From 479c4a335c70c7597a23884ab7bf9b5cb2ac3bec Mon Sep 17 00:00:00 2001 From: Rashmi Gottipati Date: Sun, 8 Mar 2026 20:52:45 -0400 Subject: [PATCH 1/2] OCPBUGS-77958: Update NetworkPolicy egress to support HyperShift custom API ports Signed-off-by: Rashmi Gottipati --- manifests/0000_50_olm_01-networkpolicies.yaml | 42 ++++++++----------- ..._50_olm_06-psm-operator.networkpolicy.yaml | 14 +++---- ...olm_07-collect-profiles.networkpolicy.yaml | 14 +++---- manifests/0000_90_olm_00-service-monitor.yaml | 10 +++++ .../0000_50_olm_01-networkpolicies.yaml | 28 ++++++------- ..._50_olm_06-psm-operator.networkpolicy.yaml | 14 +++---- .../0000_90_olm_00-service-monitor.yaml | 10 +++++ scripts/generate_crds_manifests.sh | 28 ++++++------- .../deploy/chart/values.yaml | 7 ++-- .../controller/registry/reconciler/helpers.go | 36 ++++++++++++++-- values.yaml | 12 +++--- .../controller/registry/reconciler/helpers.go | 36 ++++++++++++++-- 12 files changed, 156 insertions(+), 95 deletions(-) diff --git a/manifests/0000_50_olm_01-networkpolicies.yaml b/manifests/0000_50_olm_01-networkpolicies.yaml index e4048bf97f..4defacb3bd 100644 --- a/manifests/0000_50_olm_01-networkpolicies.yaml +++ b/manifests/0000_50_olm_01-networkpolicies.yaml @@ -33,18 +33,16 @@ spec: - port: metrics protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Ingress - Egress @@ -68,18 +66,16 @@ spec: - port: metrics protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns - ports: - protocol: TCP port: 50051 
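Review bot: The new `- {}` entry under `egress:` in the first hunk is an empty NetworkPolicyEgressRule, which Kubernetes evaluates as allow-all egress (any peer, any port, any protocol), so the egress section of this policy no longer restricts anything for the selected pods, and the DNS rule that follows it is dead since the wildcard already covers 53/5353 on every destination. That is much broader than the stated goal of supporting a custom HyperShift API port: keeping the API-server rule port-scoped (presumably by rendering the port from the `kubeAPIServer` value that the chart already carries, rather than emitting `{}`) would preserve egress isolation, and if the port genuinely cannot be known at manifest-generation time the trade-off belongs in a comment next to the rule, e.g. `# empty rule = allow ALL egress; needed because the HyperShift API port is not fixed`. The same wildcard appears in the second hunk of this file, in the psm-operator, collect-profiles, microshift-manifests, generate_crds_manifests.sh and chart values.yaml hunks, and in the top-level values.yaml hunk; the DNS rule also drops the former `to:` restriction to the openshift-dns namespace, which only matters once the wildcard is removed.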
@@ -106,18 +102,16 @@ spec: - protocol: TCP port: 5443 egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns - ports: - protocol: TCP port: 50051 diff --git a/manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml b/manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml index 38c8696796..c18bf69c27 100644 --- a/manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml +++ b/manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml @@ -17,18 +17,16 @@ spec: - port: 8443 protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Ingress - Egress diff --git a/manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml b/manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml index f0bb3486ca..37b4aba044 100644 --- a/manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml +++ b/manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml @@ -27,18 +27,16 @@ spec: - podSelector: matchLabels: app: catalog-operator + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Egress - Ingress diff --git a/manifests/0000_90_olm_00-service-monitor.yaml b/manifests/0000_90_olm_00-service-monitor.yaml index bcb43ae183..2fb5d13a2e 100644 --- a/manifests/0000_90_olm_00-service-monitor.yaml +++ b/manifests/0000_90_olm_00-service-monitor.yaml 
@@ -19,6 +19,14 @@ rules: - get - list - watch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -72,6 +80,7 @@ spec: selector: matchLabels: app: olm-operator + serviceDiscoveryRole: EndpointSlice --- apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor @@ -106,3 +115,4 @@ spec: selector: matchLabels: app: catalog-operator + serviceDiscoveryRole: EndpointSlice diff --git a/microshift-manifests/0000_50_olm_01-networkpolicies.yaml b/microshift-manifests/0000_50_olm_01-networkpolicies.yaml index fe556ac92d..c991681f8d 100644 --- a/microshift-manifests/0000_50_olm_01-networkpolicies.yaml +++ b/microshift-manifests/0000_50_olm_01-networkpolicies.yaml @@ -34,18 +34,16 @@ spec: - port: metrics protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Ingress - Egress @@ -69,18 +67,16 @@ spec: - port: metrics protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns - ports: - protocol: TCP port: 50051 diff --git a/microshift-manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml b/microshift-manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml index 38c8696796..c18bf69c27 100644 --- a/microshift-manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml +++ b/microshift-manifests/0000_50_olm_06-psm-operator.networkpolicy.yaml 
@@ -17,18 +17,16 @@ spec: - port: 8443 protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Ingress - Egress diff --git a/microshift-manifests/0000_90_olm_00-service-monitor.yaml b/microshift-manifests/0000_90_olm_00-service-monitor.yaml index bcb43ae183..2fb5d13a2e 100644 --- a/microshift-manifests/0000_90_olm_00-service-monitor.yaml +++ b/microshift-manifests/0000_90_olm_00-service-monitor.yaml @@ -19,6 +19,14 @@ rules: - get - list - watch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -72,6 +80,7 @@ spec: selector: matchLabels: app: olm-operator + serviceDiscoveryRole: EndpointSlice --- apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor @@ -106,3 +115,4 @@ spec: selector: matchLabels: app: catalog-operator + serviceDiscoveryRole: EndpointSlice diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh index 00191853b5..493d353846 100755 --- a/scripts/generate_crds_manifests.sh +++ b/scripts/generate_crds_manifests.sh @@ -143,18 +143,16 @@ spec: - port: 8443 protocol: TCP egress: + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Ingress - Egress 
@@ -444,18 +442,16 @@ spec: - podSelector: matchLabels: app: catalog-operator + - {} - ports: - - port: 6443 + - port: 53 protocol: TCP - - ports: - - port: dns-tcp + - port: 53 + protocol: UDP + - port: 5353 protocol: TCP - - port: dns + - port: 5353 protocol: UDP - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns policyTypes: - Egress - Ingress diff --git a/staging/operator-lifecycle-manager/deploy/chart/values.yaml b/staging/operator-lifecycle-manager/deploy/chart/values.yaml index 4e4ee726b8..2ca874a85f 100644 --- a/staging/operator-lifecycle-manager/deploy/chart/values.yaml +++ b/staging/operator-lifecycle-manager/deploy/chart/values.yaml @@ -85,10 +85,11 @@ networkPolicy: port: 53 - protocol: UDP port: 53 - kubeAPIServer: - ports: - protocol: TCP - port: 6443 + port: 5353 + - protocol: UDP + port: 5353 + kubeAPIServer: {} metrics: ports: - protocol: TCP diff --git a/staging/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go b/staging/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go index 8302cd5df6..eca6a2459d 100644 --- a/staging/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go +++ b/staging/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go 
@@ -46,14 +46,29 @@ func DesiredGRPCServerNetworkPolicy(catalogSource *v1alpha1.CatalogSource, match }, } - // Allow egress to kube-apiserver from configmap backed catalog sources + // Allow egress to kube-apiserver and DNS from configmap backed catalog sources if catalogSource.Spec.SourceType == v1alpha1.SourceTypeConfigmap || catalogSource.Spec.SourceType == v1alpha1.SourceTypeInternal { np.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{ + // Wildcard allow all IPs/Ports for kube-apiserver + {}, + // Wildcard allow all IPs with DNS ports { Ports: []networkingv1.NetworkPolicyPort{ { Protocol: ptr.To(corev1.ProtocolTCP), - Port: ptr.To(intstr.FromInt32(6443)), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolTCP), + Port: ptr.To(intstr.FromInt32(5353)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(5353)), }, }, }, @@ -90,11 +105,26 @@ func DesiredUnpackBundlesNetworkPolicy(catalogSource client.Object) *networkingv }, PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress}, Egress: []networkingv1.NetworkPolicyEgressRule{ + // Wildcard allow all IPs/Ports for kube-apiserver + {}, + // Wildcard allow all IPs with DNS ports { Ports: []networkingv1.NetworkPolicyPort{ { Protocol: ptr.To(corev1.ProtocolTCP), - Port: ptr.To(intstr.FromInt32(6443)), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolTCP), + Port: ptr.To(intstr.FromInt32(5353)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(5353)), }, }, }, diff --git a/values.yaml b/values.yaml index e61c785db8..cb5ed00be7 100644 --- a/values.yaml +++ b/values.yaml 
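Review bot: The comment `// Wildcard allow all IPs/Ports for kube-apiserver` above the new `{}` element in DesiredGRPCServerNetworkPolicy misdescribes it: an empty NetworkPolicyEgressRule matches every destination and every port, not only the API server, so it also makes the DNS-port rule appended after it unreachable in practice. Either drop `{}` and keep a port-scoped rule for the API server (the port could presumably be supplied by the caller instead of hard-coded, since the fixed 6443 is what did not fit HyperShift), or drop the now-redundant DNS rule and reword the comment to `// Empty rule: allows ALL egress (HyperShift API port is not fixed); this already covers DNS`. The same change appears in DesiredUnpackBundlesNetworkPolicy in the second hunk and in the vendored copy of helpers.go further down. Both enclosing functions start and end outside their hunks.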
@@ -107,10 +107,10 @@ networkPolicy: dns: ports: - protocol: TCP - port: dns-tcp + port: 53 - protocol: UDP - port: dns - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-dns + port: 53 + - protocol: TCP + port: 5353 + - protocol: UDP + port: 5353 diff --git a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go index 8302cd5df6..eca6a2459d 100644 --- a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go +++ b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go @@ -46,14 +46,29 @@ func DesiredGRPCServerNetworkPolicy(catalogSource *v1alpha1.CatalogSource, match }, } - // Allow egress to kube-apiserver from configmap backed catalog sources + // Allow egress to kube-apiserver and DNS from configmap backed catalog sources if catalogSource.Spec.SourceType == v1alpha1.SourceTypeConfigmap || catalogSource.Spec.SourceType == v1alpha1.SourceTypeInternal { np.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{ + // Wildcard allow all IPs/Ports for kube-apiserver + {}, + // Wildcard allow all IPs with DNS ports { Ports: []networkingv1.NetworkPolicyPort{ { Protocol: ptr.To(corev1.ProtocolTCP), - Port: ptr.To(intstr.FromInt32(6443)), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolTCP), + Port: ptr.To(intstr.FromInt32(5353)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(5353)), }, }, }, 
@@ -90,11 +105,26 @@ func DesiredUnpackBundlesNetworkPolicy(catalogSource client.Object) *networkingv }, PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress}, Egress: []networkingv1.NetworkPolicyEgressRule{ + // Wildcard allow all IPs/Ports for kube-apiserver + {}, + // Wildcard allow all IPs with DNS ports { Ports: []networkingv1.NetworkPolicyPort{ { Protocol: ptr.To(corev1.ProtocolTCP), - Port: ptr.To(intstr.FromInt32(6443)), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(53)), + }, + { + Protocol: ptr.To(corev1.ProtocolTCP), + Port: ptr.To(intstr.FromInt32(5353)), + }, + { + Protocol: ptr.To(corev1.ProtocolUDP), + Port: ptr.To(intstr.FromInt32(5353)), }, }, }, From 5317aa598c6057a967f2ea7f362dba45e7036717 Mon Sep 17 00:00:00 2001 From: Rashmi Gottipati Date: Mon, 9 Mar 2026 11:57:15 -0400 Subject: [PATCH 2/2] remove EndpointSlice content as it doesn't seem to be supported on 4.20 branch Signed-off-by: Rashmi Gottipati --- manifests/0000_90_olm_00-service-monitor.yaml | 10 ---------- .../0000_90_olm_00-service-monitor.yaml | 10 ---------- 2 files changed, 20 deletions(-) diff --git a/manifests/0000_90_olm_00-service-monitor.yaml b/manifests/0000_90_olm_00-service-monitor.yaml index 2fb5d13a2e..bcb43ae183 100644 --- a/manifests/0000_90_olm_00-service-monitor.yaml +++ b/manifests/0000_90_olm_00-service-monitor.yaml @@ -19,14 +19,6 @@ rules: - get - list - watch - - apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -80,7 +72,6 @@ spec: selector: matchLabels: app: olm-operator - serviceDiscoveryRole: EndpointSlice --- apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor @@ -115,4 +106,3 @@ spec: selector: matchLabels: app: catalog-operator - serviceDiscoveryRole: EndpointSlice 
diff --git a/microshift-manifests/0000_90_olm_00-service-monitor.yaml b/microshift-manifests/0000_90_olm_00-service-monitor.yaml index 2fb5d13a2e..bcb43ae183 100644 --- a/microshift-manifests/0000_90_olm_00-service-monitor.yaml +++ b/microshift-manifests/0000_90_olm_00-service-monitor.yaml @@ -19,14 +19,6 @@ rules: - get - list - watch - - apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -80,7 +72,6 @@ spec: selector: matchLabels: app: olm-operator - serviceDiscoveryRole: EndpointSlice --- apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor @@ -115,4 +106,3 @@ spec: selector: matchLabels: app: catalog-operator - serviceDiscoveryRole: EndpointSlice