
OPRUN-3923,OPRUN-3906,OPRUN-3903,OPRUN-3926: Add NetworkPolicy support to OLMv0 components #1008


Merged
merged 10 commits into from
May 22, 2025
Merged
146 changes: 146 additions & 0 deletions manifests/0000_50_olm_01-networkpolicies.yaml
@@ -0,0 +1,146 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all-traffic
namespace: openshift-operator-lifecycle-manager
annotations:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
capability.openshift.io/name: "OperatorLifecycleManager"
include.release.openshift.io/hypershift: "true"
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: olm-operator
namespace: openshift-operator-lifecycle-manager
annotations:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
capability.openshift.io/name: "OperatorLifecycleManager"
include.release.openshift.io/hypershift: "true"
spec:
podSelector:
matchLabels:
app: olm-operator
ingress:
- ports:
- port: metrics
protocol: TCP
egress:
- ports:
- port: 6443
protocol: TCP
- ports:
- port: dns-tcp
protocol: TCP
- port: dns
protocol: UDP
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-dns
policyTypes:
- Ingress
- Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: catalog-operator
namespace: openshift-operator-lifecycle-manager
annotations:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
capability.openshift.io/name: "OperatorLifecycleManager"
include.release.openshift.io/hypershift: "true"
spec:
podSelector:
matchLabels:
app: catalog-operator
ingress:
- ports:
- port: metrics
protocol: TCP
egress:
- ports:
- port: 6443
protocol: TCP
- ports:
- port: dns-tcp
protocol: TCP
- port: dns
protocol: UDP
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-dns
- ports: # This is another distinct rule in the egress list
- protocol: TCP
port: 50051
policyTypes:
- Ingress
- Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: packageserver
namespace: openshift-operator-lifecycle-manager
annotations:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
capability.openshift.io/name: "OperatorLifecycleManager"
include.release.openshift.io/hypershift: "true"
spec:
podSelector:
matchLabels:
app: packageserver
ingress:
- ports:
- protocol: TCP
port: 5443
egress:
- ports:
- port: 6443
protocol: TCP
- ports:
- port: dns-tcp
protocol: TCP
- port: dns
protocol: UDP
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-dns
- ports:
- protocol: TCP
port: 50051
policyTypes:
- Ingress
- Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-allow-all
namespace: openshift-operators
annotations:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
capability.openshift.io/name: "OperatorLifecycleManager"
include.release.openshift.io/hypershift: "true"
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress:
- {}
egress:
- {}
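Review bot: The `metrics` ingress rules for olm-operator (L69-L72) and catalog-operator (L104-L107) have no `from:` peer, so any pod that can reach the namespace may connect to that port; adding a `from:` that names the scraping namespace plus the collect-profiles pods (which the collect-profiles policy later in this PR reaches on 8443) would keep the intended paths open and close the rest, and the same applies to the 8443 ingress in manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml and to the microshift-manifests copy of this file. The TCP/50051 egress rule on catalog-operator (L121-L123) and packageserver (L159-L161) likewise has no `to:`, so it permits 50051 to any destination in or outside the cluster; if that is deliberate because catalog source pods may be created in any namespace, the placeholder comment at L121 should say so, e.g. `# gRPC to catalog source pods; destination left unrestricted because CatalogSources may live in any namespace`. The `default-allow-all` policy for openshift-operators (L166-L184) explicitly opens that namespace for all ingress and egress; a comment above it stating why the namespace is intentionally left open would prevent a later reader from treating it as an oversight. The assumption that Prometheus in openshift-monitoring is the only scraper should be confirmed before applying the `from:` below.

```yaml
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-monitoring
        - podSelector:
            matchLabels:
              app: olm-collect-profiles
      ports:
        - port: metrics
          protocol: TCP
  # … unchanged: egress and policyTypes …
```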
34 changes: 34 additions & 0 deletions manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml
@@ -0,0 +1,34 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: package-server-manager
namespace: openshift-operator-lifecycle-manager
annotations:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
capability.openshift.io/name: "OperatorLifecycleManager"
include.release.openshift.io/hypershift: "true"
spec:
podSelector:
matchLabels:
app: package-server-manager
ingress:
- ports:
- port: 8443
protocol: TCP
egress:
- ports:
- port: 6443
protocol: TCP
- ports:
- port: dns-tcp
protocol: TCP
- port: dns
protocol: UDP
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-dns
policyTypes:
- Ingress
- Egress
4 changes: 4 additions & 0 deletions manifests/0000_50_olm_07-collect-profiles.cronjob.yaml
Expand Up @@ -7,6 +7,8 @@ metadata:
include.release.openshift.io/self-managed-high-availability: "true"
capability.openshift.io/name: "OperatorLifecycleManager"
name: collect-profiles
labels:
app: olm-collect-profiles
namespace: openshift-operator-lifecycle-manager
spec:
schedule: "*/15 * * * *"
Expand All @@ -18,6 +20,8 @@ spec:
annotations:
target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
openshift.io/required-scc: restricted-v2
labels:
app: olm-collect-profiles
spec:
securityContext:
runAsNonRoot: true
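Review bot: The pod-template label at L237-L238 is the one a NetworkPolicy `podSelector` matches, while the CronJob-level label at L228-L229 is not propagated to the Jobs' pods and so plays no part in selection. A comment above the template label, `# matched by the collect-profiles NetworkPolicy podSelector; keep in sync with that manifest`, would stop a future cleanup from dropping the label that the policy depends on. The same applies to the second copy of this file further down the page.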
43 changes: 43 additions & 0 deletions manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml
@@ -0,0 +1,43 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: collect-profiles
namespace: openshift-operator-lifecycle-manager
annotations:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
capability.openshift.io/name: "OperatorLifecycleManager"
include.release.openshift.io/hypershift: "true"
spec:
podSelector:
matchLabels:
app: olm-collect-profiles
egress:
- ports:
- port: 8443
protocol: TCP
to:
- namespaceSelector:
matchLabels:
name: openshift-operator-lifecycle-manager
- podSelector:
matchLabels:
app: olm-operator
- podSelector:
matchLabels:
app: catalog-operator
- ports:
- port: 6443
protocol: TCP
- ports:
- port: dns-tcp
protocol: TCP
- port: dns
protocol: UDP
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-dns
policyTypes:
- Egress
- Ingress
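Review bot: The first egress rule's `to:` list (L264-L273) mixes a bare `namespaceSelector` peer matching `name: openshift-operator-lifecycle-manager` with two bare `podSelector` peers, and each list item is an independent peer: the namespaceSelector item, if the label matches, allows port 8443 to every pod in that namespace, which makes the two podSelector items redundant, and if the namespace carries only the `kubernetes.io/metadata.name` label used by the other policies in this PR, it matches nothing. Since a bare `podSelector` already scopes to the policy's own namespace, the simplest fix is to delete the three lines `- namespaceSelector:` / `matchLabels:` / `name: openshift-operator-lifecycle-manager` at L265-L267, or, if a namespace qualifier is wanted, fold a `kubernetes.io/metadata.name` selector into each podSelector item rather than listing it as a separate peer. `policyTypes` includes `Ingress` with no ingress rules, so all ingress to the collect-profiles pods is denied; that looks intended for a one-shot job but deserves a comment such as `# no ingress rules: the job pods accept no inbound traffic`.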
89 changes: 89 additions & 0 deletions microshift-manifests/0000_50_olm_01-networkpolicies.yaml
@@ -0,0 +1,89 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all-traffic
namespace: openshift-operator-lifecycle-manager
annotations:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
capability.openshift.io/name: "OperatorLifecycleManager"
include.release.openshift.io/hypershift: "true"
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: olm-operator
namespace: openshift-operator-lifecycle-manager
annotations:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
capability.openshift.io/name: "OperatorLifecycleManager"
include.release.openshift.io/hypershift: "true"
spec:
podSelector:
matchLabels:
app: olm-operator
ingress:
- ports:
- port: metrics
protocol: TCP
egress:
- ports:
- port: 6443
protocol: TCP
- ports:
- port: dns-tcp
protocol: TCP
- port: dns
protocol: UDP
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-dns
policyTypes:
- Ingress
- Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: catalog-operator
namespace: openshift-operator-lifecycle-manager
annotations:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
capability.openshift.io/name: "OperatorLifecycleManager"
include.release.openshift.io/hypershift: "true"
spec:
podSelector:
matchLabels:
app: catalog-operator
ingress:
- ports:
- port: metrics
protocol: TCP
egress:
- ports:
- port: 6443
protocol: TCP
- ports:
- port: dns-tcp
protocol: TCP
- port: dns
protocol: UDP
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-dns
- ports: # This is another distinct rule in the egress list
- protocol: TCP
port: 50051
policyTypes:
- Ingress
- Egress
@@ -0,0 +1,34 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: package-server-manager
namespace: openshift-operator-lifecycle-manager
annotations:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
capability.openshift.io/name: "OperatorLifecycleManager"
include.release.openshift.io/hypershift: "true"
spec:
podSelector:
matchLabels:
app: package-server-manager
ingress:
- ports:
- port: 8443
protocol: TCP
egress:
- ports:
- port: 6443
protocol: TCP
- ports:
- port: dns-tcp
protocol: TCP
- port: dns
protocol: UDP
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-dns
policyTypes:
- Ingress
- Egress
Expand Up @@ -7,6 +7,8 @@ metadata:
include.release.openshift.io/self-managed-high-availability: "true"
capability.openshift.io/name: "OperatorLifecycleManager"
name: collect-profiles
labels:
app: olm-collect-profiles
namespace: openshift-operator-lifecycle-manager
spec:
schedule: "*/15 * * * *"
Expand All @@ -18,6 +20,8 @@ spec:
annotations:
target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
openshift.io/required-scc: restricted-v2
labels:
app: olm-collect-profiles
spec:
securityContext:
runAsNonRoot: true