diff --git a/manifests/0000_50_olm_01-networkpolicies.yaml b/manifests/0000_50_olm_01-networkpolicies.yaml index e4048bf97f..4defacb3bd 100644 --- a/manifests/0000_50_olm_01-networkpolicies.yaml +++ b/manifests/0000_50_olm_01-networkpolicies.yaml @@ -33,18 +33,16 @@ spec: - port: metrics protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Ingress - Egress @@ -68,18 +66,16 @@ spec: - port: metrics protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns - ports: - protocol: TCP port: 50051 @@ -106,18 +102,16 @@ spec: - protocol: TCP port: 5443 egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns - ports: - protocol: TCP port: 50051 diff --git a/manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml b/manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml index 38c8696796..c18bf69c27 100644 --- a/manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml +++ b/manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml 
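Review bot: The added `- {}` egress entry is an empty NetworkPolicyEgressRule, which Kubernetes evaluates as "allow all egress to any peer on any port", so from this hunk on the DNS `ports` rule and the pre-existing `50051` rule no longer restrict anything and the policy's egress side is effectively open. The removed lines had scoped the API server to TCP/6443 and DNS to the `openshift-dns` namespace; the new rule drops both constraints rather than widening them deliberately (for example, by keeping a `to:` target and listing the additional API-server port). If the intent is only that the apiserver port varies across topologies, a narrower form would be to keep a `to:` selector and add the extra port, or at least to document in the manifest that this entry intentionally disables egress filtering: `# empty rule = allow ALL egress; the port rules below are informational only`. The `spec:` these rules belong to starts outside the hunk.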
@@ -17,18 +17,16 @@ spec: - port: 8443 protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Ingress - Egress diff --git a/manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml b/manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml index f0bb3486ca..37b4aba044 100644 --- a/manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml +++ b/manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml @@ -27,18 +27,16 @@ spec: - podSelector: matchLabels: app: catalog-operator + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Egress - Ingress diff --git a/microshift-manifests/0000_50_olm_01-networkpolicies.yaml b/microshift-manifests/0000_50_olm_01-networkpolicies.yaml index fe556ac92d..c991681f8d 100644 --- a/microshift-manifests/0000_50_olm_01-networkpolicies.yaml +++ b/microshift-manifests/0000_50_olm_01-networkpolicies.yaml @@ -34,18 +34,16 @@ spec: - port: metrics protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Ingress - Egress 
@@ -69,18 +67,16 @@ spec: - port: metrics protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns - ports: - protocol: TCP port: 50051 diff --git a/microshift-manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml b/microshift-manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml index 38c8696796..c18bf69c27 100644 --- a/microshift-manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml +++ b/microshift-manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml @@ -17,18 +17,16 @@ spec: - port: 8443 protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Ingress - Egress diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh index d1a89a63a8..004bc9e9bb 100755 --- a/scripts/generate_crds_manifests.sh +++ b/scripts/generate_crds_manifests.sh @@ -143,18 +143,16 @@ spec: - port: 8443 protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Ingress - Egress 
@@ -445,18 +443,16 @@ spec: - podSelector: matchLabels: app: catalog-operator + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Egress - Ingress diff --git a/staging/operator-lifecycle-manager/deploy/chart/values.yaml b/staging/operator-lifecycle-manager/deploy/chart/values.yaml index 394159bb4b..652b417dd3 100644 --- a/staging/operator-lifecycle-manager/deploy/chart/values.yaml +++ b/staging/operator-lifecycle-manager/deploy/chart/values.yaml @@ -110,10 +110,11 @@ networkPolicy: port: 53 - protocol: UDP port: 53 - kubeAPIServer: - ports: - protocol: TCP - port: 6443 + port: 5353 + - protocol: UDP + port: 5353 + kubeAPIServer: {} metrics: ports: - protocol: TCP diff --git a/staging/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go b/staging/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go index 8302cd5df6..eca6a2459d 100644 --- a/staging/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go +++ b/staging/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go 
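Review bot: In the chart values, `kubeAPIServer: {}` replaces a rule carrying `ports: TCP/6443`; if the template renders this value verbatim into `egress`, the result is an empty egress rule that allows all destinations and ports, not a kube-apiserver-specific allowance as the key name suggests. The template that consumes this key is not visible here, so this is inferred from the shape of the value. A comment in `values.yaml` would prevent the key from being read as a targeted rule: `# {} renders as an empty egress rule, i.e. unrestricted egress (kube-apiserver port is not fixed)`. If an ipBlock or service-CIDR target for the API server is available to the chart, scoping `to:` there would retain the least-privilege intent.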
@@ -46,14 +46,29 @@ func DesiredGRPCServerNetworkPolicy(catalogSource *v1alpha1.CatalogSource, match }, } - // Allow egress to kube-apiserver from configmap backed catalog sources + // Allow egress to kube-apiserver and DNS from configmap backed catalog sources if catalogSource.Spec.SourceType == v1alpha1.SourceTypeConfigmap || catalogSource.Spec.SourceType == v1alpha1.SourceTypeInternal { np.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{ + // Wildcard allow all IPs/Ports for kube-apiserver + {}, + // Wildcard allow all IPs with DNS ports { Ports: []networkingv1.NetworkPolicyPort{ { Protocol: ptr.To(corev1.ProtocolTCP), - Port: ptr.To(intstr.FromInt32(6443)), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolTCP), + Port: ptr.To(intstr.FromInt32(5353)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(5353)), }, }, }, @@ -90,11 +105,26 @@ func DesiredUnpackBundlesNetworkPolicy(catalogSource client.Object) *networkingv }, PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress}, Egress: []networkingv1.NetworkPolicyEgressRule{ + // Wildcard allow all IPs/Ports for kube-apiserver + {}, + // Wildcard allow all IPs with DNS ports { Ports: []networkingv1.NetworkPolicyPort{ { Protocol: ptr.To(corev1.ProtocolTCP), - Port: ptr.To(intstr.FromInt32(6443)), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolTCP), + Port: ptr.To(intstr.FromInt32(5353)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(5353)), }, }, }, diff --git a/tests-extension/.openshift-tests-extension/openshift_payload_olmv0.json b/tests-extension/.openshift-tests-extension/openshift_payload_olmv0.json index 4aeb037d79..caf09c3a89 100644 
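Review bot: The comment `// Wildcard allow all IPs/Ports for kube-apiserver` understates what the `{}` element does: an empty `NetworkPolicyEgressRule` matches every destination and every port, so the DNS rule appended right after it is unreachable in effect, and the policies generated by `DesiredGRPCServerNetworkPolicy` and `DesiredUnpackBundlesNetworkPolicy` now impose no egress restriction at all. That matters more here than in the static manifests, because these policies wrap catalog-source registry pods and bundle-unpack pods, which run content supplied by catalogs rather than by the cluster operator. If the motivation is that the API server port is not fixed across topologies (hedged; the reason is not stated in the hunk), consider a `To:` target for the API server instead, or at minimum make the comment truthful, e.g. `// Empty rule: permits ALL egress (any peer, any port). Kept because the kube-apiserver port varies by topology; note this makes the DNS rule below redundant.`. Both functions' bodies extend beyond the hunk.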
--- a/tests-extension/.openshift-tests-extension/openshift_payload_olmv0.json +++ b/tests-extension/.openshift-tests-extension/openshift_payload_olmv0.json @@ -897,6 +897,7 @@ "originalName": "[sig-operator][Jira:OLM] OLMv0 on microshift PolarionID:83581-[Skipped:Disconnected]olmv0 networkpolicy on microshift.", "labels": { "Extended": {}, + "Lifecycle:informing": {}, "NonHyperShiftHOST": {}, "original-name:[sig-operator][Jira:OLM] OLMv0 on microshift PolarionID:83581-[Skipped:Disconnected]olmv0 networkpolicy on microshift.": {} }, @@ -904,7 +905,7 @@ "isolation": {} }, "source": "openshift:payload:olmv0", - "lifecycle": "blocking", + "lifecycle": "informing", "environmentSelector": { "exclude": "topology==\"External\"" } @@ -962,6 +963,7 @@ "originalName": "[sig-operator][Jira:OLM] OLMv0 should PolarionID:83105-[Skipped:Disconnected]olmv0 static networkpolicy on ocp", "labels": { "Extended": {}, + "Lifecycle:informing": {}, "NonHyperShiftHOST": {}, "ReleaseGate": {}, "original-name:[sig-operator][Jira:OLM] OLMv0 should PolarionID:83105-[Skipped:Disconnected]olmv0 static networkpolicy on ocp": {} @@ -970,7 +972,7 @@ "isolation": {} }, "source": "openshift:payload:olmv0", - "lifecycle": "blocking", + "lifecycle": "informing", "environmentSelector": { "exclude": "topology==\"External\"" } diff --git a/tests-extension/test/qe/specs/olmv0_microshift.go b/tests-extension/test/qe/specs/olmv0_microshift.go index ee0a7f9186..e5ef1a5496 100644 --- a/tests-extension/test/qe/specs/olmv0_microshift.go +++ b/tests-extension/test/qe/specs/olmv0_microshift.go @@ -7,6 +7,7 @@ import ( g "github.com/onsi/ginkgo/v2" o "github.com/onsi/gomega" + ote "github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo" exutil "github.com/openshift/operator-framework-olm/tests-extension/test/qe/util" "github.com/openshift/operator-framework-olm/tests-extension/test/qe/util/olmv0util" 
@@ -219,7 +220,7 @@ var _ = g.Describe("[sig-operator][Jira:OLM] OLMv0 on microshift", g.Label("NonH }) - g.It("PolarionID:83581-[OTP][Skipped:Disconnected]olmv0 networkpolicy on microshift.", g.Label("original-name:[sig-operator][Jira:OLM] OLMv0 on microshift PolarionID:83581-[Skipped:Disconnected]olmv0 networkpolicy on microshift."), func() { + g.It("PolarionID:83581-[OTP][Skipped:Disconnected]olmv0 networkpolicy on microshift.", ote.Informing(), g.Label("original-name:[sig-operator][Jira:OLM] OLMv0 on microshift PolarionID:83581-[Skipped:Disconnected]olmv0 networkpolicy on microshift."), func() { policies := []olmv0util.NpExpecter{ { @@ -233,14 +234,17 @@ var _ = g.Describe("[sig-operator][Jira:OLM] OLMv0 on microshift", g.Label("NonH }, ExpectEgress: []olmv0util.EgressRule{ { - Ports: []olmv0util.Port{{Port: 6443, Protocol: "TCP"}}, + Ports: []olmv0util.Port{{}}, Selectors: nil, }, { - Ports: []olmv0util.Port{{Port: "dns-tcp", Protocol: "TCP"}, {Port: "dns", Protocol: "UDP"}}, - Selectors: []olmv0util.Selector{ - {NamespaceLabels: map[string]string{"kubernetes.io/metadata.name": "openshift-dns"}}, + Ports: []olmv0util.Port{ + {Port: "53", Protocol: "TCP"}, + {Port: "53", Protocol: "UDP"}, + {Port: "5353", Protocol: "TCP"}, + {Port: "5353", Protocol: "UDP"}, }, + Selectors: nil, }, { Ports: []olmv0util.Port{{Port: 50051, Protocol: "TCP"}}, 
@@ -269,14 +273,17 @@ var _ = g.Describe("[sig-operator][Jira:OLM] OLMv0 on microshift", g.Label("NonH }, ExpectEgress: []olmv0util.EgressRule{ { - Ports: []olmv0util.Port{{Port: 6443, Protocol: "TCP"}}, + Ports: []olmv0util.Port{{}}, Selectors: nil, }, { - Ports: []olmv0util.Port{{Port: "dns-tcp", Protocol: "TCP"}, {Port: "dns", Protocol: "UDP"}}, - Selectors: []olmv0util.Selector{ - {NamespaceLabels: map[string]string{"kubernetes.io/metadata.name": "openshift-dns"}}, + Ports: []olmv0util.Port{ + {Port: "53", Protocol: "TCP"}, + {Port: "53", Protocol: "UDP"}, + {Port: "5353", Protocol: "TCP"}, + {Port: "5353", Protocol: "UDP"}, }, + Selectors: nil, }, }, ExpectSelector: map[string]string{"app": "olm-operator"}, diff --git a/tests-extension/test/qe/specs/olmv0_networkpolicy.go b/tests-extension/test/qe/specs/olmv0_networkpolicy.go index 62676c89b2..0482cdc91b 100644 --- a/tests-extension/test/qe/specs/olmv0_networkpolicy.go +++ b/tests-extension/test/qe/specs/olmv0_networkpolicy.go @@ -6,6 +6,7 @@ import ( g "github.com/onsi/ginkgo/v2" o "github.com/onsi/gomega" + ote "github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo" "github.com/tidwall/gjson" e2e "k8s.io/kubernetes/test/e2e/framework" @@ -26,7 +27,7 @@ var _ = g.Describe("[sig-operator][Jira:OLM] OLMv0 networkpolicy", func() { exutil.SkipNoOLMCore(oc) }) - g.It("PolarionID:83105-[OTP][Skipped:Disconnected]olmv0 static networkpolicy on ocp", g.Label("NonHyperShiftHOST", "ReleaseGate"), g.Label("original-name:[sig-operator][Jira:OLM] OLMv0 should PolarionID:83105-[Skipped:Disconnected]olmv0 static networkpolicy on ocp"), func() { + g.It("PolarionID:83105-[OTP][Skipped:Disconnected]olmv0 static networkpolicy on ocp", ote.Informing(), g.Label("NonHyperShiftHOST", "ReleaseGate"), g.Label("original-name:[sig-operator][Jira:OLM] OLMv0 should PolarionID:83105-[Skipped:Disconnected]olmv0 static networkpolicy on ocp"), func() { policies := []olmv0util.NpExpecter{ { 
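Review bot: The `g.It` for PolarionID:83105 now carries `ote.Informing()` while still being labeled `"ReleaseGate"`, which is contradictory: an informing test cannot gate a release, so a future regression in the network policies (the thing this test exists to pin) would no longer block. The same downgrade is applied to the microshift test in the hunk above. If the demotion is temporary while the expectations settle, a comment at the call site stating that and the condition for restoring `blocking` would help, e.g. `// TODO: restore to blocking once the {} egress rule is finalized`; otherwise drop the `ReleaseGate` label so the metadata is consistent.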
@@ -52,14 +53,17 @@ var _ = g.Describe("[sig-operator][Jira:OLM] OLMv0 networkpolicy", func() { }, ExpectEgress: []olmv0util.EgressRule{ { - Ports: []olmv0util.Port{{Port: 6443, Protocol: "TCP"}}, + Ports: []olmv0util.Port{{}}, Selectors: nil, }, { - Ports: []olmv0util.Port{{Port: "dns-tcp", Protocol: "TCP"}, {Port: "dns", Protocol: "UDP"}}, - Selectors: []olmv0util.Selector{ - {NamespaceLabels: map[string]string{"kubernetes.io/metadata.name": "openshift-dns"}}, + Ports: []olmv0util.Port{ + {Port: "53", Protocol: "TCP"}, + {Port: "53", Protocol: "UDP"}, + {Port: "5353", Protocol: "TCP"}, + {Port: "5353", Protocol: "UDP"}, }, + Selectors: nil, }, { Ports: []olmv0util.Port{{Port: 50051, Protocol: "TCP"}}, @@ -88,14 +92,17 @@ var _ = g.Describe("[sig-operator][Jira:OLM] OLMv0 networkpolicy", func() { }, ExpectEgress: []olmv0util.EgressRule{ { - Ports: []olmv0util.Port{{Port: 6443, Protocol: "TCP"}}, + Ports: []olmv0util.Port{{}}, Selectors: nil, }, { - Ports: []olmv0util.Port{{Port: "dns-tcp", Protocol: "TCP"}, {Port: "dns", Protocol: "UDP"}}, - Selectors: []olmv0util.Selector{ - {NamespaceLabels: map[string]string{"kubernetes.io/metadata.name": "openshift-dns"}}, + Ports: []olmv0util.Port{ + {Port: "53", Protocol: "TCP"}, + {Port: "53", Protocol: "UDP"}, + {Port: "5353", Protocol: "TCP"}, + {Port: "5353", Protocol: "UDP"}, }, + Selectors: nil, }, }, ExpectSelector: map[string]string{"app": "olm-operator"}, 
@@ -112,14 +119,17 @@ var _ = g.Describe("[sig-operator][Jira:OLM] OLMv0 networkpolicy", func() { }, ExpectEgress: []olmv0util.EgressRule{ { - Ports: []olmv0util.Port{{Port: 6443, Protocol: "TCP"}}, + Ports: []olmv0util.Port{{}}, Selectors: nil, }, { - Ports: []olmv0util.Port{{Port: "dns-tcp", Protocol: "TCP"}, {Port: "dns", Protocol: "UDP"}}, - Selectors: []olmv0util.Selector{ - {NamespaceLabels: map[string]string{"kubernetes.io/metadata.name": "openshift-dns"}}, + Ports: []olmv0util.Port{ + {Port: "53", Protocol: "TCP"}, + {Port: "53", Protocol: "UDP"}, + {Port: "5353", Protocol: "TCP"}, + {Port: "5353", Protocol: "UDP"}, }, + Selectors: nil, }, }, ExpectSelector: map[string]string{"app": "package-server-manager"}, @@ -136,14 +146,17 @@ var _ = g.Describe("[sig-operator][Jira:OLM] OLMv0 networkpolicy", func() { }, ExpectEgress: []olmv0util.EgressRule{ { - Ports: []olmv0util.Port{{Port: 6443, Protocol: "TCP"}}, + Ports: []olmv0util.Port{{}}, Selectors: nil, }, { - Ports: []olmv0util.Port{{Port: "dns-tcp", Protocol: "TCP"}, {Port: "dns", Protocol: "UDP"}}, - Selectors: []olmv0util.Selector{ - {NamespaceLabels: map[string]string{"kubernetes.io/metadata.name": "openshift-dns"}}, + Ports: []olmv0util.Port{ + {Port: "53", Protocol: "TCP"}, + {Port: "53", Protocol: "UDP"}, + {Port: "5353", Protocol: "TCP"}, + {Port: "5353", Protocol: "UDP"}, }, + Selectors: nil, }, { Ports: []olmv0util.Port{{Port: 50051, Protocol: "TCP"}}, 
@@ -174,14 +187,17 @@ var _ = g.Describe("[sig-operator][Jira:OLM] OLMv0 networkpolicy", func() { }, }, { - Ports: []olmv0util.Port{{Port: 6443, Protocol: "TCP"}}, + Ports: []olmv0util.Port{{}}, Selectors: nil, }, { - Ports: []olmv0util.Port{{Port: "dns-tcp", Protocol: "TCP"}, {Port: "dns", Protocol: "UDP"}}, - Selectors: []olmv0util.Selector{ - {NamespaceLabels: map[string]string{"kubernetes.io/metadata.name": "openshift-dns"}}, + Ports: []olmv0util.Port{ + {Port: "53", Protocol: "TCP"}, + {Port: "53", Protocol: "UDP"}, + {Port: "5353", Protocol: "TCP"}, + {Port: "5353", Protocol: "UDP"}, }, + Selectors: nil, }, }, ExpectSelector: map[string]string{"app": "olm-collect-profiles"}, @@ -219,7 +235,16 @@ var _ = g.Describe("[sig-operator][Jira:OLM] OLMv0 networkpolicy", func() { ExpectIngress: nil, ExpectEgress: []olmv0util.EgressRule{ { - Ports: []olmv0util.Port{{Port: 6443, Protocol: "TCP"}}, + Ports: []olmv0util.Port{{}}, + Selectors: nil, + }, + { + Ports: []olmv0util.Port{ + {Port: 53, Protocol: "TCP"}, + {Port: 53, Protocol: "UDP"}, + {Port: 5353, Protocol: "TCP"}, + {Port: 5353, Protocol: "UDP"}, + }, Selectors: nil, }, }, @@ -291,12 +316,15 @@ var _ = g.Describe("[sig-operator][Jira:OLM] OLMv0 networkpolicy", func() { {Ports: []olmv0util.Port{{Port: "metrics", Protocol: "TCP"}}, Selectors: nil}, }, ExpectEgress: []olmv0util.EgressRule{ - {Ports: []olmv0util.Port{{Port: 6443, Protocol: "TCP"}}, Selectors: nil}, + {Ports: []olmv0util.Port{{}}, Selectors: nil}, { - Ports: []olmv0util.Port{{Port: "dns-tcp", Protocol: "TCP"}, {Port: "dns", Protocol: "UDP"}}, - Selectors: []olmv0util.Selector{ - {NamespaceLabels: map[string]string{"kubernetes.io/metadata.name": "openshift-dns"}}, + Ports: []olmv0util.Port{ + {Port: "53", Protocol: "TCP"}, + {Port: "53", Protocol: "UDP"}, + {Port: "5353", Protocol: "TCP"}, + {Port: "5353", Protocol: "UDP"}, }, + Selectors: nil, }, {Ports: []olmv0util.Port{{Port: 50051, Protocol: "TCP"}}, Selectors: nil}, }, 
@@ -318,12 +346,15 @@ var _ = g.Describe("[sig-operator][Jira:OLM] OLMv0 networkpolicy", func() { {Ports: []olmv0util.Port{{Port: "metrics", Protocol: "TCP"}}, Selectors: nil}, }, ExpectEgress: []olmv0util.EgressRule{ - {Ports: []olmv0util.Port{{Port: 6443, Protocol: "TCP"}}, Selectors: nil}, + {Ports: []olmv0util.Port{{}}, Selectors: nil}, { - Ports: []olmv0util.Port{{Port: "dns-tcp", Protocol: "TCP"}, {Port: "dns", Protocol: "UDP"}}, - Selectors: []olmv0util.Selector{ - {NamespaceLabels: map[string]string{"kubernetes.io/metadata.name": "openshift-dns"}}, + Ports: []olmv0util.Port{ + {Port: "53", Protocol: "TCP"}, + {Port: "53", Protocol: "UDP"}, + {Port: "5353", Protocol: "TCP"}, + {Port: "5353", Protocol: "UDP"}, }, + Selectors: nil, }, }, ExpectSelector: map[string]string{"app": "olm-operator"}, @@ -336,12 +367,15 @@ var _ = g.Describe("[sig-operator][Jira:OLM] OLMv0 networkpolicy", func() { {Ports: []olmv0util.Port{{Port: 8443, Protocol: "TCP"}}, Selectors: nil}, }, ExpectEgress: []olmv0util.EgressRule{ - {Ports: []olmv0util.Port{{Port: 6443, Protocol: "TCP"}}, Selectors: nil}, + {Ports: []olmv0util.Port{{}}, Selectors: nil}, { - Ports: []olmv0util.Port{{Port: "dns-tcp", Protocol: "TCP"}, {Port: "dns", Protocol: "UDP"}}, - Selectors: []olmv0util.Selector{ - {NamespaceLabels: map[string]string{"kubernetes.io/metadata.name": "openshift-dns"}}, + Ports: []olmv0util.Port{ + {Port: "53", Protocol: "TCP"}, + {Port: "53", Protocol: "UDP"}, + {Port: "5353", Protocol: "TCP"}, + {Port: "5353", Protocol: "UDP"}, }, + Selectors: nil, }, }, ExpectSelector: map[string]string{"app": "package-server-manager"}, 
@@ -354,12 +388,15 @@ var _ = g.Describe("[sig-operator][Jira:OLM] OLMv0 networkpolicy", func() { {Ports: []olmv0util.Port{{Port: 5443, Protocol: "TCP"}}, Selectors: nil}, }, ExpectEgress: []olmv0util.EgressRule{ - {Ports: []olmv0util.Port{{Port: 6443, Protocol: "TCP"}}, Selectors: nil}, + {Ports: []olmv0util.Port{{}}, Selectors: nil}, { - Ports: []olmv0util.Port{{Port: "dns-tcp", Protocol: "TCP"}, {Port: "dns", Protocol: "UDP"}}, - Selectors: []olmv0util.Selector{ - {NamespaceLabels: map[string]string{"kubernetes.io/metadata.name": "openshift-dns"}}, + Ports: []olmv0util.Port{ + {Port: "53", Protocol: "TCP"}, + {Port: "53", Protocol: "UDP"}, + {Port: "5353", Protocol: "TCP"}, + {Port: "5353", Protocol: "UDP"}, }, + Selectors: nil, }, {Ports: []olmv0util.Port{{Port: 50051, Protocol: "TCP"}}, Selectors: nil}, }, @@ -386,12 +423,15 @@ var _ = g.Describe("[sig-operator][Jira:OLM] OLMv0 networkpolicy", func() { {PodLabels: map[string]string{"app": "catalog-operator"}}, }, }, - {Ports: []olmv0util.Port{{Port: 6443, Protocol: "TCP"}}, Selectors: nil}, + {Ports: []olmv0util.Port{{}}, Selectors: nil}, { - Ports: []olmv0util.Port{{Port: "dns-tcp", Protocol: "TCP"}, {Port: "dns", Protocol: "UDP"}}, - Selectors: []olmv0util.Selector{ - {NamespaceLabels: map[string]string{"kubernetes.io/metadata.name": "openshift-dns"}}, + Ports: []olmv0util.Port{ + {Port: "53", Protocol: "TCP"}, + {Port: "53", Protocol: "UDP"}, + {Port: "5353", Protocol: "TCP"}, + {Port: "5353", Protocol: "UDP"}, }, + Selectors: nil, }, }, ExpectSelector: map[string]string{"app": "olm-collect-profiles"}, diff --git a/values.yaml b/values.yaml index 23cd802875..d982a9fd31 100644 --- a/values.yaml +++ b/values.yaml @@ -121,10 +121,10 @@ networkPolicy: dns: ports: - protocol: TCP - port: dns-tcp + port: 53 - protocol: UDP - port: dns - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns + port: 53 + - protocol: TCP + port: 5353 + - protocol: UDP + port: 5353 
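Review bot: The `dns` rule in `values.yaml` loses its `to:` namespaceSelector for `openshift-dns`, so TCP/UDP 53 and 5353 are now permitted toward any peer rather than only the cluster DNS pods. Switching from the named ports `dns`/`dns-tcp` to numeric `53`/`5353` is a reasonable move if the named ports are not resolvable across topologies, but that does not require removing the destination selector. If the selector was dropped because MicroShift has no `openshift-dns` namespace (not visible here), that exception could be expressed per target rather than by unscoping DNS egress everywhere; otherwise restore `to: [namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: openshift-dns}}]` alongside the new ports.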
diff --git a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go index 8302cd5df6..eca6a2459d 100644 --- a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go +++ b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go @@ -46,14 +46,29 @@ func DesiredGRPCServerNetworkPolicy(catalogSource *v1alpha1.CatalogSource, match }, } - // Allow egress to kube-apiserver from configmap backed catalog sources + // Allow egress to kube-apiserver and DNS from configmap backed catalog sources if catalogSource.Spec.SourceType == v1alpha1.SourceTypeConfigmap || catalogSource.Spec.SourceType == v1alpha1.SourceTypeInternal { np.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{ + // Wildcard allow all IPs/Ports for kube-apiserver + {}, + // Wildcard allow all IPs with DNS ports { Ports: []networkingv1.NetworkPolicyPort{ { Protocol: ptr.To(corev1.ProtocolTCP), - Port: ptr.To(intstr.FromInt32(6443)), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolTCP), + Port: ptr.To(intstr.FromInt32(5353)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(5353)), }, }, }, 
@@ -90,11 +105,26 @@ func DesiredUnpackBundlesNetworkPolicy(catalogSource client.Object) *networkingv }, PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress}, Egress: []networkingv1.NetworkPolicyEgressRule{ + // Wildcard allow all IPs/Ports for kube-apiserver + {}, + // Wildcard allow all IPs with DNS ports { Ports: []networkingv1.NetworkPolicyPort{ { Protocol: ptr.To(corev1.ProtocolTCP), - Port: ptr.To(intstr.FromInt32(6443)), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolTCP), + Port: ptr.To(intstr.FromInt32(5353)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(5353)), }, }, },