13 changes: 13 additions & 0 deletions bindata/kube-proxy/000-ns.yaml
Expand Up @@ -13,3 +13,16 @@ metadata:
openshift.io/node-selector: "" #override default node selector
openshift.io/description: "kubernetes service proxy"
workload.openshift.io/allowed: "management"
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: default-deny
namespace: openshift-kube-proxy
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress: []
egress: []
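Review bot: The default-deny added here will not constrain kube-proxy itself if, as I expect but cannot see in this hunk, its DaemonSet runs with `hostNetwork: true`, since NetworkPolicy is generally not enforced for host-network pods by the CNI. It still acts as a namespace-wide baseline for any pod-network pod that lands in openshift-kube-proxy, and that is worth stating so nobody reads this as isolating kube-proxy: `# Namespace baseline; kube-proxy runs host-network, where NetworkPolicy is not enforced`. The explicit `ingress: []` and `egress: []` are redundant with `policyTypes` but make the deny-all intent unambiguous, so keep them.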
14 changes: 14 additions & 0 deletions bindata/network-diagnostics/000-ns.yaml
Expand Up @@ -7,3 +7,17 @@ metadata:
annotations:
openshift.io/node-selector: "" #override default node selector
workload.openshift.io/allowed: "management"
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: default-deny
namespace: openshift-network-diagnostics
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress: []
egress: []

41 changes: 41 additions & 0 deletions bindata/network-diagnostics/networkpolicy.yaml
@@ -0,0 +1,41 @@
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: network-check-source
namespace: openshift-network-diagnostics
spec:
podSelector:
matchLabels:
app: network-check-source
policyTypes:
- Ingress
- Egress
ingress:
# Allow ingress to metrics
- ports:
- port: 17698
egress:
# Allow egress to network-check-target pods.
- to:
- podSelector:
matchLabels:
app: network-check-target
# Allow egress to apiserver
- {}
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: network-check-target
namespace: openshift-network-diagnostics
spec:
podSelector:
matchLabels:
app: network-check-target
policyTypes:
# network-check-target does no egress
- Ingress
ingress:
# Allow to the check-target port. For debuggability we don't restrict the source.
- ports:
- port: 8080
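Review bot: In network-check-source the final egress rule `- {}` (L91) is allow-all, so the preceding rule that limits egress to `app: network-check-target` pods (L86-89) has no effect today; say why it is kept, e.g. `# Allow egress to network-check-target pods (kept so the check keeps working once the allow-all below is tightened)`, and phrase the allow-all the way the multus-admission-controller policy in this PR does: `# Allow to apiserver; currently requires allow all`. The metrics ingress rule at L82-83 has no `from`, so any peer, not only the monitoring stack, can reach port 17698; if Prometheus in openshift-monitoring is the only intended scraper, add a `from` with a `namespaceSelector` on `kubernetes.io/metadata.name: openshift-monitoring`, the same pattern the networking-console-plugin policy in this PR uses for openshift-console. The unrestricted source on port 8080 for network-check-target is explicitly documented as intentional (L108), which is the right way to record an open rule.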
13 changes: 13 additions & 0 deletions bindata/network/frr-k8s/000-ns.yaml
Expand Up @@ -11,3 +11,16 @@ metadata:
openshift.io/node-selector: ""
openshift.io/description: "FRR-K8s components"
workload.openshift.io/allowed: "management"
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: default-deny
namespace: openshift-frr-k8s
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress: []
egress: []
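Review bot: This section adds only a default-deny to openshift-frr-k8s; no allow policy for the FRR-K8s pods appears anywhere in this PR, yet those components speak BGP (and possibly BFD) with routers outside the cluster. If the pods are host-network, which I would expect for something that programs node routing but cannot confirm from this hunk, the policy is not enforced on them and is a namespace baseline only; if any of them are pod-network, this hunk will cut off both their peering and their apiserver access. Record whichever applies, e.g. `# Namespace baseline; frr-k8s pods run host-network, where NetworkPolicy is not enforced`, so the assumption is visible the next time a non-host-network pod is added here.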
14 changes: 14 additions & 0 deletions bindata/network/iptables-alerter/004-networkpolicy.yaml
@@ -0,0 +1,14 @@
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: iptables-alerter
namespace: openshift-network-operator
spec:
podSelector:
matchLabels:
app: iptables-alerter
policyTypes:
- Egress
egress:
# Allow to apiserver
- {}
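Review bot: The comment `# Allow to apiserver` at L149 describes an intent, not the rule: `- {}` with no `to` is allow-all egress. The multus-admission-controller policy in this PR phrases the identical rule as `# Allow to apiserver; currently requires allow all`; use the same wording here so the two files do not drift, and if the apiserver can be selected through the openshift-host-network namespace (its description in this PR says it exists to allow traffic to or from host-network components) note that as the way to tighten it later. Since `policyTypes` lists only Egress, ingress isolation for this pod comes from the default-deny added to the operator namespace manifest, which is worth a one-line comment because this file is read on its own.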
22 changes: 22 additions & 0 deletions bindata/network/multus-admission-controller/004-networkpolicy.yaml
@@ -0,0 +1,22 @@
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: multus-admission-controller
namespace: openshift-multus
spec:
podSelector:
matchLabels:
app: multus-admission-controller
policyTypes:
- Ingress
- Egress
ingress:
# Allow from apiserver to webhook port
- ports:
- port: 6443
# Allow all to metrics port
- ports:
- port: 8443
egress:
# Allow to apiserver; currently requires allow all
- {}
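Review bot: The ingress rule at L170-171 allows any source to reach the webhook port 6443, but its comment `# Allow from apiserver to webhook port` reads as if it were restricted to the apiserver; as written every pod in the cluster can reach the admission webhook. On standalone clusters the apiserver is a host-network process on the control-plane nodes, and this PR's openshift-host-network namespace is described as the selector for exactly that traffic, so the rule can carry a `from`; if hosted control planes (apiserver outside the cluster) must keep working, leave the rule open and fix the comment instead. The metrics rule at L173-174 is correctly labelled as open to all, and the egress `- {}` comment already says honestly that it is allow-all.
```yaml
ingress:
# Allow from apiserver to webhook port. On standalone clusters the apiserver is
# host-network, which this PR exposes for selection via openshift-host-network.
- from:
  - namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: openshift-host-network
  ports:
  - port: 6443
# … unchanged: metrics port rule, egress …
```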
13 changes: 13 additions & 0 deletions bindata/network/multus/000-ns.yaml
Expand Up @@ -13,3 +13,16 @@ metadata:
openshift.io/node-selector: "" #override default node selector
openshift.io/description: "Multus network plugin components"
workload.openshift.io/allowed: "management"
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: default-deny
namespace: openshift-multus
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress: []
egress: []
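Review bot: With this default-deny every pod in openshift-multus is isolated unless a later policy selects it, and the allow policies in this PR for this namespace cover only `app: multus-admission-controller` and `app: network-metrics-daemon`. The multus DaemonSet is presumably host-network (not visible here), where the policy is not enforced, but any other pod-network workload in the namespace would silently lose apiserver access with no event to point at. A short comment naming the pods this policy is expected to isolate, or a test that every non-host-network workload in the namespace has a matching allow policy, would make the coverage explicit.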
19 changes: 19 additions & 0 deletions bindata/network/network-metrics/003-networkpolicy.yaml
@@ -0,0 +1,19 @@
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: network-metrics
namespace: openshift-multus
spec:
podSelector:
matchLabels:
app: network-metrics-daemon
policyTypes:
- Ingress
- Egress
ingress:
# Allow ingress to metrics
- ports:
- port: 8443
egress:
# Allow egress to apiserver
- {}
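Review bot: The ingress rule at L218-219 opens port 8443 to any peer, not just the monitoring stack, while its comment `# Allow ingress to metrics` suggests a narrower intent. If Prometheus in openshift-monitoring is the only scraper, add `from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: openshift-monitoring`, the pattern this PR already uses for openshift-console in the networking-console-plugin policy; if something else scrapes it, say so in the comment as the multus-admission-controller policy does with `# Allow all to metrics port`. The policy is named `network-metrics` but selects `app: network-metrics-daemon`; harmless, but any test asserting on it needs the policy name.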
Expand Up @@ -14,3 +14,16 @@ metadata:
openshift.io/node-selector: ""
openshift.io/description: "OpenShift network node identity namespace - a controller used to manage node identity components"
workload.openshift.io/allowed: "management"
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: default-deny
namespace: openshift-network-node-identity
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress: []
egress: []
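Review bot: This section (its file header is missing from the page; the namespace is openshift-network-node-identity) adds a default-deny with no accompanying allow policy anywhere in the PR, and the namespace description says it runs a controller that, as far as I know, also serves an admission webhook the apiserver must reach. If those pods are host-network the policy is not enforced on them and is a baseline only; if they are pod-network, this hunk blocks the webhook and the controller's apiserver access. Please record which case applies in a comment, e.g. `# Namespace baseline; network-node-identity pods run host-network, where NetworkPolicy is not enforced`, so the assumption is re-checked when the workload changes.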
13 changes: 13 additions & 0 deletions bindata/network/ovn-kubernetes/common/000-ns.yaml
Expand Up @@ -13,3 +13,16 @@ metadata:
openshift.io/node-selector: ""
openshift.io/description: "OVN Kubernetes components"
workload.openshift.io/allowed: "management"
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: default-deny
namespace: openshift-ovn-kubernetes
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress: []
egress: []
Expand Up @@ -8,4 +8,16 @@ metadata:
annotations:
openshift.io/description: "Namespace for enabling network policy specification for host network traffic. Can be used to allow access to or from host network components"
workload.openshift.io/allowed: "management"

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: default-deny
namespace: openshift-host-network
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress: []
egress: []
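Review bot: The namespace description two lines above this hunk says openshift-host-network exists so that other namespaces' policies can select host-network traffic, which implies it holds no pods; if so, this default-deny with `podSelector: {}` matches nothing and restricts nothing, and is here only so that every namespace passes a "has a default-deny" check. That is a legitimate reason, but say it, otherwise a reader may believe host-network traffic is now denied by default: `# Selects no pods: this namespace is a selector target for host-network traffic, not a home for workloads`. If the CNI gives this namespace special semantics that make the policy effective, that is even more worth documenting here.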
13 changes: 13 additions & 0 deletions bindata/networking-console-plugin/000-namespace.yaml
Expand Up @@ -7,3 +7,16 @@ metadata:
annotations:
openshift.io/description: "Namespace for running the networking-console-plugin pods that enables the Networking console section"
workload.openshift.io/allowed: "management"
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: default-deny
namespace: openshift-network-console
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress: []
egress: []
19 changes: 19 additions & 0 deletions bindata/networking-console-plugin/005-networkpolicy.yaml
@@ -0,0 +1,19 @@
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: networking-console-plugin
namespace: openshift-network-console
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: networking-console-plugin
policyTypes:
- Ingress
ingress:
# Allow from console
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-console
ports:
- port: 9443
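Review bot: `policyTypes` lists only Ingress, so the plugin's egress isolation comes from the namespace default-deny added in the same PR, leaving the pod with no egress at all. If the plugin only serves static assets to the console that is exactly right, but state it the way the network-check-target policy does (`# networking-console-plugin does no egress`) so the omission is not mistaken for an oversight. The ingress rule itself, restricted to both the openshift-console namespace and port 9443, is the tightest in the PR and the shape the open metrics rules elsewhere could follow.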
15 changes: 14 additions & 1 deletion manifests/0000_70_cluster-network-operator_00_namespace.yaml
Expand Up @@ -14,4 +14,17 @@ metadata:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/warn: privileged
openshift.io/cluster-monitoring: "true"
openshift.io/cluster-monitoring: "true"
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: default-deny
@danwinship I do not see the default-deny policy in the namespace on an upgraded cluster.

Upgrade path

 oc get clusterversion -o json|jq ".items[0].status.history"
[
  {
    "acceptedRisks": "Target release version=\"\" image=\"registry.build10.ci.openshift.org/ci-ln-qziy2xb/release:latest\" cannot be verified, but continuing anyway because the update was forced: release images that are not accessed via digest cannot be verified\nForced through blocking failures: Multiple precondition checks failed:\n* Precondition \"ClusterVersionUpgradeable\" failed because of \"ClusterVersionOverridesSet\": Disabling ownership via cluster version overrides prevents upgrades. Please remove overrides before continuing.\n* Precondition \"ClusterVersionRecommendedUpdate\" failed because of \"UnknownUpdate\": RetrievedUpdates=False (VersionNotFound), so the recommended status of updating from 4.21.0-0.nightly-2026-04-02-002715 to 4.22.0-0-2026-04-06-143042-test-ci-ln-qziy2xb-latest is unknown.",
    "completionTime": "2026-04-06T16:18:07Z",
    "image": "registry.build10.ci.openshift.org/ci-ln-qziy2xb/release:latest",
    "startedTime": "2026-04-06T15:08:05Z",
    "state": "Completed",
    "verified": false,
    "version": "4.22.0-0-2026-04-06-143042-test-ci-ln-qziy2xb-latest"
  },
  {
    "completionTime": "2026-04-06T13:57:57Z",
    "image": "registry.ci.openshift.org/ocp/release@sha256:7f463370e2f79ada93b7953338f33fc13bee9ec911f63aa0baddf369ed785024",
    "startedTime": "2026-04-06T13:28:25Z",
    "state": "Completed",
    "verified": false,
    "version": "4.21.0-0.nightly-2026-04-02-002715"
  }
]

Policy

oc -n openshift-network-operator get networkpolicy
NAME               POD-SELECTOR           AGE
iptables-alerter   app=iptables-alerter   5h23m

namespace: openshift-network-operator
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress: []
egress: []
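Review bot: This default-deny selects every pod in openshift-network-operator, and the only allow policy in the PR for this namespace is iptables-alerter's egress rule; the network-operator deployment itself gets nothing. Unless that pod runs host-network (I believe it does, but that is not visible in this hunk), it would lose apiserver access and the operator would stall. A comment on the policy naming which pods it is expected to actually isolate would capture the assumption. The `openshift.io/cluster-monitoring: "true"` line shown twice is the same annotation before and after, so I read the 1 deletion as a trailing-newline fix rather than a change.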
2 changes: 1 addition & 1 deletion pkg/network/kube_proxy_test.go
Expand Up @@ -403,7 +403,7 @@ func TestRenderKubeProxy(t *testing.T) {
objs, err := renderStandaloneKubeProxy(c, &FakeKubeProxyBootstrapResult, manifestDir)
g.Expect(err).NotTo(HaveOccurred())

g.Expect(objs).To(HaveLen(10))
g.Expect(objs).To(HaveLen(11))

// Make sure the arguments to kube-proxy are reasonable
found := false
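Review bot: The test change at L393-394 only bumps the expected object count, so a rendering regression that dropped the new default-deny while adding any other object would still pass. Assert the policy's presence as multus_test.go does in this PR: `g.Expect(objs).To(ContainElement(HaveKubernetesID("NetworkPolicy", "openshift-kube-proxy", "default-deny")))`. TestRenderKubeProxy continues beyond the hunk.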
3 changes: 2 additions & 1 deletion pkg/network/multus_admission_controller_test.go
Expand Up @@ -74,12 +74,13 @@ func TestRenderMultusAdmissionController(t *testing.T) {
g.Expect(objs).To(ContainElement(HaveKubernetesID("Deployment", "openshift-multus", "multus-admission-controller")))

// Check rendered object
g.Expect(len(objs)).To(Equal(10))
g.Expect(len(objs)).To(Equal(11))
@danwinship Is this count including the additional object, i.e. the network policy? In openshift-multus the object count increased by two.

Contributor Author

This unit test is only calling renderMultusAdmissionController, without calling renderMultus first. So the only new object is the admission controller's new NetworkPolicy.

g.Expect(objs).To(ContainElement(HaveKubernetesID("Service", "openshift-multus", "multus-admission-controller")))
g.Expect(objs).To(ContainElement(HaveKubernetesID("ClusterRole", "", "multus-admission-controller-webhook")))
g.Expect(objs).To(ContainElement(HaveKubernetesID("ClusterRoleBinding", "", "multus-admission-controller-webhook")))
g.Expect(objs).To(ContainElement(HaveKubernetesID("ValidatingWebhookConfiguration", "", names.MULTUS_VALIDATING_WEBHOOK)))
g.Expect(objs).To(ContainElement(HaveKubernetesID("Deployment", "openshift-multus", "multus-admission-controller")))
g.Expect(objs).To(ContainElement(HaveKubernetesID("NetworkPolicy", "openshift-multus", "multus-admission-controller")))
}

// TestRenderMultusAdmissionController has some simple rendering tests
3 changes: 2 additions & 1 deletion pkg/network/multus_test.go
Expand Up @@ -46,12 +46,13 @@ func TestRenderMultus(t *testing.T) {
g.Expect(objs).To(ContainElement(HaveKubernetesID("DaemonSet", "openshift-multus", "multus")))

// It's important that the namespace is first
g.Expect(len(objs)).To(Equal(32), "Expected 32 multus related objects")
g.Expect(len(objs)).To(Equal(34), "Expected 34 multus related objects")
@danwinship Could you clarify, in context of the previous response, how does a network policy results in increasing the count by 2?

Contributor Author

in this case, objs is the result of renderMultus, which renders the contents of bindata/network/multus and bindata/network/network-metrics, so it gets the new default-deny policy from the former and the new "allow ingress to metrics" NetworkPolicy from the latter.

g.Expect(objs[0]).To(HaveKubernetesID("CustomResourceDefinition", "", "network-attachment-definitions.k8s.cni.cncf.io"))
g.Expect(objs).To(ContainElement(HaveKubernetesID("Namespace", "", "openshift-multus")))
g.Expect(objs).To(ContainElement(HaveKubernetesID("ServiceAccount", "openshift-multus", "multus-ancillary-tools")))
g.Expect(objs).To(ContainElement(HaveKubernetesID("ClusterRole", "", "multus-ancillary-tools")))
g.Expect(objs).To(ContainElement(HaveKubernetesID("ClusterRoleBinding", "", "multus-ancillary-tools")))
g.Expect(objs).To(ContainElement(HaveKubernetesID("ClusterRole", "", "multus")))
g.Expect(objs).To(ContainElement(HaveKubernetesID("DaemonSet", "openshift-multus", "multus")))
g.Expect(objs).To(ContainElement(HaveKubernetesID("NetworkPolicy", "openshift-multus", "default-deny")))
}
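Review bot: The new assertion at L470 pins only the default-deny, although renderMultus also emits the network-metrics policy from bindata/network/network-metrics in this PR, which is why the count grew by two; add `g.Expect(objs).To(ContainElement(HaveKubernetesID("NetworkPolicy", "openshift-multus", "network-metrics")))` so that policy is checked by name and not just by count. The message literal `"Expected 34 multus related objects"` is duplicated in network_metrics_test.go; if both tests call the same renderer, the count is easy to bump in one place and forget in the other.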
2 changes: 1 addition & 1 deletion pkg/network/network_metrics_test.go
Expand Up @@ -46,7 +46,7 @@ func TestRenderNetworkMetricsDaemon(t *testing.T) {

// Check rendered object

g.Expect(len(objs)).To(Equal(32), "Expected 32 multus related objects")
g.Expect(len(objs)).To(Equal(34), "Expected 34 multus related objects")
g.Expect(objs).To(ContainElement(HaveKubernetesID("DaemonSet", "openshift-multus", "network-metrics-daemon")))
g.Expect(objs).To(ContainElement(HaveKubernetesID("Service", "openshift-multus", "network-metrics-service")))
g.Expect(objs).To(ContainElement(HaveKubernetesID("ClusterRole", "", "metrics-daemon-role")))
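Review bot: TestRenderNetworkMetricsDaemon is updated only for the count at L478-479; add `g.Expect(objs).To(ContainElement(HaveKubernetesID("NetworkPolicy", "openshift-multus", "network-metrics")))` next to the DaemonSet and Service assertions so the policy that guards this daemon's metrics port is checked by name. The function continues beyond the hunk.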
8 changes: 4 additions & 4 deletions pkg/network/ovn_kubernetes_test.go
Expand Up @@ -4221,7 +4221,7 @@ func Test_renderOVNKubernetes(t *testing.T) {
client: cnofake.NewFakeClient(),
featureGates: noFeatureGates,
},
expectNumObjs: 50,
expectNumObjs: 52,
},
{
name: "render routeadvertisements",
Expand All @@ -4236,7 +4236,7 @@ func Test_renderOVNKubernetes(t *testing.T) {
client: cnofake.NewFakeClient(),
featureGates: noFeatureGates,
},
expectNumObjs: 51,
expectNumObjs: 53,
},
{
name: "render with UDN",
Expand All @@ -4247,7 +4247,7 @@ func Test_renderOVNKubernetes(t *testing.T) {
client: cnofake.NewFakeClient(),
featureGates: udnFeatureGate,
},
expectNumObjs: 50,
expectNumObjs: 52,
},
{
name: "render with PreconfiguredUDNAddresses, UDN, persistent-IP, and RA",
Expand All @@ -4261,7 +4261,7 @@ func Test_renderOVNKubernetes(t *testing.T) {
client: cnofake.NewFakeClient(),
featureGates: preDefUDNFeatureGates,
},
expectNumObjs: 51,
expectNumObjs: 53,
},
}
for _, tt := range tests {
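Review bot: All four cases at L491, L500, L509 and L518 change only `expectNumObjs`, so nothing in this test distinguishes the new openshift-ovn-kubernetes default-deny from any other two extra objects. If the table-driven loop that starts at L521 and continues outside the hunk has a hook for per-object expectations, add an assertion that a `NetworkPolicy` named `default-deny` in `openshift-ovn-kubernetes` is rendered; otherwise a one-line comment on the first case saying what the +2 is would help the next person bumping these numbers. I am guessing the second object is the openshift-host-network default-deny, since that namespace is rendered alongside OVN-Kubernetes, but the hunk does not show it.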
4 changes: 2 additions & 2 deletions pkg/network/render_test.go
Expand Up @@ -524,7 +524,7 @@ func Test_renderNetworkDiagnostics(t *testing.T) {
operConf: &operv1.NetworkSpec{DisableNetworkDiagnostics: true},
clusterConf: &configv1.NetworkSpec{NetworkDiagnostics: configv1.NetworkDiagnostics{Mode: configv1.NetworkDiagnosticsAll}},
},
want: 15,
want: 18,
expectedErr: nil,
},
}
Expand Down Expand Up @@ -568,7 +568,7 @@ func Test_renderAdditionalRoutingCapabilities(t *testing.T) {
},
},
},
want: 19,
want: 20,
expectedErr: nil,
},
}