OCPBUGS-42579: Add network policies for konnectivity server and ignition server proxy #4840
Conversation
openshift-ci-robot
added
jira/valid-reference
|
@davidvossel: This pull request references Jira Issue OCPBUGS-42579, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
added
the
area/hypershift-operator
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: davidvossel The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
approved
|
/jira refresh |
openshift-ci-robot
added
the
jira/valid-bug
|
@davidvossel: This pull request references Jira Issue OCPBUGS-42579, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira ([email protected]), skipping review request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
removed
the
jira/invalid-bug
| @@ -151,6 +151,13 @@ func (r *HostedClusterReconciler) reconcileNetworkPolicies(ctx context.Context, | |||
| }); err != nil { | |||
| return fmt.Errorf("failed to reconcile ignition nodeport network policy: %w", err) | |||
| } | |||
| // Reconcile nodeport-ignition-procy Network Policy | |||
There was a problem hiding this comment.
nit: s/nodeport-ignition-procy/nodeport-ignition-proxy/
|
|
||
| // Reconcile nodeport-konnectivity Network Policy when konnectivity is hosted in the kas pod | ||
| policy = networkpolicy.NodePortKonnectivityKASNetworkPolicy(controlPlaneNamespaceName) | ||
| if _, err := createOrUpdate(ctx, r.Client, policy, func() error { |
There was a problem hiding this comment.
I think this will create the policy always, we need to identify where is konnectivity and then place the netpol accordingly.
There was a problem hiding this comment.
we need to identify where is konnectivity and then place the netpol accordingly.
how? the hypershift operator isn't responsible for laying down the konnectivity agent.
There was a problem hiding this comment.
Yeah you're right. I had an eye in the security people that maybe they will concern to have that gate opened.
|
|
||
| // Reconcile nodeport-konnectivity Network Policy when konnectivity is hosted in the kas pod | ||
| policy = networkpolicy.NodePortKonnectivityKASNetworkPolicy(controlPlaneNamespaceName) | ||
| if _, err := createOrUpdate(ctx, r.Client, policy, func() error { |
There was a problem hiding this comment.
we need to identify where is konnectivity and then place the netpol accordingly.
how? the hypershift operator isn't responsible for laying down the konnectivity agent.
Signed-off-by: David Vossel <[email protected]>
There was a problem hiding this comment.
Looks good so far. This also will cover this other bug OCPBUGS-39317. I will mark it as dup and remark it will be solved with this PR.
|
|
||
| // Reconcile nodeport-konnectivity Network Policy when konnectivity is hosted in the kas pod | ||
| policy = networkpolicy.NodePortKonnectivityKASNetworkPolicy(controlPlaneNamespaceName) | ||
| if _, err := createOrUpdate(ctx, r.Client, policy, func() error { |
There was a problem hiding this comment.
Yeah you're right. I had an eye in the security people that maybe they will concern to have that gate opened.
|
/lgtm |
|
@davidvossel: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
@davidvossel: Jira Issue OCPBUGS-42579: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-42579 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[ART PR BUILD NOTIFIER] Distgit: hypershift |
|
/cherry-pick release-4.17 release-4.16 release-4.15 release-4.14 |
|
@davidvossel: new pull request created: #4865 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
This fixes two issues that impact HCP with the NodePort publishing strategy.
This is resolved by adding a new network policy that allows access to the konnectivity server when it is hosted within the kas pod (which is how this is currently deployed in 4.17)