diff --git a/manifests/0000_50_olm_01-networkpolicies.yaml b/manifests/0000_50_olm_01-networkpolicies.yaml index e4048bf97f..4defacb3bd 100644 --- a/manifests/0000_50_olm_01-networkpolicies.yaml +++ b/manifests/0000_50_olm_01-networkpolicies.yaml @@ -33,18 +33,16 @@ spec: - port: metrics protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Ingress - Egress @@ -68,18 +66,16 @@ spec: - port: metrics protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns - ports: - protocol: TCP port: 50051 @@ -106,18 +102,16 @@ spec: - protocol: TCP port: 5443 egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns - ports: - protocol: TCP port: 50051 diff --git a/manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml b/manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml index 38c8696796..c18bf69c27 100644 --- a/manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml +++ b/manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml 
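Review bot: The added `- {}` entry in each egress list is an egress rule with neither `to` nor `ports`, which the NetworkPolicy API treats as matching every destination on every port, so after this change these policies no longer restrict egress at all and the DNS port entries that follow it are dead rules while it is present. The same entry is added in all three hunks of this file and in manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml, manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml, both microshift-manifests files, scripts/generate_crds_manifests.sh and, as `kubeAPIServer: {}`, in staging/operator-lifecycle-manager/deploy/chart/values.yaml. If the motivation is that the kube-apiserver endpoint has no selectable namespace, a rule that drops the selector but keeps the port, `- ports:` / `  - port: 6443` / `    protocol: TCP` (plus 443 if the in-cluster `kubernetes` service port is used; verify against the cluster), preserves the intent the removed rule expressed, namely API server and DNS only. If unrestricted egress is deliberate, each `- {}` should carry a YAML comment saying so and why, since nothing in the manifest signals that the policy has stopped confining the pod. Separately, dropping the `to: namespaceSelector ... openshift-dns` clause on the DNS rule (also in values.yaml) lets the pod reach 53/5353 on any address, which only becomes relevant once the wildcard rule is gone.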
@@ -17,18 +17,16 @@ spec: - port: 8443 protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Ingress - Egress diff --git a/manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml b/manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml index f0bb3486ca..37b4aba044 100644 --- a/manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml +++ b/manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml @@ -27,18 +27,16 @@ spec: - podSelector: matchLabels: app: catalog-operator + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Egress - Ingress diff --git a/microshift-manifests/0000_50_olm_01-networkpolicies.yaml b/microshift-manifests/0000_50_olm_01-networkpolicies.yaml index fe556ac92d..c991681f8d 100644 --- a/microshift-manifests/0000_50_olm_01-networkpolicies.yaml +++ b/microshift-manifests/0000_50_olm_01-networkpolicies.yaml @@ -34,18 +34,16 @@ spec: - port: metrics protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Ingress - Egress 
@@ -69,18 +67,16 @@ spec: - port: metrics protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns - ports: - protocol: TCP port: 50051 diff --git a/microshift-manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml b/microshift-manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml index 38c8696796..c18bf69c27 100644 --- a/microshift-manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml +++ b/microshift-manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml @@ -17,18 +17,16 @@ spec: - port: 8443 protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Ingress - Egress diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh index 00191853b5..493d353846 100755 --- a/scripts/generate_crds_manifests.sh +++ b/scripts/generate_crds_manifests.sh @@ -143,18 +143,16 @@ spec: - port: 8443 protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Ingress - Egress 
@@ -444,18 +442,16 @@ spec: - podSelector: matchLabels: app: catalog-operator + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Egress - Ingress diff --git a/staging/operator-lifecycle-manager/deploy/chart/values.yaml b/staging/operator-lifecycle-manager/deploy/chart/values.yaml index 4e4ee726b8..2ca874a85f 100644 --- a/staging/operator-lifecycle-manager/deploy/chart/values.yaml +++ b/staging/operator-lifecycle-manager/deploy/chart/values.yaml @@ -85,10 +85,11 @@ networkPolicy: port: 53 - protocol: UDP port: 53 - kubeAPIServer: - ports: - protocol: TCP - port: 6443 + port: 5353 + - protocol: UDP + port: 5353 + kubeAPIServer: {} metrics: ports: - protocol: TCP diff --git a/staging/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go b/staging/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go index 8302cd5df6..eca6a2459d 100644 --- a/staging/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go +++ b/staging/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go 
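Review bot: In the chart values hunk, `kubeAPIServer: {}` replaces a map that had a `ports` list with an empty map; whether that renders as the empty allow-all egress rule the manifests now carry, or renders nothing, depends on the template, which is outside this diff. If the template guards the value with `with` or `if`, an empty map is falsy in Helm and the entry would be silently omitted, so the rendered policy should be checked rather than assumed. A one-line comment on the value, `# empty map renders an unrestricted egress rule (no to, no ports); see template`, or the equivalent statement of the intended rendering, would make the expected output explicit for the next person editing it.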
@@ -46,14 +46,29 @@ func DesiredGRPCServerNetworkPolicy(catalogSource *v1alpha1.CatalogSource, match }, } - // Allow egress to kube-apiserver from configmap backed catalog sources + // Allow egress to kube-apiserver and DNS from configmap backed catalog sources if catalogSource.Spec.SourceType == v1alpha1.SourceTypeConfigmap || catalogSource.Spec.SourceType == v1alpha1.SourceTypeInternal { np.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{ + // Wildcard allow all IPs/Ports for kube-apiserver + {}, + // Wildcard allow all IPs with DNS ports { Ports: []networkingv1.NetworkPolicyPort{ { Protocol: ptr.To(corev1.ProtocolTCP), - Port: ptr.To(intstr.FromInt32(6443)), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolTCP), + Port: ptr.To(intstr.FromInt32(5353)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(5353)), }, }, }, @@ -90,11 +105,26 @@ func DesiredUnpackBundlesNetworkPolicy(catalogSource client.Object) *networkingv }, PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress}, Egress: []networkingv1.NetworkPolicyEgressRule{ + // Wildcard allow all IPs/Ports for kube-apiserver + {}, + // Wildcard allow all IPs with DNS ports { Ports: []networkingv1.NetworkPolicyPort{ { Protocol: ptr.To(corev1.ProtocolTCP), - Port: ptr.To(intstr.FromInt32(6443)), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolTCP), + Port: ptr.To(intstr.FromInt32(5353)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(5353)), }, }, }, diff --git a/values.yaml b/values.yaml index e61c785db8..cb5ed00be7 100644 --- a/values.yaml +++ b/values.yaml 
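Review bot: The comment `// Wildcard allow all IPs/Ports for kube-apiserver` above the empty `networkingv1.NetworkPolicyEgressRule{}` understates what the rule does: an egress rule with nil `To` and nil `Ports` matches every destination and every port, so it grants unrestricted egress rather than apiserver access, and the DNS-port rule appended after it in the same slice has no effect while it is present. The same pair of entries is added in both hunks, DesiredGRPCServerNetworkPolicy and DesiredUnpackBundlesNetworkPolicy, and both enclosing functions begin and end outside the hunks. If only the namespace selector was the problem, a port-only rule keeps the restriction: `{Ports: []networkingv1.NetworkPolicyPort{{Protocol: ptr.To(corev1.ProtocolTCP), Port: ptr.To(intstr.FromInt32(6443))}}},`. If allow-all is the intent, reword the comment to `// Empty rule: no To and no Ports matches all destinations and ports (unrestricted egress); the DNS rule below is redundant while this entry exists.` so a reader does not conclude the policy still confines these pods.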
@@ -107,10 +107,10 @@ networkPolicy: dns: ports: - protocol: TCP - port: dns-tcp + port: 53 - protocol: UDP - port: dns - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns + port: 53 + - protocol: TCP + port: 5353 + - protocol: UDP + port: 5353 diff --git a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go index 8302cd5df6..eca6a2459d 100644 --- a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go +++ b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go @@ -46,14 +46,29 @@ func DesiredGRPCServerNetworkPolicy(catalogSource *v1alpha1.CatalogSource, match }, } - // Allow egress to kube-apiserver from configmap backed catalog sources + // Allow egress to kube-apiserver and DNS from configmap backed catalog sources if catalogSource.Spec.SourceType == v1alpha1.SourceTypeConfigmap || catalogSource.Spec.SourceType == v1alpha1.SourceTypeInternal { np.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{ + // Wildcard allow all IPs/Ports for kube-apiserver + {}, + // Wildcard allow all IPs with DNS ports { Ports: []networkingv1.NetworkPolicyPort{ { Protocol: ptr.To(corev1.ProtocolTCP), - Port: ptr.To(intstr.FromInt32(6443)), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolTCP), + Port: ptr.To(intstr.FromInt32(5353)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(5353)), }, }, }, 
@@ -90,11 +105,26 @@ func DesiredUnpackBundlesNetworkPolicy(catalogSource client.Object) *networkingv }, PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress}, Egress: []networkingv1.NetworkPolicyEgressRule{ + // Wildcard allow all IPs/Ports for kube-apiserver + {}, + // Wildcard allow all IPs with DNS ports { Ports: []networkingv1.NetworkPolicyPort{ { Protocol: ptr.To(corev1.ProtocolTCP), - Port: ptr.To(intstr.FromInt32(6443)), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolTCP), + Port: ptr.To(intstr.FromInt32(5353)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(5353)), }, }, },