CNTRLPLANE-2905: add network policies

[dusk125]

Adds NetworkPolicy resources for both operator and operand namespaces

[openshift-ci-robot]

@dusk125: This pull request references CNTRLPLANE-2905 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Adds NetworkPolicy resources for both operator and operand namespaces

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[dusk125]

/retest-required

[dusk125]

/retest-required

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7c2deee7-02e0-4ffd-9ff3-cbff0abf3d5d

📥 Commits

Reviewing files that changed from the base of the PR and between 9d54941 and bd34e90.

📒 Files selected for processing (3)

• bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml
• bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml
• manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml

🚧 Files skipped from review as they are similar to previous changes (3)

• bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml
• manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml
• bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml

---

Walkthrough

Adds NetworkPolicy YAMLs: namespace-wide default-deny and specific allow policies (ingress TCP 8443, unrestricted egress) for controller-manager, route-controller-manager, and the controller-manager-operator; and registers four new controller-manager assets in the operator static resource list.

Changes

Cohort / File(s)	Summary
Network Policies - Controller Manager bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml, bindata/assets/openshift-controller-manager/networkpolicy-default-deny.yaml	Adds a namespace default-deny and an allow policy selecting controller-manager: "true" that permits ingress on TCP 8443 and allows all egress.
Network Policies - Route Controller Manager bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml, bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-default-deny.yaml	Adds a namespace default-deny and an allow policy selecting route-controller-manager: "true" that permits ingress on TCP 8443 and allows all egress.
Network Policies - Operator manifests/0000_25_openshift-controller-manager-operator_01_network-policy-default-deny.yaml, manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml	Adds a default-deny and an allow-operator policy in openshift-controller-manager-operator; allow-operator selects app: openshift-controller-manager-operator, permits ingress TCP 8443, allows all egress, and contains HA/single-node annotations.
Operator Static Assets pkg/operator/starter.go	Appends four new bindata assets (the two controller-manager and two route-controller-manager NetworkPolicy YAMLs) to the StaticResourceController reconciliation list.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'CNTRLPLANE-2905: add network policies' directly and clearly summarizes the main change - adding network policies across multiple namespaces in the openshift-controller-manager-operator project.
Stable And Deterministic Test Names	✅ Passed	The PR exclusively adds YAML manifest files and updates starter.go to reference them. No Ginkgo test files or test code are present in this PR.
Test Structure And Quality	✅ Passed	This PR does not include any Ginkgo test code; it only modifies network policy YAML manifests and configuration files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

You can make CodeRabbit's review stricter and more nitpicky using the `assertive` profile, if that's what you prefer.

Change the reviews.profile setting to assertive to make CodeRabbit's nitpick more issues in your PRs.

[openshift-ci-robot]

@dusk125: This pull request references CNTRLPLANE-2905 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Adds NetworkPolicy resources for both operator and operand namespaces

Summary by CodeRabbit

• New Features
• Added Network Policies for enhanced cluster security, implementing default-deny rules that block all traffic by default while explicitly permitting essential communication paths for controller managers and operators.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml`:
- Around line 8-24: The NetworkPolicy named allow-controller-manager currently
permits ingress on port 8443 but lacks a source restriction; update the
spec.ingress of the allow-controller-manager NetworkPolicy to include a from
clause that limits traffic to the openshift-monitoring namespace (e.g., add a
from: - namespaceSelector with an appropriate label selector matching the
monitoring namespace) so only pods from openshift-monitoring can reach port 8443
on pods selected by spec.podSelector (app: openshift-controller-manager-a,
controller-manager: "true").

In
`@bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml`:
- Around line 8-24: The NetworkPolicy named allow-route-controller-manager in
namespace openshift-route-controller-manager currently permits ingress to pods
matching labels app: route-controller-manager and route-controller-manager:
"true" on TCP port 8443 from any source; update the spec.ingress entry to
include a from block that restricts sources to the openshift-monitoring
namespace (use namespaceSelector with matchLabels or metadata.name selector for
the monitoring namespace) so Prometheus alone can scrape metrics, or if open
access is intended, change the comment above to say it allows ingress from any
source rather than from openshift-monitoring.

In
`@manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml`:
- Around line 8-26: The doc/comment claims ingress is limited "from
openshift-monitoring" but the NetworkPolicy allow-operator (namespace
openshift-controller-manager-operator, podSelector app:
openshift-controller-manager-operator) currently has no from block and therefore
allows all sources; fix by adding a from block to the spec.ingress that
restricts traffic to the openshift-monitoring namespace (e.g., add a from: -
namespaceSelector: matchLabels: kubernetes.io/metadata.name:
openshift-monitoring) so the port: 8443 rule truly only allows Prometheus from
that namespace, or alternatively update the comment to accurately state that the
rule allows all sources—choose one and make the change in the NetworkPolicy
manifest.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2eea60ce-ba75-46c4-9a24-3663c5f3bbdd

📥 Commits

Reviewing files that changed from the base of the PR and between ec06b68 and dd09c2f.

