allow-all-egress
+ namespace: ${NAMESPACE}
+spec:
+ egress:
+ - ports:
+ - endPort: 65535
+ port: 1
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ openshift.storage.network-policy.all-egress: allow
+ policyTypes:
+ - Egress
diff --git a/assets/overlays/openstack-manila/generated/standalone/network-policy-allow-egress-to-api-server.yaml b/assets/overlays/openstack-manila/generated/standalone/network-policy-allow-egress-to-api-server.yaml
new file mode 100644
index 000000000..7b1ced94d
--- /dev/null
+++ b/assets/overlays/openstack-manila/generated/standalone/network-policy-allow-egress-to-api-server.yaml
@@ -0,0 +1,27 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/openstack-manila/base/network-policy-allow-egress-to-api-server.yaml
+#
+#
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ capability.openshift.io/name: Storage
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ name: allow-egress-to-api-server
+ namespace: ${NAMESPACE}
+spec:
+ egress:
+ - ports:
+ - port: 6443
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ openshift.storage.network-policy.api-server: allow
+ policyTypes:
+ - Egress
diff --git a/assets/overlays/openstack-manila/generated/standalone/network-policy-allow-ingress-to-metrics.yaml b/assets/overlays/openstack-manila/generated/standalone/network-policy-allow-ingress-to-metrics.yaml
new file mode 100644
index 000000000..9a09ac7a8
--- /dev/null
+++ b/assets/overlays/openstack-manila/generated/standalone/network-policy-allow-ingress-to-metrics.yaml
@@ -0,0 +1,28 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/openstack-manila/base/network-policy-allow-ingress-to-metrics.yaml
+#
+#
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ capability.openshift.io/name: Storage
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ name: allow-ingress-to-metrics-range
+ namespace: ${NAMESPACE}
+spec:
+ ingress:
+ - ports:
+ - endPort: 9223
+ port: 9201
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ openshift.storage.network-policy.metrics-range: allow
+ policyTypes:
+ - Ingress
diff --git a/assets/overlays/openstack-manila/generated/standalone/network-policy-allow-to-dns.yaml b/assets/overlays/openstack-manila/generated/standalone/network-policy-allow-to-dns.yaml
new file mode 100644
index 000000000..54f9d7441
--- /dev/null
+++ b/assets/overlays/openstack-manila/generated/standalone/network-policy-allow-to-dns.yaml
@@ -0,0 +1,36 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/openstack-manila/base/network-policy-allow-to-dns.yaml
+#
+#
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ capability.openshift.io/name: Storage
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ name: allow-to-dns
+ namespace: ${NAMESPACE}
+spec:
+ egress:
+ - ports:
+ - port: dns-tcp
+ protocol: TCP
+ - port: dns
+ protocol: UDP
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-dns
+ podSelector:
+ matchLabels:
+ dns.operator.openshift.io/daemonset-dns: default
+ podSelector:
+ matchLabels:
+ openshift.storage.network-policy.dns: allow
+ policyTypes:
+ - Egress
diff --git a/pkg/driver/openstack-manila/openstack_manila.go b/pkg/driver/openstack-manila/openstack_manila.go
index 40fa1ef98..8bd49757e 100644
--- a/pkg/driver/openstack-manila/openstack_manila.go
+++ b/pkg/driver/openstack-manila/openstack_manila.go
@@ -73,7 +73,13 @@ func GetOpenStackManilaGeneratorConfig() *generator.CSIDriverGeneratorConfig { "--probe-timeout=10s", ), }, - Assets: commongenerator.DefaultControllerAssets, + Assets: commongenerator.DefaultControllerAssets.WithAssets(generator.AllFlavours, + "overlays/openstack-manila/base/network-policy-allow-all-egress.yaml", + "overlays/openstack-manila/base/network-policy-allow-egress-to-api-server.yaml", + "overlays/openstack-manila/base/network-policy-allow-to-dns.yaml", + "overlays/openstack-manila/base/network-policy-allow-ingress-to-metrics.yaml", + ), + AssetPatches: commongenerator.DefaultAssetPatches.WithPatches(generator.HyperShiftOnly, "controller.yaml", "overlays/openstack-manila/patches/controller_add_hypershift_volumes.yaml", "controller.yaml", "overlays/openstack-manila/patches/controller_rename_config_map.yaml",