openshift
diff --git a/‎manifests/0000_50_olm_01-networkpolicies.yaml
Lines changed: 146 additions & 0 deletions b/‎manifests/0000_50_olm_01-networkpolicies.yaml
Lines changed: 146 additions & 0 deletions
diff --git a/‎manifests/0000_50_olm_01-olm-operator.serviceaccount.yaml renamed to ‎manifests/0000_50_olm_02-olm-operator.serviceaccount.yaml b/‎manifests/0000_50_olm_01-olm-operator.serviceaccount.yaml renamed to ‎manifests/0000_50_olm_02-olm-operator.serviceaccount.yaml
diff --git a/‎manifests/0000_50_olm_02-olmconfig.yaml renamed to ‎manifests/0000_50_olm_03-olmconfig.yaml b/‎manifests/0000_50_olm_02-olmconfig.yaml renamed to ‎manifests/0000_50_olm_03-olmconfig.yaml
diff --git a/‎manifests/0000_50_olm_02-services.yaml renamed to ‎manifests/0000_50_olm_03-services.yaml b/‎manifests/0000_50_olm_02-services.yaml renamed to ‎manifests/0000_50_olm_03-services.yaml
diff --git a/‎manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml
Lines changed: 34 additions & 0 deletions b/‎manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml
Lines changed: 34 additions & 0 deletions
diff --git a/‎manifests/0000_50_olm_07-collect-profiles.cronjob.yaml
Lines changed: 4 additions & 0 deletions b/‎manifests/0000_50_olm_07-collect-profiles.cronjob.yaml
Lines changed: 4 additions & 0 deletions
diff --git a/‎manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml
Lines changed: 43 additions & 0 deletions b/‎manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml
Lines changed: 43 additions & 0 deletions
diff --git a/‎microshift-manifests/0000_50_olm_01-networkpolicies.yaml
Lines changed: 89 additions & 0 deletions b/‎microshift-manifests/0000_50_olm_01-networkpolicies.yaml
Lines changed: 89 additions & 0 deletions
diff --git a/‎microshift-manifests/0000_50_olm_01-olm-operator.serviceaccount.yaml renamed to ‎microshift-manifests/0000_50_olm_02-olm-operator.serviceaccount.yaml b/‎microshift-manifests/0000_50_olm_01-olm-operator.serviceaccount.yaml renamed to ‎microshift-manifests/0000_50_olm_02-olm-operator.serviceaccount.yaml
diff --git a/‎microshift-manifests/0000_50_olm_02-olmconfig.yaml renamed to ‎microshift-manifests/0000_50_olm_03-olmconfig.yaml b/‎microshift-manifests/0000_50_olm_02-olmconfig.yaml renamed to ‎microshift-manifests/0000_50_olm_03-olmconfig.yaml
diff --git a/‎microshift-manifests/0000_50_olm_02-services.yaml renamed to ‎microshift-manifests/0000_50_olm_03-services.yaml b/‎microshift-manifests/0000_50_olm_02-services.yaml renamed to ‎microshift-manifests/0000_50_olm_03-services.yaml
diff --git a/‎microshift-manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml
Lines changed: 34 additions & 0 deletions b/‎microshift-manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml
Lines changed: 34 additions & 0 deletions
diff --git a/‎microshift-manifests/0000_50_olm_07-collect-profiles.cronjob.yaml
Lines changed: 4 additions & 0 deletions b/‎microshift-manifests/0000_50_olm_07-collect-profiles.cronjob.yaml
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,146 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all-traffic
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    capability.openshift.io/name: "OperatorLifecycleManager"
+    include.release.openshift.io/hypershift: "true"
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: olm-operator
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    capability.openshift.io/name: "OperatorLifecycleManager"
+    include.release.openshift.io/hypershift: "true"
+spec:
+  podSelector:
+    matchLabels:
+      app: olm-operator
+  ingress:
+    - ports:
+        - port: metrics
+          protocol: TCP
+  egress:
+    - ports:
+        - port: 6443
+          protocol: TCP
+    - ports:
+        - port: dns-tcp
+          protocol: TCP
+        - port: dns
+          protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+  policyTypes:
+    - Ingress
+    - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: catalog-operator
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    capability.openshift.io/name: "OperatorLifecycleManager"
+    include.release.openshift.io/hypershift: "true"
+spec:
+  podSelector:
+    matchLabels:
+      app: catalog-operator
+  ingress:
+    - ports:
+        - port: metrics
+          protocol: TCP
+  egress:
+    - ports:
+        - port: 6443
+          protocol: TCP
+    - ports:
+        - port: dns-tcp
+          protocol: TCP
+        - port: dns
+          protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+    - ports: # This is another distinct rule in the egress list
+        - protocol: TCP
+          port: 50051
+  policyTypes:
+    - Ingress
+    - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: packageserver
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    capability.openshift.io/name: "OperatorLifecycleManager"
+    include.release.openshift.io/hypershift: "true"
+spec:
+  podSelector:
+    matchLabels:
+      app: packageserver
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 5443
+  egress:
+    - ports:
+        - port: 6443
+          protocol: TCP
+    - ports:
+        - port: dns-tcp
+          protocol: TCP
+        - port: dns
+          protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+    - ports:
+        - protocol: TCP
+          port: 50051
+  policyTypes:
+    - Ingress
+    - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-allow-all
+  namespace: openshift-operators