📒 Files selected for processing (7)

• bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml
• bindata/assets/openshift-controller-manager/networkpolicy-default-deny.yaml
• bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml
• bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-default-deny.yaml
• manifests/0000_25_openshift-controller-manager-operator_01_network-policy-default-deny.yaml
• manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml
• pkg/operator/starter.go

[dusk125]

/payload 4.22 nightly blocking
/payload 4.22 nightly informing

[openshift-ci]

@dusk125: trigger 14 job(s) of type blocking for the nightly release of OCP 4.22

• periodic-ci-openshift-release-main-ci-4.22-e2e-aws-upgrade-ovn-single-node
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-upgrade-fips
• periodic-ci-openshift-release-main-ci-4.22-e2e-azure-ovn-upgrade
• periodic-ci-openshift-release-main-ci-4.22-upgrade-from-stable-4.21-e2e-gcp-ovn-rt-upgrade
• periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-ovn-conformance
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-serial-1of2
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-serial-2of2
• periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview
• periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview-serial-1of3
• periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview-serial-2of3
• periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview-serial-3of3
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-upgrade-fips-no-nat-instance
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-ovn-ipv4
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-ovn-ipv6

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/a53ecd80-1cb9-11f1-955c-2264a6e7c378-0

trigger 65 job(s) of type informing for the nightly release of OCP 4.22

• periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-azure-aks-ovn-conformance
• periodic-ci-openshift-release-main-nightly-4.22-console-aws
• periodic-ci-openshift-cluster-control-plane-machine-set-operator-release-4.22-periodics-e2e-aws
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-csi
• periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-cgroupsv2
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-fips
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-single-node
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-single-node-csi
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-single-node-serial
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-single-node-techpreview
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-single-node-techpreview-serial
• periodic-ci-openshift-release-main-nightly-4.22-upgrade-from-stable-4.21-e2e-aws-upgrade-ovn-single-node
• periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-upgrade-out-of-change
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-upi
• periodic-ci-openshift-cluster-control-plane-machine-set-operator-release-4.22-periodics-e2e-azure
• periodic-ci-openshift-release-main-nightly-4.22-e2e-azure-csi
• periodic-ci-openshift-release-main-ci-4.22-e2e-azure-ovn
• periodic-ci-openshift-release-main-ci-4.22-e2e-azure-ovn-serial
• periodic-ci-openshift-release-main-ci-4.22-e2e-azure-ovn-techpreview
• periodic-ci-openshift-release-main-ci-4.22-e2e-azure-ovn-techpreview-serial
• periodic-ci-openshift-release-main-ci-4.22-e2e-azure-ovn-upgrade-out-of-change
• periodic-ci-openshift-release-main-cnv-nightly-4.22-deploy-azure-kubevirt-ovn
• periodic-ci-openshift-cluster-control-plane-machine-set-operator-release-4.22-periodics-e2e-gcp
• periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn
• periodic-ci-openshift-release-main-nightly-4.22-e2e-gcp-ovn-csi
• periodic-ci-openshift-release-main-nightly-4.22-e2e-gcp-ovn-rt
• periodic-ci-openshift-release-main-nightly-4.22-e2e-gcp-ovn-serial
• periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn-techpreview
• periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn-techpreview-serial
• periodic-ci-openshift-release-main-ci-4.22-upgrade-from-stable-4.21-e2e-gcp-ovn-upgrade
• periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn-upgrade
• periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-azure-kubevirt-ovn
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-ovn-dualstack
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-ovn-dualstack-techpreview
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-ovn-ipv6-techpreview
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-ovn-serial-ipv4
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-ovn-serial-virtualmedia-1of2
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-ovn-serial-virtualmedia-2of2
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-ovn-techpreview
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-ovn-upgrade
• periodic-ci-openshift-release-main-nightly-4.22-upgrade-from-stable-4.21-e2e-metal-ipi-ovn-upgrade
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-serial-ovn-ipv6
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-serial-ovn-dualstack
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-upgrade-ovn-ipv6
• periodic-ci-openshift-release-main-nightly-4.22-upgrade-from-stable-4.21-e2e-metal-ipi-upgrade-ovn-ipv6
• periodic-ci-openshift-release-main-nightly-4.22-metal-ovn-single-node-recert-cluster-rename
• periodic-ci-openshift-osde2e-main-nightly-4.22-osd-aws
• periodic-ci-openshift-release-main-nightly-4.22-e2e-osd-ccs-gcp
• periodic-ci-openshift-osde2e-main-nightly-4.22-osd-gcp
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-proxy
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ovn-single-node-live-iso
• periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-4.22-nightly-x86-payload-control-plane-6nodes
• periodic-ci-openshift-release-main-nightly-4.22-e2e-telco5g
• periodic-ci-openshift-release-main-ci-4.22-upgrade-from-stable-4.21-e2e-aws-ovn-upgrade
• periodic-ci-openshift-release-main-nightly-4.22-e2e-vsphere-ovn
• periodic-ci-openshift-release-main-nightly-4.22-e2e-vsphere-ovn-csi
• periodic-ci-openshift-release-main-nightly-4.22-e2e-vsphere-ovn-serial
• periodic-ci-openshift-release-main-nightly-4.22-e2e-vsphere-ovn-techpreview
• periodic-ci-openshift-release-main-nightly-4.22-e2e-vsphere-ovn-techpreview-serial
• periodic-ci-openshift-release-main-ci-4.22-e2e-vsphere-ovn-upgrade
• periodic-ci-openshift-release-main-ci-4.22-upgrade-from-stable-4.21-e2e-vsphere-ovn-upgrade
• periodic-ci-openshift-release-main-nightly-4.22-e2e-vsphere-ovn-upi
• periodic-ci-openshift-release-main-nightly-4.22-e2e-vsphere-ovn-upi-serial
• periodic-ci-openshift-release-main-nightly-4.22-e2e-vsphere-static-ovn

