<carry>: update network policy configuration for metrics and dns on openshift

Per Goncalves da Silva · Per Goncalves da Silva · commit 417fcc183194 · 2025-05-19T14:48:39.000+02:00
Signed-off-by: Per Goncalves da Silva &lt;pegoncal@redhat.com&gt;
diff --git a/manifests/0000_50_olm_01-networkpolicies.yaml b/manifests/0000_50_olm_01-networkpolicies.yaml
@@ -29,18 +29,29 @@ spec:
     matchLabels:
       app: olm-operator
   ingress:
-    - ports:
-        - port: metrics
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: openshift-monitoring
+      ports:
+        - port: 8443
           protocol: TCP
   egress:
     - ports:
         - port: 6443
           protocol: TCP
     - ports:
-        - port: 53
+        - port: dns-tcp
           protocol: TCP
-        - port: 53
+        - port: dns
           protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+        - podSelector:
+            matchLabels:
+              dns.operator.openshift.io/daemonset-dns: default
   policyTypes:
     - Ingress
     - Egress
@@ -60,18 +71,29 @@ spec:
     matchLabels:
       app: catalog-operator
   ingress:
-    - ports:
-        - port: metrics
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: openshift-monitoring
+      ports:
+        - port: 8443
           protocol: TCP
   egress:
     - ports:
         - port: 6443
           protocol: TCP
     - ports:
-        - port: 53
+        - port: dns-tcp
           protocol: TCP
-        - port: 53
+        - port: dns
           protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+        - podSelector:
+            matchLabels:
+              dns.operator.openshift.io/daemonset-dns: default
     - ports: # This is another distinct rule in the egress list
         - protocol: TCP
           port: 50051
@@ -99,10 +121,17 @@ spec:
           port: 5443
   egress:
     - ports:
-        - port: 53
+        - port: dns-tcp
           protocol: TCP
-        - port: 53
+        - port: dns
           protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+        - podSelector:
+            matchLabels:
+              dns.operator.openshift.io/daemonset-dns: default
     - ports:
         - protocol: TCP
           port: 50051
diff --git a/microshift-manifests/0000_50_olm_01-networkpolicies.yaml b/microshift-manifests/0000_50_olm_01-networkpolicies.yaml
@@ -29,18 +29,29 @@ spec:
     matchLabels:
       app: olm-operator
   ingress:
-    - ports:
-        - port: metrics
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: openshift-monitoring
+      ports:
+        - port: 8443
           protocol: TCP
   egress:
     - ports:
         - port: 6443
           protocol: TCP
     - ports:
-        - port: 53
+        - port: dns-tcp
           protocol: TCP
-        - port: 53
+        - port: dns
           protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+        - podSelector:
+            matchLabels:
+              dns.operator.openshift.io/daemonset-dns: default
   policyTypes:
     - Ingress
     - Egress
@@ -60,18 +71,29 @@ spec:
     matchLabels:
       app: catalog-operator
   ingress:
-    - ports:
-        - port: metrics
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: openshift-monitoring
+      ports:
+        - port: 8443
           protocol: TCP
   egress:
     - ports:
         - port: 6443
           protocol: TCP
     - ports:
-        - port: 53
+        - port: dns-tcp
           protocol: TCP
-        - port: 53
+        - port: dns
           protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+        - podSelector:
+            matchLabels:
+              dns.operator.openshift.io/daemonset-dns: default
     - ports: # This is another distinct rule in the egress list
         - protocol: TCP
           port: 50051
@@ -99,10 +121,17 @@ spec:
           port: 5443
   egress:
     - ports:
-        - port: 53
+        - port: dns-tcp
           protocol: TCP
-        - port: 53
+        - port: dns
           protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+        - podSelector:
+            matchLabels:
+              dns.operator.openshift.io/daemonset-dns: default
     - ports:
         - protocol: TCP
           port: 50051
diff --git a/values.yaml b/values.yaml
@@ -104,3 +104,26 @@ package:
 monitoring:
   enabled: true
   namespace: openshift-monitoring
+
+networkPolicy:
+  dns:
+    ports:
+      - protocol: TCP
+        port: dns-tcp
+      - protocol: UDP
+        port: dns
+    to:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-dns
+      - podSelector:
+          matchLabels:
+            dns.operator.openshift.io/daemonset-dns: default
+  metrics:
+    ports:
+      - port: 8443
+        protocol: TCP
+    from:
+      - namespaceSelector:
+          matchLabels:
+            name: openshift-monitoring
