OPRUN-3926: add static network policy for collect-profiles pod

Per Goncalves da Silva · Per Goncalves da Silva · commit 263fbc59475d · 2025-05-20T18:30:41.000+02:00
Signed-off-by: Per Goncalves da Silva &lt;pegoncal@redhat.com&gt;
diff --git a/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml b/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml
@@ -7,6 +7,8 @@ metadata:
     include.release.openshift.io/self-managed-high-availability: "true"
     capability.openshift.io/name: "OperatorLifecycleManager"
   name: collect-profiles
+  labels:
+    app: olm-collect-profiles
   namespace: openshift-operator-lifecycle-manager
 spec:
   schedule: "*/15 * * * *"
@@ -18,6 +20,8 @@ spec:
           annotations:
             target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
             openshift.io/required-scc: restricted-v2
+          labels:
+            app: olm-collect-profiles
         spec:
           securityContext:
             runAsNonRoot: true
diff --git a/manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml b/manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml
@@ -0,0 +1,43 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: collect-profiles
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    capability.openshift.io/name: "OperatorLifecycleManager"
+    include.release.openshift.io/hypershift: "true"
+spec:
+  podSelector:
+    matchLabels:
+      app: olm-collect-profiles
+  egress:
+    - ports:
+        - port: 8443
+          protocol: TCP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              name: openshift-operator-lifecycle-manager
+        - podSelector:
+            matchLabels:
+              app: olm-operator
+        - podSelector:
+            matchLabels:
+              app: catalog-operator
+    - ports:
+        - port: 6443
+          protocol: TCP
+    - ports:
+        - port: dns-tcp
+          protocol: TCP
+        - port: dns
+          protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+  policyTypes:
+    - Egress
+    - Ingress
diff --git a/microshift-manifests/0000_50_olm_07-collect-profiles.cronjob.yaml b/microshift-manifests/0000_50_olm_07-collect-profiles.cronjob.yaml
@@ -7,6 +7,8 @@ metadata:
     include.release.openshift.io/self-managed-high-availability: "true"
     capability.openshift.io/name: "OperatorLifecycleManager"
   name: collect-profiles
+  labels:
+    app: olm-collect-profiles
   namespace: openshift-operator-lifecycle-manager
 spec:
   schedule: "*/15 * * * *"
@@ -18,6 +20,8 @@ spec:
           annotations:
             target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
             openshift.io/required-scc: restricted-v2
+          labels:
+            app: olm-collect-profiles
         spec:
           securityContext:
             runAsNonRoot: true
diff --git a/microshift-manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml b/microshift-manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml
@@ -0,0 +1,43 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: collect-profiles
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    capability.openshift.io/name: "OperatorLifecycleManager"
+    include.release.openshift.io/hypershift: "true"
+spec:
+  podSelector:
+    matchLabels:
+      app: olm-collect-profiles
+  egress:
+    - ports:
+        - port: 8443
+          protocol: TCP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              name: openshift-operator-lifecycle-manager
+        - podSelector:
+            matchLabels:
+              app: olm-operator
+        - podSelector:
+            matchLabels:
+              app: catalog-operator
+    - ports:
+        - port: 6443
+          protocol: TCP
+    - ports:
+        - port: dns-tcp
+          protocol: TCP
+        - port: dns
+          protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+  policyTypes:
+    - Egress
+    - Ingress
diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh
@@ -400,6 +400,52 @@ data:
   tls.key: ""
 EOF
 
+cat << EOF > manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: collect-profiles
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    capability.openshift.io/name: "OperatorLifecycleManager"
+    include.release.openshift.io/hypershift: "true"
+spec:
+  podSelector:
+    matchLabels:
+      app: olm-collect-profiles
+  egress:
+    - ports:
+        - port: 8443
+          protocol: TCP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              name: openshift-operator-lifecycle-manager
+        - podSelector:
+            matchLabels:
+              app: olm-operator
+        - podSelector:
+            matchLabels:
+              app: catalog-operator
+    - ports:
+        - port: 6443
+          protocol: TCP
+    - ports:
+        - port: dns-tcp
+          protocol: TCP
+        - port: dns
+          protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+  policyTypes:
+    - Egress
+    - Ingress
+EOF
+
 cat << EOF > manifests/0000_50_olm_07-collect-profiles.cronjob.yaml
 apiVersion: batch/v1
 kind: CronJob
@@ -409,6 +455,8 @@ metadata:
     include.release.openshift.io/hypershift: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
   name: collect-profiles
+  labels:
+    app: olm-collect-profiles
   namespace: openshift-operator-lifecycle-manager
 spec:
   schedule: "*/15 * * * *"
@@ -420,6 +468,8 @@ spec:
           annotations:
             target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
             openshift.io/required-scc: restricted-v2
+          labels:
+            app: olm-collect-profiles
         spec:
           securityContext:
             runAsNonRoot: true
diff --git a/staging/operator-lifecycle-manager/test/e2e/util.go b/staging/operator-lifecycle-manager/test/e2e/util.go
@@ -1069,6 +1069,7 @@ func SetupGeneratedTestNamespaceWithOperatorGroup(name string, og operatorsv1.Op
 	ns := corev1.Namespace{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: name,
+			Labels: map[string]string{},
 		},
 	}
 	Eventually(func() error {

Original file line number	Diff line number	Diff line change
`@@ -1069,6 +1069,7 @@ func SetupGeneratedTestNamespaceWithOperatorGroup(name string, og operatorsv1.Op`
`1069`	`1069`	`ns := corev1.Namespace{`
`1070`	`1070`	`ObjectMeta: metav1.ObjectMeta{`
`1071`	`1071`	`Name: name,`
	`1072`	`+ Labels: map[string]string{},`
`1072`	`1073`	`},`
`1073`	`1074`	`}`
`1074`	`1075`	`Eventually(func() error {`