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/a53ecd80-1cb9-11f1-955c-2264a6e7c378-1

[openshift-ci-robot]

@dusk125: This pull request references CNTRLPLANE-2905 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Adds NetworkPolicy resources for both operator and operand namespaces

Summary by CodeRabbit

• New Features
• Added NetworkPolicy resources in controller-manager, route-controller-manager, and operator namespaces: default-deny policies that deny all traffic by default, plus allow rules that permit TCP ingress on port 8443 for controller/operator pods and permit broad egress where specified.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[dusk125]

/label tide/merge-method-squash

[coderabbitai]

♻️ Duplicate comments (2)

bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml (1)

8-23: ⚠️ Potential issue | 🟠 Major

Restrict metrics ingress or fix the comment.

The comment says port 8443 is only opened to openshift-monitoring, but this rule has no from selector, so it allows ingress on 8443 from all sources. That leaves the metrics endpoint broader than intended.

🔒 Proposed fix

   ingress:
-  - ports:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-monitoring
+    ports:
     - protocol: TCP
       port: 8443

If open access is intentional, update Lines 9-10 to say that explicitly.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml`
around lines 8 - 23, The NetworkPolicy named allow-route-controller-manager in
namespace openshift-route-controller-manager currently allows ingress to pods
with label route-controller-manager on TCP port 8443 from any source,
contradicting the comment that it should only allow openshift-monitoring; either
restrict the rule by adding a from clause that selects the openshift-monitoring
namespace (e.g., namespaceSelector matching metadata.name: openshift-monitoring
or a suitable podSelector) to limit ingress to Prometheus, or if open access was
intended, update the comment to state that port 8443 is intentionally open to
all sources.

bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml (1)

8-23: ⚠️ Potential issue | 🟠 Major

Restrict metrics ingress or fix the comment.

Same issue here: Lines 9-10 say metrics ingress is from openshift-monitoring, but the rule has no from clause, so port 8443 is reachable from all sources.

🔒 Proposed fix

   ingress:
-  - ports:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-monitoring
+    ports:
     - protocol: TCP
       port: 8443

If cluster-wide access is intended, please make the comment match the actual policy.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml` around
lines 8 - 23, The NetworkPolicy named allow-controller-manager in namespace
openshift-controller-manager currently exposes port 8443 to all sources
(spec.ingress has no from clause) while the comment says it should allow ingress
only from the openshift-monitoring namespace; either update the comment to
reflect cluster-wide access or restrict the rule by adding a from clause under
spec.ingress that limits traffic to pods in the openshift-monitoring namespace
(e.g., a namespaceSelector matching metadata.name: openshift-monitoring or a
podSelector as appropriate) so the policy behavior matches the documented
intent.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml`:
- Around line 8-23: The NetworkPolicy named allow-controller-manager in
namespace openshift-controller-manager currently exposes port 8443 to all
sources (spec.ingress has no from clause) while the comment says it should allow
ingress only from the openshift-monitoring namespace; either update the comment
to reflect cluster-wide access or restrict the rule by adding a from clause
under spec.ingress that limits traffic to pods in the openshift-monitoring
namespace (e.g., a namespaceSelector matching metadata.name:
openshift-monitoring or a podSelector as appropriate) so the policy behavior
matches the documented intent.

In
`@bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml`:
- Around line 8-23: The NetworkPolicy named allow-route-controller-manager in
namespace openshift-route-controller-manager currently allows ingress to pods
with label route-controller-manager on TCP port 8443 from any source,
contradicting the comment that it should only allow openshift-monitoring; either
restrict the rule by adding a from clause that selects the openshift-monitoring
namespace (e.g., namespaceSelector matching metadata.name: openshift-monitoring
or a suitable podSelector) to limit ingress to Prometheus, or if open access was
intended, update the comment to state that port 8443 is intentionally open to
all sources.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9b517a00-bb3a-41e6-87b8-534a9184167e

📥 Commits

Reviewing files that changed from the base of the PR and between dd09c2f and 9d54941.

📒 Files selected for processing (2)

• bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml
• bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml

[liouk]

/lgtm

[openshift-ci-robot]

@dusk125: This pull request references CNTRLPLANE-2905 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Adds NetworkPolicy resources for both operator and operand namespaces

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[liouk]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dusk125, liouk
Once this PR has been reviewed and has the lgtm label, please assign adambkaplan for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@dusk125: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.