From 0d97fddd56187d7094d01a3d7bea9f7458194b7b Mon Sep 17 00:00:00 2001 From: David Vossel Date: Wed, 2 Oct 2024 10:13:39 -0400 Subject: [PATCH] Add network policies for konnectivity server and ignition server proxy Signed-off-by: David Vossel --- .../hostedcluster/network_policies.go | 62 +++++++++++++++++++ .../manifests/networkpolicy/manifests.go | 18 ++++++ 2 files changed, 80 insertions(+) diff --git a/hypershift-operator/controllers/hostedcluster/network_policies.go b/hypershift-operator/controllers/hostedcluster/network_policies.go index 34f4739dd7..3485542d52 100644 --- a/hypershift-operator/controllers/hostedcluster/network_policies.go +++ b/hypershift-operator/controllers/hostedcluster/network_policies.go @@ -151,6 +151,13 @@ func (r *HostedClusterReconciler) reconcileNetworkPolicies(ctx context.Context, }); err != nil { return fmt.Errorf("failed to reconcile ignition nodeport network policy: %w", err) } + // Reconcile nodeport-ignition-proxy Network Policy + policy = networkpolicy.NodePortIgnitionProxyNetworkPolicy(controlPlaneNamespaceName) + if _, err := createOrUpdate(ctx, r.Client, policy, func() error { + return reconcileNodePortIgnitionProxyNetworkPolicy(policy, hcluster) + }); err != nil { + return fmt.Errorf("failed to reconcile ignition proxy nodeport network policy: %w", err) + } } case hyperv1.Konnectivity: if svc.ServicePublishingStrategy.Type == hyperv1.NodePort { 
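Review bot: The added comment `// Reconcile nodeport-ignition-proxy Network Policy` only restates the call beneath it and says nothing about what the policy grants; a why-comment such as `// Allow NodePort ingress to the ignition-server-proxy pods on TCP/8443 (rule built in reconcileNodePortIgnitionProxyNetworkPolicy).` would make the allow rule visible at the call site. The opening `if` of the branch that holds this block lies above the hunk; judging from the parallel Konnectivity case visible below, it is the NodePort publishing-strategy branch. Nothing visible here removes the policy again should the Ignition publishing strategy later move away from NodePort, so the 8443 allow rule would persist on the control-plane namespace — worth confirming that the same cleanup path the sibling nodeport policies rely on covers this one. reconcileNetworkPolicies starts and ends outside this hunk.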
@@ -161,6 +168,15 @@ func (r *HostedClusterReconciler) reconcileNetworkPolicies(ctx context.Context, }); err != nil { return fmt.Errorf("failed to reconcile konnectivity nodeport network policy: %w", err) } + + // Reconcile nodeport-konnectivity Network Policy when konnectivity is hosted in the kas pod + policy = networkpolicy.NodePortKonnectivityKASNetworkPolicy(controlPlaneNamespaceName) + if _, err := createOrUpdate(ctx, r.Client, policy, func() error { + return reconcileNodePortKonnectivityKASNetworkPolicy(policy, hcluster) + }); err != nil { + return fmt.Errorf("failed to reconcile konnectivity nodeport network policy: %w", err) + } + } } } @@ -357,6 +373,29 @@ func reconcileNodePortOauthNetworkPolicy(policy *networkingv1.NetworkPolicy, hcl return nil } +func reconcileNodePortIgnitionProxyNetworkPolicy(policy *networkingv1.NetworkPolicy, hcluster *hyperv1.HostedCluster) error { + port := intstr.FromInt(8443) + protocol := corev1.ProtocolTCP + policy.Spec.Ingress = []networkingv1.NetworkPolicyIngressRule{ + { + From: []networkingv1.NetworkPolicyPeer{}, + Ports: []networkingv1.NetworkPolicyPort{ + { + Port: &port, + Protocol: &protocol, + }, + }, + }, + } + policy.Spec.PodSelector = metav1.LabelSelector{ + MatchLabels: map[string]string{ + "app": "ignition-server-proxy", + }, + } + policy.Spec.PolicyTypes = []networkingv1.PolicyType{networkingv1.PolicyTypeIngress} + return nil +} + func reconcileNodePortIgnitionNetworkPolicy(policy *networkingv1.NetworkPolicy, hcluster *hyperv1.HostedCluster) error { port := intstr.FromInt(9090) protocol := corev1.ProtocolTCP @@ -380,6 +419,29 @@ func reconcileNodePortIgnitionNetworkPolicy(policy *networkingv1.NetworkPolicy, return nil } +func reconcileNodePortKonnectivityKASNetworkPolicy(policy *networkingv1.NetworkPolicy, hcluster *hyperv1.HostedCluster) error { + port := intstr.FromInt(8091) + protocol := corev1.ProtocolTCP + policy.Spec.Ingress = []networkingv1.NetworkPolicyIngressRule{ + { + 
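Review bot: The error returned at the end of the added block reuses the message of the preceding block verbatim, `failed to reconcile konnectivity nodeport network policy: %w`, so a failure of the nodeport-konnectivity-kas policy is indistinguishable in logs and conditions from a failure of nodeport-konnectivity; use `return fmt.Errorf("failed to reconcile konnectivity kas nodeport network policy: %w", err)`. The comment says the policy is reconciled "when konnectivity is hosted in the kas pod", but no such condition is checked: the policy is created unconditionally inside the NodePort branch, so pods labelled app=kube-apiserver receive an ingress allow on TCP/8091 from any source even on clusters where konnectivity runs in its own pod. If that is intentional (nothing listens there otherwise), the comment should say so rather than describe a condition the code does not have. reconcileNetworkPolicies starts outside this hunk.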
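Review bot: reconcileNodePortIgnitionProxyNetworkPolicy records nowhere that the empty `From` list is a deliberate allow-from-any-source rule — Kubernetes treats an empty or absent from as matching all sources — so a later reader may "tighten" it and break NodePort traffic; a comment above the Ingress rule such as `// No From peers on purpose: NodePort traffic presumably arrives from node addresses and cannot be matched by pod/namespace selectors, so only the port is restricted.` pins the intent. The function also has no doc comment; `// reconcileNodePortIgnitionProxyNetworkPolicy limits ingress to ignition-server-proxy pods to TCP/8443 while allowing any source.` would complete it. The hcluster parameter is unused; if it is kept only for signature parity with the sibling reconcilers, saying so in the doc comment avoids the question at the next review.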
From: []networkingv1.NetworkPolicyPeer{}, + Ports: []networkingv1.NetworkPolicyPort{ + { + Port: &port, + Protocol: &protocol, + }, + }, + }, + } + policy.Spec.PodSelector = metav1.LabelSelector{ + MatchLabels: map[string]string{ + "app": "kube-apiserver", + }, + } + policy.Spec.PolicyTypes = []networkingv1.PolicyType{networkingv1.PolicyTypeIngress} + return nil +} + func reconcileNodePortKonnectivityNetworkPolicy(policy *networkingv1.NetworkPolicy, hcluster *hyperv1.HostedCluster) error { port := intstr.FromInt(8091) protocol := corev1.ProtocolTCP diff --git a/hypershift-operator/controllers/manifests/networkpolicy/manifests.go b/hypershift-operator/controllers/manifests/networkpolicy/manifests.go index 4ee01c7ed8..f99fec705f 100644 --- a/hypershift-operator/controllers/manifests/networkpolicy/manifests.go +++ b/hypershift-operator/controllers/manifests/networkpolicy/manifests.go @@ -95,6 +95,15 @@ func NodePortIgnitionNetworkPolicy(namespace string) *networkingv1.NetworkPolicy } } +func NodePortIgnitionProxyNetworkPolicy(namespace string) *networkingv1.NetworkPolicy { + return &networkingv1.NetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Name: "nodeport-ignition-proxy", + }, + } +} + func NodePortKonnectivityNetworkPolicy(namespace string) *networkingv1.NetworkPolicy { return &networkingv1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ @@ -104,6 +113,15 @@ func NodePortKonnectivityNetworkPolicy(namespace string) *networkingv1.NetworkPo } } +func NodePortKonnectivityKASNetworkPolicy(namespace string) *networkingv1.NetworkPolicy { + return &networkingv1.NetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Name: "nodeport-konnectivity-kas", + }, + } +} + func VirtLauncherNetworkPolicy(namespace string) *networkingv1.NetworkPolicy { return &networkingv1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{
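Review bot: reconcileNodePortKonnectivityKASNetworkPolicy is a line-for-line copy of reconcileNodePortKonnectivityNetworkPolicy directly below it, differing only in the pod-selector value, and both hard-code 8091; the same patch adds a third copy of this shape in reconcileNodePortIgnitionProxyNetworkPolicy (8443, app=ignition-server-proxy). The port and selector are the security-relevant content of these policies and are easier to audit as one helper taking the app label and port, with each reconciler reduced to a single call; the rule shape (one ingress rule, any source, one TCP port, PolicyTypes=Ingress) does not change. The unused hcluster parameter can stay for signature parity. The function's opening line is on the previous physical line of the diff, and the body of reconcileNodePortKonnectivityNetworkPolicy continues past the hunk.
```go
// nodePortIngressPolicy configures policy to allow TCP ingress on port from
// any source to pods labelled app=appLabel. From is left empty on purpose:
// NodePort traffic cannot be matched by pod or namespace selectors.
func nodePortIngressPolicy(policy *networkingv1.NetworkPolicy, appLabel string, port int) {
	p := intstr.FromInt(port)
	protocol := corev1.ProtocolTCP
	policy.Spec.Ingress = []networkingv1.NetworkPolicyIngressRule{
		{
			From:  []networkingv1.NetworkPolicyPeer{},
			Ports: []networkingv1.NetworkPolicyPort{{Port: &p, Protocol: &protocol}},
		},
	}
	policy.Spec.PodSelector = metav1.LabelSelector{MatchLabels: map[string]string{"app": appLabel}}
	policy.Spec.PolicyTypes = []networkingv1.PolicyType{networkingv1.PolicyTypeIngress}
}

// reconcileNodePortKonnectivityKASNetworkPolicy allows NodePort ingress on
// TCP/8091 to the kube-apiserver pods, for the case where the konnectivity
// server runs inside that pod. hcluster is unused; kept for signature parity.
func reconcileNodePortKonnectivityKASNetworkPolicy(policy *networkingv1.NetworkPolicy, hcluster *hyperv1.HostedCluster) error {
	nodePortIngressPolicy(policy, "kube-apiserver", 8091)
	return nil
}
```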
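Review bot: NodePortIgnitionProxyNetworkPolicy is an exported function added without a doc comment; the neighbouring constructors visible in this hunk lack one too, but new code should not extend that. The one non-obvious fact is that the object is a metadata-only skeleton whose rules are set elsewhere, so `// NodePortIgnitionProxyNetworkPolicy returns the nodeport-ignition-proxy NetworkPolicy for namespace with only its metadata set; the spec is populated by the hosted cluster reconciler.` is enough.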
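Review bot: NodePortKonnectivityKASNetworkPolicy is exported and undocumented, and its name alone does not convey that it is a second konnectivity policy targeting the kube-apiserver pods rather than a replacement for NodePortKonnectivityNetworkPolicy above it. A doc comment of the form `// NodePortKonnectivityKASNetworkPolicy returns the metadata-only nodeport-konnectivity-kas NetworkPolicy for namespace; its ingress rule (TCP/8091 to app=kube-apiserver pods) is set by the hosted cluster reconciler.` states both the skeleton nature of the object and how it differs from the sibling.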