OPRUN-3926: add static network policy for collect-profiles pod

Per Goncalves da Silva · Per Goncalves da Silva · commit eaca49b95078 · 2025-05-20T10:52:30.000+02:00
Signed-off-by: Per Goncalves da Silva &lt;pegoncal@redhat.com&gt;
diff --git a/manifests/0000_50_olm_01-networkpolicies.yaml b/manifests/0000_50_olm_01-networkpolicies.yaml
@@ -29,12 +29,8 @@ spec:
     matchLabels:
       app: olm-operator
   ingress:
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              name: openshift-monitoring
-      ports:
-        - port: 8443
+    - ports:
+        - port: metrics
           protocol: TCP
   egress:
     - ports:
@@ -71,12 +67,8 @@ spec:
     matchLabels:
       app: catalog-operator
   ingress:
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              name: openshift-monitoring
-      ports:
-        - port: 8443
+    - ports:
+        - port: metrics
           protocol: TCP
   egress:
     - ports:
diff --git a/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml b/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml
@@ -7,6 +7,8 @@ metadata:
     include.release.openshift.io/self-managed-high-availability: "true"
     capability.openshift.io/name: "OperatorLifecycleManager"
   name: collect-profiles
+  labels:
+    app: olm-collect-profiles
   namespace: openshift-operator-lifecycle-manager
 spec:
   schedule: "*/15 * * * *"
@@ -18,6 +20,8 @@ spec:
           annotations:
             target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
             openshift.io/required-scc: restricted-v2
+          labels:
+            app: olm-collect-profiles
         spec:
           securityContext:
             runAsNonRoot: true
diff --git a/manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml b/manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml
@@ -0,0 +1,46 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: collect-profiles
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    capability.openshift.io/name: "OperatorLifecycleManager"
+    include.release.openshift.io/hypershift: "true"
+spec:
+  podSelector:
+    matchLabels:
+      app: olm-collect-profiles
+  egress:
+    - ports:
+        - port: 8443
+          protocol: TCP
+      from:
+        - namespaceSelector:
+            matchLabels:
+              name: openshift-operator-lifecycle-manager
+        - podSelector:
+            matchLabels:
+              app: olm-operator
+        - podSelector:
+            matchLabels:
+              app: catalog-operator
+    - ports:
+        - port: 6443
+          protocol: TCP
+    - ports:
+        - port: dns-tcp
+          protocol: TCP
+        - port: dns
+          protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+        - podSelector:
+            matchLabels:
+              dns.operator.openshift.io/daemonset-dns: default
+  policyTypes:
+    - Egress
+    - Ingress
diff --git a/microshift-manifests/0000_50_olm_01-networkpolicies.yaml b/microshift-manifests/0000_50_olm_01-networkpolicies.yaml
@@ -30,12 +30,8 @@ spec:
     matchLabels:
       app: olm-operator
   ingress:
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              name: openshift-monitoring
-      ports:
-        - port: 8443
+    - ports:
+        - port: metrics
           protocol: TCP
   egress:
     - ports:
@@ -72,12 +68,8 @@ spec:
     matchLabels:
       app: catalog-operator
   ingress:
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              name: openshift-monitoring
-      ports:
-        - port: 8443
+    - ports:
+        - port: metrics
           protocol: TCP
   egress:
     - ports:
diff --git a/microshift-manifests/0000_50_olm_07-collect-profiles.cronjob.yaml b/microshift-manifests/0000_50_olm_07-collect-profiles.cronjob.yaml
@@ -7,6 +7,8 @@ metadata:
     include.release.openshift.io/self-managed-high-availability: "true"
     capability.openshift.io/name: "OperatorLifecycleManager"
   name: collect-profiles
+  labels:
+    app: olm-collect-profiles
   namespace: openshift-operator-lifecycle-manager
 spec:
   schedule: "*/15 * * * *"
@@ -18,6 +20,8 @@ spec:
           annotations:
             target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
             openshift.io/required-scc: restricted-v2
+          labels:
+            app: olm-collect-profiles
         spec:
           securityContext:
             runAsNonRoot: true
diff --git a/microshift-manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml b/microshift-manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml
@@ -0,0 +1,46 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: collect-profiles
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    capability.openshift.io/name: "OperatorLifecycleManager"
+    include.release.openshift.io/hypershift: "true"
+spec:
+  podSelector:
+    matchLabels:
+      app: olm-collect-profiles
+  egress:
+    - ports:
+        - port: 8443
+          protocol: TCP
+      from:
+        - namespaceSelector:
+            matchLabels:
+              name: openshift-operator-lifecycle-manager
+        - podSelector:
+            matchLabels:
+              app: olm-operator
+        - podSelector:
+            matchLabels:
+              app: catalog-operator
+    - ports:
+        - port: 6443
+          protocol: TCP
+    - ports:
+        - port: dns-tcp
+          protocol: TCP
+        - port: dns
+          protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+        - podSelector:
+            matchLabels:
+              dns.operator.openshift.io/daemonset-dns: default
+  policyTypes:
+    - Egress
+    - Ingress
diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh
@@ -407,6 +407,55 @@ data:
   tls.key: ""
 EOF
 
