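--- a/assets/admission-webhook/network-policy-downstream.yaml
+++ b/assets/admission-webhook/network-policy-downstream.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: prometheus-operator-admission-webhook
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus-operator-admission-webhook
+  policyTypes:
+  - Ingress
+  - Egress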
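Review bot: The single rule under `ingress:` lists only `ports` and no `from`, so the `https` port is reachable from any pod in any namespace and from outside the cluster, not only from the API server that the companion jsonnet comment names. That is probably unavoidable here, since the API server usually runs on the host network and cannot be matched by a `podSelector` (not verifiable from this diff), but the all-sources scope should be stated in the file rather than left implicit. Suggested comment above the rule: `# no 'from' peer: the API server is not selectable by pod/namespace label, so any source may reach https`.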
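--- a/assets/alertmanager/network-policy-downstream.yaml
+++ b/assets/alertmanager/network-policy-downstream.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: alertmanager
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: tenancy
+      protocol: TCP
+    - port: web
+      protocol: TCP
+    - port: metrics
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: alertmanager
+  policyTypes:
+  - Ingress
+  - Egress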
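Review bot: The `web` and `metrics` ports are opened to every source because the single ingress rule has no `from`, even though the corresponding jsonnet comments describe them as Prometheus-only; any pod in the cluster can post alerts to 9095, subject only to whatever authentication the listener itself enforces. If Prometheus is the intended peer, restrict it with `from:` / `- podSelector:` / `    matchLabels: {app.kubernetes.io/name: prometheus}` on the web/metrics ports, keeping `tenancy` in a separate rule. Separately, nothing here admits the Alertmanager cluster gossip port between replicas; if the deployment runs more than one replica (not visible in this diff), confirm that peer traffic is allowed elsewhere or HA will silently degrade under the namespace default-deny.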
@@ -0,0 +1,13 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/managed-by: cluster-monitoring-operator
app.kubernetes.io/part-of: openshift-monitoring
name: default-deny
namespace: openshift-monitoring
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
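Review bot: With `podSelector: {}` and both policy types, this policy cuts all ingress and egress for every pod in the namespace that is not re-opened by a companion policy, including DNS and API-server egress. Every workload in `openshift-monitoring` therefore needs its own allow policy; the per-component policies in this change cover the selectors they list, but I do not see one in this diff for the operator pod itself or for any other pod in the namespace, so confirm nothing is left selected only by this policy. Worth a comment in the file: `# Baseline deny for the namespace; each component re-opens what it needs in its own NetworkPolicy.`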
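--- a/assets/kube-state-metrics/network-policy-downstream.yaml
+++ b/assets/kube-state-metrics/network-policy-downstream.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: kube-state-metrics
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https-main
+      protocol: TCP
+    - port: https-self
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: kube-state-metrics
+  policyTypes:
+  - Ingress
+  - Egress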
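Review bot: `egress:` / `- {}` is an allow-all rule, so listing `Egress` in `policyTypes` restores the unrestricted egress that the namespace default-deny removed rather than constraining it. kube-state-metrics only needs to talk to the API server (inferred from its role, not from this diff), but the API server's host-network endpoints are hard to express portably in a NetworkPolicy, which is presumably why the rule is wide open. A comment making that trade-off explicit would stop a later reader from assuming egress is actually limited: `# egress is intentionally unrestricted: the API server endpoints cannot be selected by label`.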
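--- a/assets/metrics-server/network-policy-downstream.yaml
+++ b/assets/metrics-server/network-policy-downstream.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: metrics-server
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: metrics-server
+  policyTypes:
+  - Ingress
+  - Egress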
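Review bot: The `https` ingress rule has no `from`, so any pod in the cluster can reach the metrics-server pods directly on the pod network rather than only through the aggregated API server path. That is acceptable only if the server authenticates every request itself (nothing in this diff shows a proxy in front of it), so the policy should say so: `# ingress from any source: requests are authenticated by metrics-server; the API server (host network) cannot be selected`. The allow-all egress is presumably needed for scraping kubelets on node IPs, which is worth a one-line comment too.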
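--- a/assets/monitoring-plugin/network-policy-downstream.yaml
+++ b/assets/monitoring-plugin/network-policy-downstream.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: monitoring-plugin
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: monitoring-plugin
+  policyTypes:
+  - Ingress
+  - Egress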
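Review bot: Both rules are wider than a console-plugin pod appears to need: `ingress` admits any source on `https` where the only expected client is the console (the caller is not visible in this diff), and `egress: - {}` allows everything for a workload that serves static assets and may need no egress at all. Consider `from:` / `- namespaceSelector:` / `    matchLabels: {kubernetes.io/metadata.name: openshift-console}` on the ingress rule, and `egress: []` if the plugin really makes no outbound connections. If the allow-all egress is deliberate, a comment explaining why would keep the next hardening pass from guessing.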
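--- a/assets/openshift-state-metrics/network-policy-downstream.yaml
+++ b/assets/openshift-state-metrics/network-policy-downstream.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: openshift-state-metrics
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https-main
+      protocol: TCP
+    - port: https-self
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: openshift-state-metrics
+  policyTypes:
+  - Ingress
+  - Egress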
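Review bot: This file is the kube-state-metrics policy with only the name and label changed, and the same `ingress`-without-`from` plus `egress: - {}` shape is repeated across all ten new policies; a shared jsonnet helper taking the component name and port list would keep them from drifting (the jsonnet that produces this file is not in the diff). On substance, the two `https-*` ports are open to every source, so if only Prometheus should scrape them, add `from:` / `- podSelector:` / `    matchLabels: {app.kubernetes.io/name: prometheus}`.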
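--- a/assets/prometheus-k8s/network-policy-downstream.yaml
+++ b/assets/prometheus-k8s/network-policy-downstream.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: prometheus
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: grpc
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus
+  policyTypes:
+  - Ingress
+  - Egress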
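Review bot: Only the `grpc` port is admitted, so anything that reaches the Prometheus pods directly on their other ports is now dropped by the namespace default-deny. In particular, if the ServiceMonitor for `prometheus-k8s` scrapes the pods' web port (not visible here), one replica scraping the other will fail, and the gRPC store API is meanwhile left open to every source rather than to Thanos Querier. Consider adding the web/metrics port names to the rule and scoping `grpc` with `from:` / `- podSelector:` / `    matchLabels: {app.kubernetes.io/name: thanos-query}`.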
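--- a/assets/prometheus-operator/network-policy-downstream.yaml
+++ b/assets/prometheus-operator/network-policy-downstream.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: prometheus-operator
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus-operator
+  policyTypes:
+  - Ingress
+  - Egress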
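Review bot: The `https` ingress is open to every source, which for an operator pod is most likely only its metrics endpoint being scraped by Prometheus (the jsonnet for this policy is not in the diff, so the intent is inferred). If that is the case, restrict the peer: `from:` / `- podSelector:` / `    matchLabels: {app.kubernetes.io/name: prometheus}`. The allow-all egress is understandable for API-server access but deserves a comment so it is not mistaken for a restriction.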
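--- a/assets/telemeter-client/network-policy-downstream.yaml
+++ b/assets/telemeter-client/network-policy-downstream.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: telemeter-client
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: telemeter-client
+  policyTypes:
+  - Ingress
+  - Egress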
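Review bot: The `egress: - {}` rule is the one case in this set where allow-all is clearly required rather than a convenience, because telemeter-client pushes data to an off-cluster endpoint, possibly via a cluster-wide proxy (inferred from the component's role, not from this diff). Record that in the file so a later hardening pass does not tighten it by analogy with the other components: `# egress must stay unrestricted: telemeter-client uploads to the external Telemeter service`. The `https` ingress, like the others, is open to any source; scope it to Prometheus with a `from` podSelector if only scraping is expected.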
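--- a/assets/thanos-querier/network-policy-downstream.yaml
+++ b/assets/thanos-querier/network-policy-downstream.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: thanos-querier
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: tenancy
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: thanos-query
+  policyTypes:
+  - Ingress
+  - Egress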
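Review bot: The selector matches `app.kubernetes.io/name: thanos-query` while the policy itself is named `thanos-querier`; if the pods carry a different label value, this policy selects nothing and the querier pods are left under the default-deny alone, unreachable and unable to reach Prometheus. Confirm the value against the Deployment's pod template (not in this diff) and leave a marker: `# label value is 'thanos-query', not 'thanos-querier' - must match the Deployment's pod template`. Also only `tenancy` is admitted; if the console or other clients query the non-tenancy web port directly, that traffic is now blocked.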
34 changes: 34 additions & 0 deletions jsonnet/components/admission-webhook.libsonnet
Expand Up @@ -169,4 +169,38 @@ function(params)
},
],
},
networkPolicyDownstream: {
apiVersion: 'networking.k8s.io/v1',
kind: 'NetworkPolicy',
metadata: {
name: 'prometheus-operator-admission-webhook',
namespace: 'openshift-monitoring',
},
spec: {
podSelector: {
matchLabels: {
'app.kubernetes.io/name': 'prometheus-operator-admission-webhook',
},
},
policyTypes: [
'Ingress',
'Egress',
],
ingress: [
{
ports: [
{
// allow apiserver reach to prometheus-operator-admission-webhook
// 8443(port name: https) port to validate customresourcedefinitions
port: 'https',
protocol: 'TCP',
},
],
},
],
egress: [
{},
],
},
},
}
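Review bot: The namespace is hard-coded at `namespace: 'openshift-monitoring',` whereas the alertmanager policy in the same change uses `cfg.namespace`; if this file exposes the same config object, `namespace: cfg.namespace,` keeps the two consistent and lets the policy follow a namespace override. The comment above the port entry says the API server is allowed in, but the rule has no `from`, so it actually admits any source; rewording it to `// no 'from' peer: the API server cannot be selected by label, so any source may reach 8443 (https)` describes what the policy does.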
44 changes: 44 additions & 0 deletions jsonnet/components/alertmanager.libsonnet
Expand Up @@ -445,4 +445,48 @@ function(params)
],
},
},
networkPolicyDownstream: {
apiVersion: 'networking.k8s.io/v1',
kind: 'NetworkPolicy',
metadata: {
name: 'alertmanager',
namespace: cfg.namespace,
},
spec: {
podSelector: {
matchLabels: {
'app.kubernetes.io/name': 'alertmanager',
},
},
policyTypes: [
'Ingress',
'Egress',
],
ingress: [
{
ports: [
{
// allow access to the Alertmanager endpoints restricted to a given project,
// port number 9092(port name: tenancy)
port: 'tenancy',
protocol: 'TCP',
},
{
// allow prometheus to sent alerts to alertmanager, port number 9095(port name: web)
port: 'web',
protocol: 'TCP',
},
{
// allow prometheus to scrape alertmanager endpoint, port number 9097(port name: metrics)
port: 'metrics',
protocol: 'TCP',
},
],
},
],
egress: [
{},
],
},
},
}
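Review bot: The comments on the `web` and `metrics` ports say the traffic comes from Prometheus, but the rule carries no `from` selector, so the policy admits any source on those ports and the comments overstate the restriction. Either add a `from` podSelector for Prometheus on those two ports or reword, e.g. `// open to any source (no 'from'); used by prometheus to send alerts, port 9095 (web)`. There is also a typo: `sent` should be `send`.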
23 changes: 23 additions & 0 deletions jsonnet/components/cluster-monitoring-operator.libsonnet
Expand Up @@ -322,6 +322,11 @@ function(params) {
resources: ['alertmanagers/api'],
verbs: ['*'],
},
{
apiGroups: ['networking.k8s.io'],
resources: ['networkpolicies'],
verbs: ['create', 'get', 'list', 'watch', 'update', 'delete'],
},
],
},

Expand Down Expand Up @@ -566,4 +571,22 @@ function(params) {
verbs: ['*'],
}],
},

// Default deny all pods traffic
networkPolicyDefaultDeny: {
apiVersion: 'networking.k8s.io/v1',
kind: 'NetworkPolicy',
metadata: {
name: 'default-deny',
namespace: cfg.namespace,
},
spec: {
podSelector: {
},
policyTypes: [
'Ingress',
'Egress',
],
},
},
}
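Review bot: The new `networkpolicies` rule grants `create`/`update`/`delete` with no `resourceNames`, and if this list belongs to the operator's ClusterRole (the enclosing object starts outside the hunk) it lets the operator rewrite or remove NetworkPolicies in every namespace, well beyond the monitoring namespaces it manages. If a cluster-wide grant is not needed, move it into a namespaced Role for `openshift-monitoring` (and the user-workload namespace) or pin the names with `resourceNames`. Separately, `networkPolicyDefaultDeny` selects every pod in `cfg.namespace`, including the operator's own, and I do not see an allow policy for it in this change.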