OPRUN-3923,OPRUN-3906,OPRUN-3903,OPRUN-3926: Add NetworkPolicy support to OLMv0 components

[perdasilva]

This PR adds NetworkPolicy resources to restrict OLMv0 component network communications:

resources:

• default-deny-all added to openshift-operator-lifecycle-manager namespaces
• olm-operator restricted to: egress: dns, kube-apiserver / ingress: metrics
• catalog-operator restricted to: egress dns, kube-apiserver, 50051 (catalog services) / ingress: metrics
• packageserver: egress dns, kube-apiserver, 50051 (catalog services) / ingress: 5443 (service port)
• package-server-manager: egress dns, kube-apiserver / ingress: 8443 (metrics)
• collect-profiles: egress dns, kube-apiserver, olm/catalog-operator metrics

code change:
network policies for catalogs need to be managed programmatically by stamping out NetworkPolicy resources for the catalog source pod. The definition of the policy depends on the type of catalog source (grpc or configmap). But they essentially restrict ingress to 50051 (catalog services). In the case of the configmap catalog source, egress to the kube-apiserver is also required (to read the configmap)

microshift:

• packageserver, package-server-manger, and collect-profiles are not in microshift, therefore they are excluded (by the kustomization.yaml) from microshift. Because the packageserver network policy comes from upstream, it is removed from the network policy resources by the generate-crds_manifests.sh script.

[openshift-ci-robot]

@perdasilva: This pull request references OPRUN-3923 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

Makes the necessary changes to downstream and pulls in the necessary commits for adding NetworkPolicy resources to help constrain the network communication of OLM components

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@perdasilva: This pull request references OPRUN-3923 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

This pull request references OPRUN-3906 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

Makes the necessary changes to downstream and pulls in the necessary commits for adding NetworkPolicy resources to help constrain the network communication of OLM components

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@perdasilva: This pull request references OPRUN-3923 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

This pull request references OPRUN-3906 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

This pull request references OPRUN-3903 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

Makes the necessary changes to downstream and pulls in the necessary commits for adding NetworkPolicy resources to help constrain the network communication of OLM components

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@perdasilva: An error was encountered searching for bug OPRUN-3926 on the Jira server at https://issues.redhat.com/. No known errors were detected, please see the full error message for details.

Full error message.

No response returned: Get "https://issues.redhat.com/rest/api/2/issue/OPRUN-3926": GET https://issues.redhat.com/rest/api/2/issue/OPRUN-3926 giving up after 5 attempt(s)

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

In response to this:

Makes the necessary changes to downstream and pulls in the necessary commits for adding NetworkPolicy resources to help constrain the network communication of OLM components

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@perdasilva: This pull request references OPRUN-3923 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

This pull request references OPRUN-3906 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

This pull request references OPRUN-3903 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

Makes the necessary changes to downstream and pulls in the necessary commits for adding NetworkPolicy resources to help constrain the network communication of OLM components

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[kuiwang02]

the issue mentioned in #1005 (comment) is fixed in this PR. I already update the bug ticket.

[perdasilva]

@kuiwang02 thanks for the thorough review ^^ I'll fix those up!

[openshift-ci-robot]

@perdasilva: This pull request references OPRUN-3923 which is a valid jira issue.

This pull request references OPRUN-3906 which is a valid jira issue.

This pull request references OPRUN-3903 which is a valid jira issue.

This pull request references OPRUN-3926 which is a valid jira issue.

This pull request references Jira Issue OCPBUGS-56355, which is invalid:

• expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Verified instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Makes the necessary changes to downstream and pulls in the necessary commits for adding NetworkPolicy resources to help constrain the network communication of OLM components

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@perdasilva: This pull request references OPRUN-3923 which is a valid jira issue.

This pull request references OPRUN-3906 which is a valid jira issue.

This pull request references OPRUN-3903 which is a valid jira issue.

This pull request references OPRUN-3926 which is a valid jira issue.

In response to this:

This PR adds NetworkPolicy resources to restrict OLMv0 component network communications:

resources:

• default-deny-all added to openshift-operator-lifecycle-manager namespaces
• olm-operator restricted to: egress: dns, kube-apiserver / ingress: metrics
• catalog-operator restricted to: egress dns, kube-apiserver, 50051 (catalog services) / ingress: metrics
• packageserver: egress dns, kube-apiserver, 50051 (catalog services) / ingress: 5443 (service port)
• package-server-manager: egress dns, kube-apiserver / ingress: 8443 (metrics)
• collect-profiles: egress dns, kube-apiserver, olm/catalog-operator metrics

code change:
network policies for catalogs need to be managed programmatically by stamping out NetworkPolicy resources for the catalog source pod. The definition of the policy depends on the type of catalog source (grpc or configmap). But they essentially restrict ingress to 50051 (catalog services). In the case of the configmap catalog source, egress to the kube-apiserver is also required (to read the configmap)

microshift:

• packageserver, package-server-manger, and collect-profiles are not in microshift, therefore they are excluded (by the kustomization.yaml) from microshift. Because the packageserver network policy comes from upstream, it is removed from the network policy resources by the generate-crds_manifests.sh script.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[perdasilva]

/retest

[perdasilva]

/retest

[perdasilva]

/retest

[perdasilva]

/retest

[perdasilva]

/retest

[perdasilva]

/retest

[perdasilva]

/retest

[tmshort]

GCP tests are in permafail

[bentito]

/approve
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bentito, perdasilva

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• DOWNSTREAM_OWNERS [perdasilva]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@perdasilva: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: operator-registry
This PR has been included in build operator-registry-container-v4.20.0-202505221844.p0.g082d59a.assembly.stream.el9.
All builds following this will include this PR.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: operator-lifecycle-manager
This PR has been included in build operator-lifecycle-manager-container-v4.20.0-202505221844.p0.g082d59a.assembly.stream.el9.
All builds following this will include this PR.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: ose-operator-framework-tools
This PR has been included in build ose-operator-framework-tools-container-v4.20.0-202505221844.p0.g082d59a.assembly.stream.el9.
All builds following this will include this PR.