+cat << EOF > manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: collect-profiles
+  namespace: openshift-operator-lifecycle-manager
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    capability.openshift.io/name: "OperatorLifecycleManager"
+    include.release.openshift.io/hypershift: "true"
+spec:
+  podSelector:
+    matchLabels:
+      app: olm-collect-profiles
+  egress:
+    - ports:
+        - port: 8443
+          protocol: TCP
+      from:
+        - namespaceSelector:
+            matchLabels:
+              name: openshift-operator-lifecycle-manager
+        - podSelector:
+            matchLabels:
+              app: olm-operator
+        - podSelector:
+            matchLabels:
+              app: catalog-operator
+    - ports:
+        - port: 6443
+          protocol: TCP
+    - ports:
+        - port: dns-tcp
+          protocol: TCP
+        - port: dns
+          protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+        - podSelector:
+            matchLabels:
+              dns.operator.openshift.io/daemonset-dns: default
+  policyTypes:
+    - Egress
+    - Ingress
+EOF
+
 cat << EOF > manifests/0000_50_olm_07-collect-profiles.cronjob.yaml
 apiVersion: batch/v1
 kind: CronJob
@@ -416,6 +465,8 @@ metadata:
     include.release.openshift.io/hypershift: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
   name: collect-profiles
+  labels:
+    app: olm-collect-profiles
   namespace: openshift-operator-lifecycle-manager
 spec:
   schedule: "*/15 * * * *"
@@ -427,6 +478,8 @@ spec:
           annotations:
             target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
             openshift.io/required-scc: restricted-v2
+          labels:
+            app: olm-collect-profiles
         spec:
           securityContext:
             runAsNonRoot: true
diff --git a/staging/operator-lifecycle-manager/test/e2e/util.go b/staging/operator-lifecycle-manager/test/e2e/util.go
@@ -1069,6 +1069,7 @@ func SetupGeneratedTestNamespaceWithOperatorGroup(name string, og operatorsv1.Op
 	ns := corev1.Namespace{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: name,
+			Labels: map[string]string{},
 		},
 	}
 	Eventually(func() error {
diff --git a/values.yaml b/values.yaml
@@ -119,11 +119,3 @@ networkPolicy:
       - podSelector:
           matchLabels:
             dns.operator.openshift.io/daemonset-dns: default
-  metrics:
-    ports:
-      - port: 8443
-        protocol: TCP
-    from:
-      - namespaceSelector:
-          matchLabels:
-            name: openshift-monitoring

Original file line number	Diff line number	Diff line change
`@@ -1069,6 +1069,7 @@ func SetupGeneratedTestNamespaceWithOperatorGroup(name string, og operatorsv1.Op`
`1069`	`1069`	`ns := corev1.Namespace{`
`1070`	`1070`	`ObjectMeta: metav1.ObjectMeta{`
`1071`	`1071`	`Name: name,`
	`1072`	`+ Labels: map[string]string{},`
`1072`	`1073`	`},`
`1073`	`1074`	`}`
`1074`	`1075`	`Eventually(func() error {`