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    capability.openshift.io/name: "OperatorLifecycleManager"
+    include.release.openshift.io/hypershift: "true"
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - {}
+  egress:
+    - {}
@@ -0,0 +1,34 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: package-server-manager
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    capability.openshift.io/name: "OperatorLifecycleManager"
+    include.release.openshift.io/hypershift: "true"
+spec:
+  podSelector:
+    matchLabels:
+      app: package-server-manager
+  ingress:
+    - ports:
+        - port: 8443
+          protocol: TCP
+  egress:
+    - ports:
+        - port: 6443
+          protocol: TCP
+    - ports:
+        - port: dns-tcp
+          protocol: TCP
+        - port: dns
+          protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+  policyTypes:
+    - Ingress
+    - Egress
@@ -7,6 +7,8 @@ metadata:
     include.release.openshift.io/self-managed-high-availability: "true"
     capability.openshift.io/name: "OperatorLifecycleManager"
   name: collect-profiles
+  labels:
+    app: olm-collect-profiles
   namespace: openshift-operator-lifecycle-manager
 spec:
   schedule: "*/15 * * * *"
@@ -18,6 +20,8 @@ spec:
           annotations:
             target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
             openshift.io/required-scc: restricted-v2
+          labels:
+            app: olm-collect-profiles
         spec:
           securityContext:
             runAsNonRoot: true
 
@@ -0,0 +1,43 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: collect-profiles
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    capability.openshift.io/name: "OperatorLifecycleManager"
+    include.release.openshift.io/hypershift: "true"
+spec:
+  podSelector:
+    matchLabels:
+      app: olm-collect-profiles
+  egress:
+    - ports:
+        - port: 8443
+          protocol: TCP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              name: openshift-operator-lifecycle-manager
+        - podSelector:
+            matchLabels:
+              app: olm-operator
+        - podSelector:
+            matchLabels:
+              app: catalog-operator
+    - ports:
+        - port: 6443
+          protocol: TCP
+    - ports:
+        - port: dns-tcp
+          protocol: TCP
+        - port: dns
+          protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+  policyTypes:
+    - Egress
+    - Ingress
@@ -0,0 +1,89 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all-traffic
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    capability.openshift.io/name: "OperatorLifecycleManager"
+    include.release.openshift.io/hypershift: "true"
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: olm-operator
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    capability.openshift.io/name: "OperatorLifecycleManager"
+    include.release.openshift.io/hypershift: "true"
+spec:
+  podSelector:
+    matchLabels:
+      app: olm-operator
+  ingress:
+    - ports:
+        - port: metrics
+          protocol: TCP
+  egress:
+    - ports:
+        - port: 6443
+          protocol: TCP
+    - ports:
+        - port: dns-tcp
+          protocol: TCP
+        - port: dns
+          protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+  policyTypes:
+    - Ingress
+    - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: catalog-operator
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    capability.openshift.io/name: "OperatorLifecycleManager"
+    include.release.openshift.io/hypershift: "true"
+spec:
+  podSelector:
+    matchLabels:
+      app: catalog-operator
+  ingress:
+    - ports:
+        - port: metrics
+          protocol: TCP
+  egress:
+    - ports:
+        - port: 6443
+          protocol: TCP
+    - ports:
+        - port: dns-tcp
+          protocol: TCP
+        - port: dns
+          protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+    - ports: # This is another distinct rule in the egress list
+        - protocol: TCP
+          port: 50051
+  policyTypes:
+    - Ingress
+    - Egress
@@ -0,0 +1,34 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: package-server-manager
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    capability.openshift.io/name: "OperatorLifecycleManager"
+    include.release.openshift.io/hypershift: "true"
+spec:
+  podSelector:
+    matchLabels:
+      app: package-server-manager
+  ingress:
+    - ports:
+        - port: 8443
+          protocol: TCP
+  egress:
+    - ports:
+        - port: 6443
+          protocol: TCP
+    - ports:
+        - port: dns-tcp
+          protocol: TCP
+        - port: dns
+          protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+  policyTypes:
+    - Ingress
+    - Egress
@@ -7,6 +7,8 @@ metadata:
     include.release.openshift.io/self-managed-high-availability: "true"
     capability.openshift.io/name: "OperatorLifecycleManager"
   name: collect-profiles
+  labels:
+    app: olm-collect-profiles
   namespace: openshift-operator-lifecycle-manager
 spec:
   schedule: "*/15 * * * *"
@@ -18,6 +20,8 @@ spec:
           annotations:
             target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
             openshift.io/required-scc: restricted-v2
+          labels:
+            app: olm-collect-profiles
         spec:
           securityContext:
             runAsNonRoot: true