From e95de4225b8007dc8517e2b289c58faa3303ab06 Mon Sep 17 00:00:00 2001
From: kabicin <37311900+kabicin@users.noreply.github.com>
Date: Wed, 28 May 2025 11:46:34 -0400
Subject: [PATCH 01/19] Add operator network policy helper
---
 utils/utils.go | 40 +++++++++++++++++++++++++++++++---------
 1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/utils/utils.go b/utils/utils.go
index 4e34b9cf..45b12796 100644
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -340,6 +340,24 @@ func customizeProbeDefaults(config *corev1.Probe, defaultProbe *corev1.Probe) *c
 return probe
 }
+func CustomizeOperatorNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, operatorName string, operatorPodLabels map[string]string) {
+ networkPolicy.Spec.PolicyTypes = []networkingv1.PolicyType{networkingv1.PolicyTypeIngress}
+
+ networkPolicy.Spec.PodSelector = metav1.LabelSelector{
+ MatchLabels: operatorPodLabels,
+ }
+
+ var rule networkingv1.NetworkPolicyIngressRule
+
+ if isOpenShift {
+ rule = createOpenShiftNetworkPolicyIngressRule(operatorName, networkPolicy.Namespace, false, nil, false)
+ } else {
+ rule = createKubernetesNetworkPolicyIngressRule(operatorName, networkPolicy.Namespace, false, nil, false)
+ }
+
+ networkPolicy.Spec.Ingress = []networkingv1.NetworkPolicyIngressRule{rule}
+}
+
 // CustomizeNetworkPolicy configures the network policy.
 func CustomizeNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, ba common.BaseComponent) {
 obj := ba.(metav1.Object)
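Review bot: On plain Kubernetes the operator policy built here is effectively allow-all ingress: `CustomizeOperatorNetworkPolicy` calls `createKubernetesNetworkPolicyIngressRule` with `isExposed=false` and `allowPodPeers=false`, and in the @@ -412 hunk that path returns a rule whose `From` is empty, which a NetworkPolicy ingress rule treats as "match all sources". If no peer is meant to be admitted, leave `networkPolicy.Spec.Ingress` empty rather than adding an empty-`From` rule, and if a specific client (for example a metrics scraper) is meant to reach the operator, add that peer explicitly; the OpenShift branch behaves differently because it always appends the monitoring peer (@@ -395 hunk). Passing a nil `config` only works because the peer is skipped, so a comment on the call such as `// nil config + allowPodPeers=false: no application pod peer is added for the operator` would make that coupling visible. The exported `CustomizeOperatorNetworkPolicy` also needs a doc comment starting with its name.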
@@ -362,16 +380,16 @@ func CustomizeNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, isOpenShi
 config.GetFromLabels() != nil && len(config.GetFromLabels()) == 0 {
 rule = createAllowAllNetworkPolicyIngressRule()
 } else if isOpenShift {
- rule = createOpenShiftNetworkPolicyIngressRule(ba.GetApplicationName(), networkPolicy.Namespace, isExposed, config)
+ rule = createOpenShiftNetworkPolicyIngressRule(ba.GetApplicationName(), networkPolicy.Namespace, isExposed, config, true)
 } else {
- rule = createKubernetesNetworkPolicyIngressRule(ba.GetApplicationName(), networkPolicy.Namespace, isExposed, config)
+ rule = createKubernetesNetworkPolicyIngressRule(ba.GetApplicationName(), networkPolicy.Namespace, isExposed, config, true)
 }
 customizeNetworkPolicyPorts(&rule, ba)
 networkPolicy.Spec.Ingress = []networkingv1.NetworkPolicyIngressRule{rule}
 }
-func createOpenShiftNetworkPolicyIngressRule(appName string, namespace string, isExposed bool, config common.BaseComponentNetworkPolicy) networkingv1.NetworkPolicyIngressRule {
+func createOpenShiftNetworkPolicyIngressRule(appName string, namespace string, isExposed bool, config common.BaseComponentNetworkPolicy, allowPodPeers bool) networkingv1.NetworkPolicyIngressRule {
 rule := networkingv1.NetworkPolicyIngressRule{}
 // Add peer to allow traffic from the OpenShift router
@@ -395,10 +413,13 @@ func createOpenShiftNetworkPolicyIngressRule(appName string, namespace string, i
 )
 }
+ rule.From = append(rule.From,
+ // Add peer to allow traffic from other pods belonging to the app
+ createNetworkPolicyPeer(appName, namespace, config),
+ )
+ }
+
 // default to allow traffic from OpenShift monitoring
 rule.From = append(rule.From,
- // Add peer to allow traffic from other pods belonging to the app
- createNetworkPolicyPeer(appName, namespace, config),
- // Add peer to allow traffic from OpenShift monitoring
 networkingv1.NetworkPolicyPeer{
 NamespaceSelector: &metav1.LabelSelector{
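Review bot: The `+ }` added after the new app-pods peer block closes an `if allowPodPeers {` that this commit never opens (it arrives one commit later as PATCH 02), so this commit does not compile on its own and breaks bisecting; squash the one-line follow-up into it. `allowPodPeers` is also undocumented on `createOpenShiftNetworkPolicyIngressRule`; a comment on the signature such as `// allowPodPeers adds a peer for other pods of the same application; when false the rule carries only the router and monitoring peers this function adds itself.` would help. The router peer logic sits outside the hunk, so I cannot confirm what gates it.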
@@ -412,14 +433,15 @@ func createOpenShiftNetworkPolicyIngressRule(appName string, namespace string, i
 return rule
 }
-func createKubernetesNetworkPolicyIngressRule(appName string, namespace string, isExposed bool, config common.BaseComponentNetworkPolicy) networkingv1.NetworkPolicyIngressRule {
+func createKubernetesNetworkPolicyIngressRule(appName string, namespace string, isExposed bool, config common.BaseComponentNetworkPolicy, allowPodPeers bool) networkingv1.NetworkPolicyIngressRule {
 if isExposed {
 return createAllowAllNetworkPolicyIngressRule()
 }
 rule := networkingv1.NetworkPolicyIngressRule{}
- rule.From = []networkingv1.NetworkPolicyPeer{
- createNetworkPolicyPeer(appName, namespace, config),
+ rule.From = []networkingv1.NetworkPolicyPeer{}
+ if allowPodPeers {
+ rule.From = append(rule.From, createNetworkPolicyPeer(appName, namespace, config))
 }
 return rule
 }
From 7ddd969e520510d9ed8990ade9f40fd5128eb78b Mon Sep 17 00:00:00 2001
From: kabicin <37311900+kabicin@users.noreply.github.com>
Date: Wed, 28 May 2025 11:46:42 -0400
Subject: [PATCH 02/19] Update utils.go
---
 utils/utils.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/utils/utils.go b/utils/utils.go
index 45b12796..041529f1 100644
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -413,6 +413,7 @@ func createOpenShiftNetworkPolicyIngressRule(appName string, namespace string, i
 )
 }
+ if allowPodPeers {
 rule.From = append(rule.From,
 // Add peer to allow traffic from other pods belonging to the app
 createNetworkPolicyPeer(appName, namespace, config),
From 998bf143f9791541053013b1814719229ebd93ce Mon Sep 17 00:00:00 2001
From: kabicin <37311900+kabicin@users.noreply.github.com>
Date: Fri, 30 May 2025 17:04:12 -0400
Subject: [PATCH 03/19] Support egress network policies
---
 api/v1/runtimecomponent_types.go | 62 +++++++++++++-
 .../rc.app.stacks_runtimecomponents.yaml | 33 +++++++-
 ...ntime-component.clusterserviceversion.yaml | 41 ++++++++-
 common/types.go | 8 +-
 .../rc.app.stacks_runtimecomponents.yaml | 33 +++++++-
 ...ntime-component.clusterserviceversion.yaml | 41 ++++++++-
 .../controller/runtimecomponent_controller.go | 7 +-
 .../deploy/kubectl/runtime-component-crd.yaml | 33 +++++++-
 .../daily/base/runtime-component-crd.yaml | 33 +++++++-
 utils/utils.go | 84 ++++++++++++-------
 10 files changed, 332 insertions(+), 43 deletions(-)
diff --git a/api/v1/runtimecomponent_types.go b/api/v1/runtimecomponent_types.go
index 2e694dfc..e5492c35 100644
--- a/api/v1/runtimecomponent_types.go
+++ b/api/v1/runtimecomponent_types.go
@@ -328,13 +328,37 @@ type RuntimeComponentNetworkPolicy struct {
 // +operator-sdk:csv:customresourcedefinitions:order=46,type=spec,displayName="Disable",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
 Disable *bool `json:"disable,omitempty"`
- // Specify the labels of namespaces that incoming traffic is allowed from.
- // +operator-sdk:csv:customresourcedefinitions:order=47,type=spec,displayName="Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+ // Disable the creation of the network policy ingress. Defaults to false.
+ // +operator-sdk:csv:customresourcedefinitions:order=47,type=spec,displayName="Disable Ingress",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+ DisableIngress *bool `json:"disableIngress,omitempty"`
+
+ // Disable the creation of the network policy egress. Defaults to false.
+ // +operator-sdk:csv:customresourcedefinitions:order=48,type=spec,displayName="Disable Egress",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+ DisableEgress *bool `json:"disableEgress,omitempty"`
+
+ // Deny outbound traffic of the application pod(s). Defaults to false.
+ // +operator-sdk:csv:customresourcedefinitions:order=49,type=spec,displayName="Deny Outbound Traffic",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+ DenyOutboundTraffic *bool `json:"denyOutboundTraffic,omitempty"`
+
+ // Deprecated. .spec.networkPolicy.fromNamespaceLabels should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels will override this.
+ // +operator-sdk:csv:customresourcedefinitions:order=50,type=spec,displayName="Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
 NamespaceLabels *map[string]string `json:"namespaceLabels,omitempty"`
+ // Specify the labels of namespaces that incoming traffic is allowed from.
+ // +operator-sdk:csv:customresourcedefinitions:order=51,type=spec,displayName="From Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+ FromNamespaceLabels *map[string]string `json:"fromNamespaceLabels,omitempty"`
+ // Specify the labels of pod(s) that incoming traffic is allowed from.
- // +operator-sdk:csv:customresourcedefinitions:order=48,type=spec,displayName="From Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+ // +operator-sdk:csv:customresourcedefinitions:order=52,type=spec,displayName="From Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
 FromLabels *map[string]string `json:"fromLabels,omitempty"`
+
+ // Specify the labels of namespaces that outgoing traffic is allowed to.
+ // +operator-sdk:csv:customresourcedefinitions:order=53,type=spec,displayName="To Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+ ToNamespaceLabels *map[string]string `json:"toNamespaceLabels,omitempty"`
+
+ // Specify the labels of pod(s) that outgoing traffic is allowed to.
+ // +operator-sdk:csv:customresourcedefinitions:order=54,type=spec,displayName="To Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+ ToLabels *map[string]string `json:"toLabels,omitempty"`
 }
 // Defines the desired state and cycle of applications.
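Review bot: The deprecation text on `NamespaceLabels` is written as `// Deprecated. ...`, which neither staticcheck nor gopls recognises, so code still reading the field gets no warning; the Go convention is a paragraph beginning `// Deprecated: use fromNamespaceLabels instead. If both are set, fromNamespaceLabels takes precedence.`. Because this comment is also rendered into the CRD field description (the generated YAML hunks in this patch carry the same sentence), check that the regenerated description still reads well after the change. The struct's opening line is outside this hunk.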
@@ -910,7 +934,25 @@ func (ssa *RuntimeComponentServiceSessionAffinity) GetConfig() *corev1.SessionAf
 return ssa.Config
 }
-func (np *RuntimeComponentNetworkPolicy) GetNamespaceLabels() map[string]string {
+func (np *RuntimeComponentNetworkPolicy) GetToNamespaceLabels() map[string]string {
+ if np.ToNamespaceLabels != nil {
+ return *np.ToNamespaceLabels
+ }
+ return nil
+}
+
+func (np *RuntimeComponentNetworkPolicy) GetToLabels() map[string]string {
+ if np.ToLabels != nil {
+ return *np.ToLabels
+ }
+ return nil
+}
+
+func (np *RuntimeComponentNetworkPolicy) GetFromNamespaceLabels() map[string]string {
+ if np.FromNamespaceLabels != nil {
+ return *np.FromNamespaceLabels
+ }
+ // fallback to deprecated flag np.NamespaceLabels for when we only supported one type of network policy (ingress)
 if np.NamespaceLabels != nil {
 return *np.NamespaceLabels
 }
@@ -928,6 +970,18 @@ func (np *RuntimeComponentNetworkPolicy) IsDisabled() bool {
 return np.Disable != nil && *np.Disable
 }
+func (np *RuntimeComponentNetworkPolicy) IsIngressDisabled() bool {
+ return np.DisableIngress != nil && *np.DisableIngress
+}
+
+func (np *RuntimeComponentNetworkPolicy) IsEgressDisabled() bool {
+ return np.DisableEgress != nil && *np.DisableEgress
+}
+
+func (np *RuntimeComponentNetworkPolicy) IsDenyingOutboundTraffic() bool {
+ return np.DenyOutboundTraffic != nil && *np.DenyOutboundTraffic
+}
+
 // GetLabels returns labels to be added on ServiceMonitor
 func (m *RuntimeComponentMonitoring) GetLabels() map[string]string {
 return m.Labels
diff --git a/bundle/manifests/rc.app.stacks_runtimecomponents.yaml b/bundle/manifests/rc.app.stacks_runtimecomponents.yaml
index 96b7f218..a0e93fe6 100644
--- a/bundle/manifests/rc.app.stacks_runtimecomponents.yaml
+++ b/bundle/manifests/rc.app.stacks_runtimecomponents.yaml
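Review bot: The new exported methods (`GetToNamespaceLabels`, `GetToLabels`, `GetFromNamespaceLabels`, `IsIngressDisabled`, `IsEgressDisabled`, `IsDenyingOutboundTraffic`) carry no doc comments, and the only statement of the precedence rule is an inline comment inside `GetFromNamespaceLabels`. Suggested: `// GetFromNamespaceLabels returns the namespace labels ingress traffic may come from; it falls back to the deprecated NamespaceLabels field when FromNamespaceLabels is unset.` and, for each `Is*` method, a one-liner such as `// IsEgressDisabled reports whether egress policy generation is turned off (nil means enabled).` The `Get*` methods hand back the spec's map without copying, so a caller that mutates the result mutates the spec; that is worth stating in the comment. The first hunk's function `GetFromNamespaceLabels` ends outside the hunk.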
@@ -3842,22 +3842,53 @@ spec: networkPolicy: description: Defines the network policy properties: + denyOutboundTraffic: + description: Deny outbound traffic of the application pod(s). + Defaults to false. + type: boolean disable: description: Disable the creation of the network policy. Defaults to false. type: boolean + disableEgress: + description: Disable the creation of the network policy egress. + Defaults to false. + type: boolean + disableIngress: + description: Disable the creation of the network policy ingress. + Defaults to false. + type: boolean fromLabels: additionalProperties: type: string description: Specify the labels of pod(s) that incoming traffic is allowed from. type: object - namespaceLabels: + fromNamespaceLabels: additionalProperties: type: string description: Specify the labels of namespaces that incoming traffic is allowed from. type: object + namespaceLabels: + additionalProperties: + type: string + description: Deprecated. .spec.networkPolicy.fromNamespaceLabels + should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels + will override this. + type: object + toLabels: + additionalProperties: + type: string + description: Specify the labels of pod(s) that outgoing traffic + is allowed to. + type: object + toNamespaceLabels: + additionalProperties: + type: string + description: Specify the labels of namespaces that outgoing traffic + is allowed to. + type: object type: object probes: description: Define health checks on application container to determine diff --git a/bundle/manifests/runtime-component.clusterserviceversion.yaml b/bundle/manifests/runtime-component.clusterserviceversion.yaml index a1847894..4b7573cd 100644 --- a/bundle/manifests/runtime-component.clusterserviceversion.yaml +++ b/bundle/manifests/runtime-component.clusterserviceversion.yaml 
@@ -492,18 +492,55 @@ spec: path: networkPolicy.disable x-descriptors: - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - - description: Specify the labels of namespaces that incoming traffic is allowed - from. + - description: Disable the creation of the network policy ingress. Defaults + to false. + displayName: Disable Ingress + path: networkPolicy.disableIngress + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Disable the creation of the network policy egress. Defaults to + false. + displayName: Disable Egress + path: networkPolicy.disableEgress + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Deny outbound traffic of the application pod(s). Defaults to + false. + displayName: Deny Outbound Traffic + path: networkPolicy.denyOutboundTraffic + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Deprecated. .spec.networkPolicy.fromNamespaceLabels should be + used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels + will override this. displayName: Namespace Labels path: networkPolicy.namespaceLabels x-descriptors: - urn:alm:descriptor:com.tectonic.ui:text + - description: Specify the labels of namespaces that incoming traffic is allowed + from. + displayName: From Namespace Labels + path: networkPolicy.fromNamespaceLabels + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:text - description: Specify the labels of pod(s) that incoming traffic is allowed from. displayName: From Labels path: networkPolicy.fromLabels x-descriptors: - urn:alm:descriptor:com.tectonic.ui:text + - description: Specify the labels of namespaces that outgoing traffic is allowed + to. + displayName: To Namespace Labels + path: networkPolicy.toNamespaceLabels + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:text + - description: Specify the labels of pod(s) that outgoing traffic is allowed + to. 
+ displayName: To Labels
+ path: networkPolicy.toLabels
+ x-descriptors:
+ - urn:alm:descriptor:com.tectonic.ui:text
 - description: Hide liveness probe's Exec field
 displayName: Livness Probe's Exec
 path: probes.liveness.exec
diff --git a/common/types.go b/common/types.go
index 42c54ff2..e0226d09 100644
--- a/common/types.go
+++ b/common/types.go
@@ -148,7 +148,13 @@ type BaseComponentCertificate interface {
 // BaseComponentNetworkPolicy represents a basic network policy configuration
 type BaseComponentNetworkPolicy interface {
- GetNamespaceLabels() map[string]string
+ IsDisabled() bool
+ IsIngressDisabled() bool
+ IsEgressDisabled() bool
+ IsDenyingOutboundTraffic() bool
+ GetToNamespaceLabels() map[string]string
+ GetToLabels() map[string]string
+ GetFromNamespaceLabels() map[string]string
 GetFromLabels() map[string]string
 }
diff --git a/config/crd/bases/rc.app.stacks_runtimecomponents.yaml b/config/crd/bases/rc.app.stacks_runtimecomponents.yaml
index 3eb6cf95..80707657 100644
--- a/config/crd/bases/rc.app.stacks_runtimecomponents.yaml
+++ b/config/crd/bases/rc.app.stacks_runtimecomponents.yaml
@@ -3838,22 +3838,53 @@ spec: networkPolicy: description: Defines the network policy properties: + denyOutboundTraffic: + description: Deny outbound traffic of the application pod(s). + Defaults to false. + type: boolean disable: description: Disable the creation of the network policy. Defaults to false. type: boolean + disableEgress: + description: Disable the creation of the network policy egress. + Defaults to false. + type: boolean + disableIngress: + description: Disable the creation of the network policy ingress. + Defaults to false. + type: boolean fromLabels: additionalProperties: type: string description: Specify the labels of pod(s) that incoming traffic is allowed from. type: object - namespaceLabels: + fromNamespaceLabels: additionalProperties: type: string description: Specify the labels of namespaces that incoming traffic is allowed from. type: object + namespaceLabels: + additionalProperties: + type: string + description: Deprecated. .spec.networkPolicy.fromNamespaceLabels + should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels + will override this. + type: object + toLabels: + additionalProperties: + type: string + description: Specify the labels of pod(s) that outgoing traffic + is allowed to. + type: object + toNamespaceLabels: + additionalProperties: + type: string + description: Specify the labels of namespaces that outgoing traffic + is allowed to. + type: object type: object probes: description: Define health checks on application container to determine diff --git a/config/manifests/bases/runtime-component.clusterserviceversion.yaml b/config/manifests/bases/runtime-component.clusterserviceversion.yaml index 6ad43ee3..8201f162 100644 --- a/config/manifests/bases/runtime-component.clusterserviceversion.yaml +++ b/config/manifests/bases/runtime-component.clusterserviceversion.yaml 
@@ -426,18 +426,55 @@ spec: path: networkPolicy.disable x-descriptors: - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - - description: Specify the labels of namespaces that incoming traffic is allowed - from. + - description: Disable the creation of the network policy ingress. Defaults + to false. + displayName: Disable Ingress + path: networkPolicy.disableIngress + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Disable the creation of the network policy egress. Defaults to + false. + displayName: Disable Egress + path: networkPolicy.disableEgress + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Deny outbound traffic of the application pod(s). Defaults to + false. + displayName: Deny Outbound Traffic + path: networkPolicy.denyOutboundTraffic + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Deprecated. .spec.networkPolicy.fromNamespaceLabels should be + used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels + will override this. displayName: Namespace Labels path: networkPolicy.namespaceLabels x-descriptors: - urn:alm:descriptor:com.tectonic.ui:text + - description: Specify the labels of namespaces that incoming traffic is allowed + from. + displayName: From Namespace Labels + path: networkPolicy.fromNamespaceLabels + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:text - description: Specify the labels of pod(s) that incoming traffic is allowed from. displayName: From Labels path: networkPolicy.fromLabels x-descriptors: - urn:alm:descriptor:com.tectonic.ui:text + - description: Specify the labels of namespaces that outgoing traffic is allowed + to. + displayName: To Namespace Labels + path: networkPolicy.toNamespaceLabels + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:text + - description: Specify the labels of pod(s) that outgoing traffic is allowed + to. 
+ displayName: To Labels
+ path: networkPolicy.toLabels
+ x-descriptors:
+ - urn:alm:descriptor:com.tectonic.ui:text
 statusDescriptors:
 - description: Exposed URI of the application endpoint
 displayName: Application
diff --git a/internal/controller/runtimecomponent_controller.go b/internal/controller/runtimecomponent_controller.go
index 59c0546a..701fa172 100644
--- a/internal/controller/runtimecomponent_controller.go
+++ b/internal/controller/runtimecomponent_controller.go
@@ -351,7 +351,12 @@ func (r *RuntimeComponentReconciler) Reconcile(ctx context.Context, req ctrl.Req
 networkPolicy := &networkingv1.NetworkPolicy{ObjectMeta: defaultMeta}
 if np := instance.Spec.NetworkPolicy; np == nil || np != nil && !np.IsDisabled() {
 err = r.CreateOrUpdate(networkPolicy, instance, func() error {
- appstacksutils.CustomizeNetworkPolicy(networkPolicy, r.IsOpenShift(), instance)
+ if np == nil || np != nil && !np.IsIngressDisabled() {
+ appstacksutils.CustomizeNetworkPolicyIngress(networkPolicy, r.IsOpenShift(), instance)
+ }
+ if np == nil || np != nil && !np.IsEgressDisabled() {
+ appstacksutils.CustomizeNetworkPolicyIngress(networkPolicy, r.IsOpenShift(), instance)
+ }
 return nil
 })
 if err != nil {
diff --git a/internal/deploy/kubectl/runtime-component-crd.yaml b/internal/deploy/kubectl/runtime-component-crd.yaml
index 95784363..d44b25ca 100644
--- a/internal/deploy/kubectl/runtime-component-crd.yaml
+++ b/internal/deploy/kubectl/runtime-component-crd.yaml
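Review bot: The second branch in the `CreateOrUpdate` mutate function calls `CustomizeNetworkPolicyIngress` where `CustomizeNetworkPolicyEgress` is evidently intended, so the egress policy is never generated and setting `disableIngress` alone still yields an ingress-only policy; the call should be `appstacksutils.CustomizeNetworkPolicyEgress(networkPolicy, r.IsOpenShift(), instance)`. Even with that fixed, `CustomizeNetworkPolicyEgress` assigns `Spec.PolicyTypes` to `{Egress}` (utils.go hunk of this patch) and the ingress helper presumably assigns `{Ingress}`, so whichever runs second overwrites the first, and a policy whose `policyTypes` lists only one direction leaves the other direction unrestricted by this policy. Each helper should append its type (or this block should set both types once before calling them), and the disabled side should have its `Spec.Ingress`/`Spec.Egress` cleared so a rule from an earlier reconcile is not carried over on update. `np == nil || np != nil && !np.IsIngressDisabled()` simplifies to `np == nil || !np.IsIngressDisabled()` (same for egress). `Reconcile` continues outside the hunk.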
@@ -3841,22 +3841,53 @@ spec: networkPolicy: description: Defines the network policy properties: + denyOutboundTraffic: + description: Deny outbound traffic of the application pod(s). + Defaults to false. + type: boolean disable: description: Disable the creation of the network policy. Defaults to false. type: boolean + disableEgress: + description: Disable the creation of the network policy egress. + Defaults to false. + type: boolean + disableIngress: + description: Disable the creation of the network policy ingress. + Defaults to false. + type: boolean fromLabels: additionalProperties: type: string description: Specify the labels of pod(s) that incoming traffic is allowed from. type: object - namespaceLabels: + fromNamespaceLabels: additionalProperties: type: string description: Specify the labels of namespaces that incoming traffic is allowed from. type: object + namespaceLabels: + additionalProperties: + type: string + description: Deprecated. .spec.networkPolicy.fromNamespaceLabels + should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels + will override this. + type: object + toLabels: + additionalProperties: + type: string + description: Specify the labels of pod(s) that outgoing traffic + is allowed to. + type: object + toNamespaceLabels: + additionalProperties: + type: string + description: Specify the labels of namespaces that outgoing traffic + is allowed to. + type: object type: object probes: description: Define health checks on application container to determine diff --git a/internal/deploy/kustomize/daily/base/runtime-component-crd.yaml b/internal/deploy/kustomize/daily/base/runtime-component-crd.yaml index 95784363..d44b25ca 100644 --- a/internal/deploy/kustomize/daily/base/runtime-component-crd.yaml +++ b/internal/deploy/kustomize/daily/base/runtime-component-crd.yaml 
@@ -3841,22 +3841,53 @@ spec: networkPolicy: description: Defines the network policy properties: + denyOutboundTraffic: + description: Deny outbound traffic of the application pod(s). + Defaults to false. + type: boolean disable: description: Disable the creation of the network policy. Defaults to false. type: boolean + disableEgress: + description: Disable the creation of the network policy egress. + Defaults to false. + type: boolean + disableIngress: + description: Disable the creation of the network policy ingress. + Defaults to false. + type: boolean fromLabels: additionalProperties: type: string description: Specify the labels of pod(s) that incoming traffic is allowed from. type: object - namespaceLabels: + fromNamespaceLabels: additionalProperties: type: string description: Specify the labels of namespaces that incoming traffic is allowed from. type: object + namespaceLabels: + additionalProperties: + type: string + description: Deprecated. .spec.networkPolicy.fromNamespaceLabels + should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels + will override this. + type: object + toLabels: + additionalProperties: + type: string + description: Specify the labels of pod(s) that outgoing traffic + is allowed to. + type: object + toNamespaceLabels: + additionalProperties: + type: string + description: Specify the labels of namespaces that outgoing traffic + is allowed to. + type: object type: object probes: description: Define health checks on application container to determine diff --git a/utils/utils.go b/utils/utils.go index 041529f1..662dbeb7 100644 --- a/utils/utils.go +++ b/utils/utils.go 
@@ -340,26 +340,55 @@ func customizeProbeDefaults(config *corev1.Probe, defaultProbe *corev1.Probe) *c
 return probe
 }
-func CustomizeOperatorNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, operatorName string, operatorPodLabels map[string]string) {
- networkPolicy.Spec.PolicyTypes = []networkingv1.PolicyType{networkingv1.PolicyTypeIngress}
+// CustomizeNetworkPolicyEgress configures the network policy for outgoing traffic to other Pod(s)
+func CustomizeNetworkPolicyEgress(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, ba common.BaseComponent) {
+ obj := ba.(metav1.Object)
+ networkPolicy.Labels = ba.GetLabels()
+ networkPolicy.Annotations = MergeMaps(networkPolicy.Annotations, ba.GetAnnotations())
+
+ networkPolicy.Spec.PolicyTypes = []networkingv1.PolicyType{networkingv1.PolicyTypeEgress}
 networkPolicy.Spec.PodSelector = metav1.LabelSelector{
- MatchLabels: operatorPodLabels,
+ MatchLabels: map[string]string{
+ common.GetComponentNameLabel(ba): obj.GetName(),
+ },
 }
- var rule networkingv1.NetworkPolicyIngressRule
-
- if isOpenShift {
- rule = createOpenShiftNetworkPolicyIngressRule(operatorName, networkPolicy.Namespace, false, nil, false)
+ config := ba.GetNetworkPolicy()
+ var rule networkingv1.NetworkPolicyEgressRule
+ denyOutboundTraffic := config.IsDenyingOutboundTraffic()
+ if config != nil && config.GetToNamespaceLabels() != nil && len(config.GetToNamespaceLabels()) == 0 &&
+ config.GetToLabels() != nil && len(config.GetToLabels()) == 0 {
+ rule = createAllowAllNetworkPolicyEgressRule()
 } else {
- rule = createKubernetesNetworkPolicyIngressRule(operatorName, networkPolicy.Namespace, false, nil, false)
+ rule = createNetworkPolicyEgressRule(ba.GetApplicationName(), networkPolicy.Namespace, !denyOutboundTraffic, config)
 }
- networkPolicy.Spec.Ingress = []networkingv1.NetworkPolicyIngressRule{rule}
+ networkPolicy.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{rule}
 }
-// CustomizeNetworkPolicy configures the
network policy.
-func CustomizeNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, ba common.BaseComponent) {
+func createNetworkPolicyEgressRule(appName string, namespace string, allowOutboundTraffic bool, config common.BaseComponentNetworkPolicy) networkingv1.NetworkPolicyEgressRule {
+ if allowOutboundTraffic {
+ return createAllowAllNetworkPolicyEgressRule()
+ }
+ rule := networkingv1.NetworkPolicyEgressRule{}
+ rule.To = append(rule.To,
+ // Add peer to allow traffic to other pods belonging to the app
+ createNetworkPolicyPeer(appName, namespace, config, config.GetFromNamespaceLabels, config.GetFromLabels),
+ )
+ return rule
+}
+
+func createAllowAllNetworkPolicyEgressRule() networkingv1.NetworkPolicyEgressRule {
+ return networkingv1.NetworkPolicyEgressRule{
+ To: []networkingv1.NetworkPolicyPeer{{
+ NamespaceSelector: &metav1.LabelSelector{},
+ }},
+ }
+}
+
+// CustomizeNetworkPolicyIngress configures the network policy for incoming traffic from other Pod(s)
+func CustomizeNetworkPolicyIngress(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, ba common.BaseComponent) {
 obj := ba.(metav1.Object)
 networkPolicy.Labels = ba.GetLabels()
 networkPolicy.Annotations = MergeMaps(networkPolicy.Annotations, ba.GetAnnotations())
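Review bot: `createNetworkPolicyEgressRule` passes `config.GetFromNamespaceLabels` and `config.GetFromLabels` to `createNetworkPolicyPeer`, so the egress destination is selected by the ingress fields and the new `toNamespaceLabels`/`toLabels` introduced in this patch never influence the policy; it should pass `config.GetToNamespaceLabels, config.GetToLabels`. The same getters are still used in the PATCH 04 (@@ -372) and PATCH 05 hunks further down, so the fix needs to carry forward. `CustomizeNetworkPolicyEgress` evaluates `config.IsDenyingOutboundTraffic()` before its own `config != nil` check, which panics on a nil interface (PATCH 05 drops that line), and it takes `isOpenShift` without using it. A doc comment on `createNetworkPolicyEgressRule` should state that `allowOutboundTraffic` short-circuits to an allow-all rule and that otherwise only the application's own pods are reachable. `CustomizeNetworkPolicyIngress` begins here and its body continues outside the hunk.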
@@ -376,20 +405,20 @@ func CustomizeNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, isOpenShi
 isExposed := ba.GetExpose() != nil && *ba.GetExpose()
 var rule networkingv1.NetworkPolicyIngressRule
- if config != nil && config.GetNamespaceLabels() != nil && len(config.GetNamespaceLabels()) == 0 &&
+ if config != nil && config.GetFromNamespaceLabels() != nil && len(config.GetFromNamespaceLabels()) == 0 &&
 config.GetFromLabels() != nil && len(config.GetFromLabels()) == 0 {
 rule = createAllowAllNetworkPolicyIngressRule()
 } else if isOpenShift {
- rule = createOpenShiftNetworkPolicyIngressRule(ba.GetApplicationName(), networkPolicy.Namespace, isExposed, config, true)
+ rule = createOpenShiftNetworkPolicyIngressRule(ba.GetApplicationName(), networkPolicy.Namespace, isExposed, config)
 } else {
- rule = createKubernetesNetworkPolicyIngressRule(ba.GetApplicationName(), networkPolicy.Namespace, isExposed, config, true)
+ rule = createKubernetesNetworkPolicyIngressRule(ba.GetApplicationName(), networkPolicy.Namespace, isExposed, config)
 }
 customizeNetworkPolicyPorts(&rule, ba)
 networkPolicy.Spec.Ingress = []networkingv1.NetworkPolicyIngressRule{rule}
 }
-func createOpenShiftNetworkPolicyIngressRule(appName string, namespace string, isExposed bool, config common.BaseComponentNetworkPolicy, allowPodPeers bool) networkingv1.NetworkPolicyIngressRule {
+func createOpenShiftNetworkPolicyIngressRule(appName string, namespace string, isExposed bool, config common.BaseComponentNetworkPolicy) networkingv1.NetworkPolicyIngressRule {
 rule := networkingv1.NetworkPolicyIngressRule{}
 // Add peer to allow traffic from the OpenShift router
@@ -413,12 +442,10 @@ func createOpenShiftNetworkPolicyIngressRule(appName string, namespace string, i
 )
 }
- if allowPodPeers {
- rule.From = append(rule.From,
- // Add peer to allow traffic from other pods belonging to the app
- createNetworkPolicyPeer(appName, namespace, config),
- )
- }
+ rule.From = append(rule.From,
+ // Add peer to allow traffic from other pods belonging to the app
+ createNetworkPolicyPeer(appName, namespace, config, config.GetFromNamespaceLabels, config.GetFromLabels),
+ )
 // default to allow traffic from OpenShift monitoring
 rule.From = append(rule.From,
 // Add peer to allow traffic from OpenShift monitoring
@@ -434,15 +461,14 @@ func createOpenShiftNetworkPolicyIngressRule(appName string, namespace string, i
 return rule
 }
-func createKubernetesNetworkPolicyIngressRule(appName string, namespace string, isExposed bool, config common.BaseComponentNetworkPolicy, allowPodPeers bool) networkingv1.NetworkPolicyIngressRule {
+func createKubernetesNetworkPolicyIngressRule(appName string, namespace string, isExposed bool, config common.BaseComponentNetworkPolicy) networkingv1.NetworkPolicyIngressRule {
 if isExposed {
 return createAllowAllNetworkPolicyIngressRule()
 }
 rule := networkingv1.NetworkPolicyIngressRule{}
- rule.From = []networkingv1.NetworkPolicyPeer{}
- if allowPodPeers {
- rule.From = append(rule.From, createNetworkPolicyPeer(appName, namespace, config))
+ rule.From = []networkingv1.NetworkPolicyPeer{
+ createNetworkPolicyPeer(appName, namespace, config, config.GetFromNamespaceLabels, config.GetFromLabels),
 }
 return rule
 }
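Review bot: Both hunks take the method values `config.GetFromNamespaceLabels`/`config.GetFromLabels` unconditionally, and evaluating a method on a nil interface value panics, so `createOpenShiftNetworkPolicyIngressRule` and `createKubernetesNetworkPolicyIngressRule` now crash for a nil `config` — a case the caller tests for (`config != nil && ...` in the @@ -376 hunk) and that `createNetworkPolicyPeer` still handles through its `networkPolicy == nil ||` branches. PATCH 04 guards only the OpenShift call, and does so by dropping the peer, which changes the default policy; the Kubernetes variant here stays unguarded. A nil-safe path keeps the old semantics: wrap the getters, e.g. `func fromNamespaceLabelsOf(c common.BaseComponentNetworkPolicy) func() map[string]string { return func() map[string]string { if c == nil { return nil }; return c.GetFromNamespaceLabels() } }`, or change `createNetworkPolicyPeer` to take the two label maps and resolve them once at the call site under a nil check. The OpenShift hunk's function starts before its first line.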
@@ -455,18 +481,18 @@ func createAllowAllNetworkPolicyIngressRule() networkingv1.NetworkPolicyIngressR
 }
 }
-func createNetworkPolicyPeer(appName string, namespace string, networkPolicy common.BaseComponentNetworkPolicy) networkingv1.NetworkPolicyPeer {
+func createNetworkPolicyPeer(appName string, namespace string, networkPolicy common.BaseComponentNetworkPolicy, getNamespaceLabels func() map[string]string, getLabels func() map[string]string) networkingv1.NetworkPolicyPeer {
 peer := networkingv1.NetworkPolicyPeer{
 NamespaceSelector: &metav1.LabelSelector{},
 PodSelector: &metav1.LabelSelector{},
 }
- if networkPolicy == nil || networkPolicy.GetNamespaceLabels() == nil {
+ if networkPolicy == nil || getNamespaceLabels() == nil {
 peer.NamespaceSelector.MatchLabels = map[string]string{
 "kubernetes.io/metadata.name": namespace,
 }
 } else {
- peer.NamespaceSelector.MatchLabels = networkPolicy.GetNamespaceLabels()
+ peer.NamespaceSelector.MatchLabels = getNamespaceLabels()
 }
 if networkPolicy == nil || networkPolicy.GetFromLabels() == nil {
@@ -474,7 +500,7 @@ func createNetworkPolicyPeer(appName string, namespace string, networkPolicy com
 "app.kubernetes.io/part-of": appName,
 }
 } else {
- peer.PodSelector.MatchLabels = networkPolicy.GetFromLabels()
+ peer.PodSelector.MatchLabels = getLabels()
 }
 return peer
From da8c0c2306e722075bf3eb15d31a2f517bd1f1a4 Mon Sep 17 00:00:00 2001
From: kabicin <37311900+kabicin@users.noreply.github.com>
Date: Mon, 2 Jun 2025 10:01:40 -0400
Subject: [PATCH 04/19] Add nil check for networkpolicy peer
---
 utils/utils.go | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/utils/utils.go b/utils/utils.go
index 662dbeb7..22d266f2 100644
--- a/utils/utils.go
+++ b/utils/utils.go
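Review bot: The pod-selector branch is only half converted: the condition still reads `if networkPolicy == nil || networkPolicy.GetFromLabels() == nil {` while the else branch now assigns `getLabels()`, so for an egress caller with `toLabels` set but `fromLabels` unset the default peer wins and `toLabels` is ignored, and with `fromLabels` set but `toLabels` unset `getLabels()` returns nil and `PodSelector.MatchLabels` becomes nil, which selects every pod in the matched namespaces. Change the condition to `if networkPolicy == nil || getLabels() == nil {` to mirror the namespace branch just above. `networkPolicy` is then used only for the nil check; a doc comment on the function should say what the two getters are expected to return and that a nil map selects the default peer (same namespace, `app.kubernetes.io/part-of: appName`).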
@@ -372,10 +372,12 @@ func createNetworkPolicyEgressRule(appName string, namespace string, allowOutbou return createAllowAllNetworkPolicyEgressRule() } rule := networkingv1.NetworkPolicyEgressRule{} - rule.To = append(rule.To, - // Add peer to allow traffic to other pods belonging to the app - createNetworkPolicyPeer(appName, namespace, config, config.GetFromNamespaceLabels, config.GetFromLabels), - ) + if config != nil { + rule.To = append(rule.To, + // Add peer to allow traffic to other pods belonging to the app + createNetworkPolicyPeer(appName, namespace, config, config.GetFromNamespaceLabels, config.GetFromLabels), + ) + } return rule } @@ -442,10 +444,12 @@ func createOpenShiftNetworkPolicyIngressRule(appName string, namespace string, i ) } - rule.From = append(rule.From, - // Add peer to allow traffic from other pods belonging to the app - createNetworkPolicyPeer(appName, namespace, config, config.GetFromNamespaceLabels, config.GetFromLabels), - ) + if config != nil { + rule.From = append(rule.From, + // Add peer to allow traffic from other pods belonging to the app + createNetworkPolicyPeer(appName, namespace, config, config.GetFromNamespaceLabels, config.GetFromLabels), + ) + } // default to allow traffic from OpenShift monitoring rule.From = append(rule.From, // Add peer to allow traffic from OpenShift monitoring From b69e40b218682eb9199a641b7d00e8b4b55eef18 Mon Sep 17 00:00:00 2001 From: kabicin <37311900+kabicin@users.noreply.github.com> Date: Mon, 2 Jun 2025 12:25:39 -0400 Subject: [PATCH 05/19] Update utils.go --- utils/utils.go | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/utils/utils.go b/utils/utils.go index 22d266f2..4356a8f7 100644 --- a/utils/utils.go +++ b/utils/utils.go 
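Review bot: The `if config != nil` guard in `createNetworkPolicyEgressRule` leaves `rule.To` empty when the component has no `networkPolicy` section, and an egress rule with no `to` entries is treated by Kubernetes as matching every destination, so the nil case silently becomes allow-all instead of the app-pod peer the unguarded code was trying to build. If allow-all is the intended default, `return createAllowAllNetworkPolicyEgressRule()` in that case makes it explicit; if not, `createNetworkPolicyPeer(appName, namespace, nil, nil, nil)` is safe because its `networkPolicy == nil` checks short-circuit before the getters are called. The OpenShift ingress hunk keeps `rule.From` non-empty through the monitoring peer, but its guard likewise drops the app-pod peer rather than falling back to it. `createNetworkPolicyEgressRule` starts outside the hunk.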
@@ -356,21 +356,17 @@ func CustomizeNetworkPolicyEgress(networkPolicy *networkingv1.NetworkPolicy, isO config := ba.GetNetworkPolicy() var rule networkingv1.NetworkPolicyEgressRule - denyOutboundTraffic := config.IsDenyingOutboundTraffic() if config != nil && config.GetToNamespaceLabels() != nil && len(config.GetToNamespaceLabels()) == 0 && config.GetToLabels() != nil && len(config.GetToLabels()) == 0 { rule = createAllowAllNetworkPolicyEgressRule() } else { - rule = createNetworkPolicyEgressRule(ba.GetApplicationName(), networkPolicy.Namespace, !denyOutboundTraffic, config) + rule = createNetworkPolicyEgressRule(ba.GetApplicationName(), networkPolicy.Namespace, config) } networkPolicy.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{rule} } -func createNetworkPolicyEgressRule(appName string, namespace string, allowOutboundTraffic bool, config common.BaseComponentNetworkPolicy) networkingv1.NetworkPolicyEgressRule { - if allowOutboundTraffic { - return createAllowAllNetworkPolicyEgressRule() - } +func createNetworkPolicyEgressRule(appName string, namespace string, config common.BaseComponentNetworkPolicy) networkingv1.NetworkPolicyEgressRule { rule := networkingv1.NetworkPolicyEgressRule{} if config != nil { rule.To = append(rule.To, From b001ce37adac0f6abc9724c4727454e90d2babb6 Mon Sep 17 00:00:00 2001 From: kabicin <37311900+kabicin@users.noreply.github.com> Date: Mon, 2 Jun 2025 12:26:39 -0400 Subject: [PATCH 06/19] Remove networkpolicy deny flag --- api/v1/runtimecomponent_types.go | 18 +++++------------- .../rc.app.stacks_runtimecomponents.yaml | 4 ---- ...untime-component.clusterserviceversion.yaml | 6 ------ common/types.go | 1 - .../bases/rc.app.stacks_runtimecomponents.yaml | 4 ---- ...untime-component.clusterserviceversion.yaml | 6 ------ .../deploy/kubectl/runtime-component-crd.yaml | 4 ---- .../daily/base/runtime-component-crd.yaml | 4 ---- 8 files changed, 5 insertions(+), 42 deletions(-) 
diff --git a/api/v1/runtimecomponent_types.go b/api/v1/runtimecomponent_types.go
index e5492c35..1f7bacc4 100644
--- a/api/v1/runtimecomponent_types.go
+++ b/api/v1/runtimecomponent_types.go
@@ -336,28 +336,24 @@ type RuntimeComponentNetworkPolicy struct { // +operator-sdk:csv:customresourcedefinitions:order=48,type=spec,displayName="Disable Egress",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch" DisableEgress *bool `json:"disableEgress,omitempty"` - // Deny outbound traffic of the application pod(s). Defaults to false. - // +operator-sdk:csv:customresourcedefinitions:order=49,type=spec,displayName="Deny Outbound Traffic",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch" - DenyOutboundTraffic *bool `json:"denyOutboundTraffic,omitempty"` - // Deprecated. .spec.networkPolicy.fromNamespaceLabels should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels will override this. - // +operator-sdk:csv:customresourcedefinitions:order=50,type=spec,displayName="Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" + // +operator-sdk:csv:customresourcedefinitions:order=49,type=spec,displayName="Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" NamespaceLabels *map[string]string `json:"namespaceLabels,omitempty"` // Specify the labels of namespaces that incoming traffic is allowed from. - // +operator-sdk:csv:customresourcedefinitions:order=51,type=spec,displayName="From Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" + // +operator-sdk:csv:customresourcedefinitions:order=50,type=spec,displayName="From Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" FromNamespaceLabels *map[string]string `json:"fromNamespaceLabels,omitempty"` // Specify the labels of pod(s) that incoming traffic is allowed from. 
- // +operator-sdk:csv:customresourcedefinitions:order=52,type=spec,displayName="From Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" + // +operator-sdk:csv:customresourcedefinitions:order=51,type=spec,displayName="From Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" FromLabels *map[string]string `json:"fromLabels,omitempty"` // Specify the labels of namespaces that outgoing traffic is allowed to. - // +operator-sdk:csv:customresourcedefinitions:order=53,type=spec,displayName="To Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" + // +operator-sdk:csv:customresourcedefinitions:order=52,type=spec,displayName="To Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" ToNamespaceLabels *map[string]string `json:"toNamespaceLabels,omitempty"` // Specify the labels of pod(s) that outgoing traffic is allowed to. - // +operator-sdk:csv:customresourcedefinitions:order=54,type=spec,displayName="To Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" + // +operator-sdk:csv:customresourcedefinitions:order=53,type=spec,displayName="To Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" ToLabels *map[string]string `json:"toLabels,omitempty"` } @@ -978,10 +974,6 @@ func (np *RuntimeComponentNetworkPolicy) IsEgressDisabled() bool { return np.DisableEgress != nil && *np.DisableEgress } -func (np *RuntimeComponentNetworkPolicy) IsDenyingOutboundTraffic() bool { - return np.DenyOutboundTraffic != nil && *np.DenyOutboundTraffic -} - // GetLabels returns labels to be added on ServiceMonitor func (m *RuntimeComponentMonitoring) GetLabels() map[string]string { return m.Labels diff --git a/bundle/manifests/rc.app.stacks_runtimecomponents.yaml b/bundle/manifests/rc.app.stacks_runtimecomponents.yaml index a0e93fe6..92fb1dc6 100644 --- a/bundle/manifests/rc.app.stacks_runtimecomponents.yaml +++ b/bundle/manifests/rc.app.stacks_runtimecomponents.yaml 
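Review bot: Dropping `DenyOutboundTraffic` from `RuntimeComponentNetworkPolicy` removes it from the CRD's structural schema, so existing objects that set `denyOutboundTraffic: true` will have the field pruned on their next write and their egress behaviour silently becomes whatever the `toLabels`/`toNamespaceLabels` defaults produce, with no signal to the owner. The same struct keeps `NamespaceLabels` as a documented deprecated field; the safer path is to keep `DenyOutboundTraffic` with a `// Deprecated: use toLabels/toNamespaceLabels instead.` comment for at least one release (or to document the migration in the release notes) rather than deleting the API field and `IsDenyingOutboundTraffic` in the same change. The renumbered `order=` markers look consistent.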
@@ -3842,10 +3842,6 @@ spec: networkPolicy: description: Defines the network policy properties: - denyOutboundTraffic: - description: Deny outbound traffic of the application pod(s). - Defaults to false. - type: boolean disable: description: Disable the creation of the network policy. Defaults to false. diff --git a/bundle/manifests/runtime-component.clusterserviceversion.yaml b/bundle/manifests/runtime-component.clusterserviceversion.yaml index 4b7573cd..82fe3a58 100644 --- a/bundle/manifests/runtime-component.clusterserviceversion.yaml +++ b/bundle/manifests/runtime-component.clusterserviceversion.yaml @@ -504,12 +504,6 @@ spec: path: networkPolicy.disableEgress x-descriptors: - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - - description: Deny outbound traffic of the application pod(s). Defaults to - false. - displayName: Deny Outbound Traffic - path: networkPolicy.denyOutboundTraffic - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - description: Deprecated. .spec.networkPolicy.fromNamespaceLabels should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels will override this. diff --git a/common/types.go b/common/types.go index e0226d09..9922d192 100644 --- a/common/types.go +++ b/common/types.go @@ -151,7 +151,6 @@ type BaseComponentNetworkPolicy interface { IsDisabled() bool IsIngressDisabled() bool IsEgressDisabled() bool - IsDenyingOutboundTraffic() bool GetToNamespaceLabels() map[string]string GetToLabels() map[string]string GetFromNamespaceLabels() map[string]string diff --git a/config/crd/bases/rc.app.stacks_runtimecomponents.yaml b/config/crd/bases/rc.app.stacks_runtimecomponents.yaml index 80707657..707f3ebc 100644 --- a/config/crd/bases/rc.app.stacks_runtimecomponents.yaml +++ b/config/crd/bases/rc.app.stacks_runtimecomponents.yaml 
@@ -3838,10 +3838,6 @@ spec: networkPolicy: description: Defines the network policy properties: - denyOutboundTraffic: - description: Deny outbound traffic of the application pod(s). - Defaults to false. - type: boolean disable: description: Disable the creation of the network policy. Defaults to false. diff --git a/config/manifests/bases/runtime-component.clusterserviceversion.yaml b/config/manifests/bases/runtime-component.clusterserviceversion.yaml index 8201f162..3a864b6b 100644 --- a/config/manifests/bases/runtime-component.clusterserviceversion.yaml +++ b/config/manifests/bases/runtime-component.clusterserviceversion.yaml @@ -438,12 +438,6 @@ spec: path: networkPolicy.disableEgress x-descriptors: - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - - description: Deny outbound traffic of the application pod(s). Defaults to - false. - displayName: Deny Outbound Traffic - path: networkPolicy.denyOutboundTraffic - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - description: Deprecated. .spec.networkPolicy.fromNamespaceLabels should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels will override this. diff --git a/internal/deploy/kubectl/runtime-component-crd.yaml b/internal/deploy/kubectl/runtime-component-crd.yaml index d44b25ca..ce4fac05 100644 --- a/internal/deploy/kubectl/runtime-component-crd.yaml +++ b/internal/deploy/kubectl/runtime-component-crd.yaml @@ -3841,10 +3841,6 @@ spec: networkPolicy: description: Defines the network policy properties: - denyOutboundTraffic: - description: Deny outbound traffic of the application pod(s). - Defaults to false. - type: boolean disable: description: Disable the creation of the network policy. Defaults to false. diff --git a/internal/deploy/kustomize/daily/base/runtime-component-crd.yaml b/internal/deploy/kustomize/daily/base/runtime-component-crd.yaml index d44b25ca..ce4fac05 100644 --- a/internal/deploy/kustomize/daily/base/runtime-component-crd.yaml 
+++ b/internal/deploy/kustomize/daily/base/runtime-component-crd.yaml @@ -3841,10 +3841,6 @@ spec: networkPolicy: description: Defines the network policy properties: - denyOutboundTraffic: - description: Deny outbound traffic of the application pod(s). - Defaults to false. - type: boolean disable: description: Disable the creation of the network policy. Defaults to false. From 2ed9450f518edb426357e4e922443dccc1d3a503 Mon Sep 17 00:00:00 2001 From: kabicin <37311900+kabicin@users.noreply.github.com> Date: Mon, 2 Jun 2025 14:18:42 -0400 Subject: [PATCH 07/19] Append network policy policyTypes in utils --- utils/utils.go | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/utils/utils.go b/utils/utils.go index 4356a8f7..1db85f3a 100644 --- a/utils/utils.go +++ b/utils/utils.go @@ -346,7 +346,9 @@ func CustomizeNetworkPolicyEgress(networkPolicy *networkingv1.NetworkPolicy, isO networkPolicy.Labels = ba.GetLabels() networkPolicy.Annotations = MergeMaps(networkPolicy.Annotations, ba.GetAnnotations()) - networkPolicy.Spec.PolicyTypes = []networkingv1.PolicyType{networkingv1.PolicyTypeEgress} + if !policyTypesContains(networkPolicy.Spec.PolicyTypes, networkingv1.PolicyTypeEgress) { + networkPolicy.Spec.PolicyTypes = append(networkPolicy.Spec.PolicyTypes, networkingv1.PolicyTypeEgress) + } networkPolicy.Spec.PodSelector = metav1.LabelSelector{ MatchLabels: map[string]string{ 
@@ -391,7 +393,9 @@ func CustomizeNetworkPolicyIngress(networkPolicy *networkingv1.NetworkPolicy, is networkPolicy.Labels = ba.GetLabels() networkPolicy.Annotations = MergeMaps(networkPolicy.Annotations, ba.GetAnnotations()) - networkPolicy.Spec.PolicyTypes = []networkingv1.PolicyType{networkingv1.PolicyTypeIngress} + if !policyTypesContains(networkPolicy.Spec.PolicyTypes, networkingv1.PolicyTypeIngress) { + networkPolicy.Spec.PolicyTypes = append(networkPolicy.Spec.PolicyTypes, networkingv1.PolicyTypeIngress) + } networkPolicy.Spec.PodSelector = metav1.LabelSelector{ MatchLabels: map[string]string{ @@ -543,6 +547,16 @@ func customizeNetworkPolicyPorts(ingress *networkingv1.NetworkPolicyIngressRule, } } +// returns true if policy is contained within the policyTypes array, false otherwise +func policyTypesContains(policyTypes []networkingv1.PolicyType, policy networkingv1.PolicyType) bool { + for _, currentPolicy := range policyTypes { + if currentPolicy == policy { + return true + } + } + return false +} + // CustomizeAffinity ... func CustomizeAffinity(affinity *corev1.Affinity, ba common.BaseComponent) { affinityConfig := ba.GetAffinity() From 274ed33890da33ae70666211e93b2469757c1eff Mon Sep 17 00:00:00 2001 From: kabicin <37311900+kabicin@users.noreply.github.com> Date: Mon, 2 Jun 2025 15:03:16 -0400 Subject: [PATCH 08/19] Update runtimecomponent_controller.go --- internal/controller/runtimecomponent_controller.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/controller/runtimecomponent_controller.go b/internal/controller/runtimecomponent_controller.go index 701fa172..04f4c6e4 100644 --- a/internal/controller/runtimecomponent_controller.go +++ b/internal/controller/runtimecomponent_controller.go 
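Review bot: The doc comment on `policyTypesContains` does not start with the function name, which is what godoc and the usual linters expect for a comment attached to a declaration; `// policyTypesContains reports whether policy is present in policyTypes.` is the conventional form. If the module targets Go 1.21 or later, the loop is `slices.Contains(policyTypes, policy)` and the helper can go. The append-if-absent calls in this commit's other hunks never remove a type, so a section that is later disabled keeps its stale type and rules in the stored object until something else clears them.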
@@ -355,7 +355,7 @@ func (r *RuntimeComponentReconciler) Reconcile(ctx context.Context, req ctrl.Req appstacksutils.CustomizeNetworkPolicyIngress(networkPolicy, r.IsOpenShift(), instance) } if np == nil || np != nil && !np.IsEgressDisabled() { - appstacksutils.CustomizeNetworkPolicyIngress(networkPolicy, r.IsOpenShift(), instance) + appstacksutils.CustomizeNetworkPolicyEgress(networkPolicy, r.IsOpenShift(), instance) } return nil }) From acfaa5a7b1aeab38d5f39205800c665f06c1088b Mon Sep 17 00:00:00 2001 From: kabicin <37311900+kabicin@users.noreply.github.com> Date: Mon, 2 Jun 2025 15:51:25 -0400 Subject: [PATCH 09/19] Create CustomizeNetworkPolicy helper --- api/v1/zz_generated.deepcopy.go | 43 +++++++++++++ .../controller/runtimecomponent_controller.go | 7 +-- utils/utils.go | 61 +++++++++++-------- 3 files changed, 81 insertions(+), 30 deletions(-) diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go index 921a97e3..472e5478 100644 --- a/api/v1/zz_generated.deepcopy.go +++ b/api/v1/zz_generated.deepcopy.go @@ -286,6 +286,16 @@ func (in *RuntimeComponentNetworkPolicy) DeepCopyInto(out *RuntimeComponentNetwo *out = new(bool) **out = **in } + if in.DisableIngress != nil { + in, out := &in.DisableIngress, &out.DisableIngress + *out = new(bool) + **out = **in + } + if in.DisableEgress != nil { + in, out := &in.DisableEgress, &out.DisableEgress + *out = new(bool) + **out = **in + } if in.NamespaceLabels != nil { in, out := &in.NamespaceLabels, &out.NamespaceLabels *out = new(map[string]string) 
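Review bot: The guard around the corrected call, `np == nil || np != nil && !np.IsEgressDisabled()`, carries a redundant `np != nil` (the right operand is only evaluated when `np == nil` is false) and relies on `&&` binding tighter than `||`, which makes the fix harder to read than it needs to be; `if np == nil || !np.IsEgressDisabled() {` says the same thing, and the ingress guard two lines up has the same shape. `Reconcile` starts outside the hunk.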
@@ -297,6 +307,17 @@ func (in *RuntimeComponentNetworkPolicy) DeepCopyInto(out *RuntimeComponentNetwo } } } + if in.FromNamespaceLabels != nil { + in, out := &in.FromNamespaceLabels, &out.FromNamespaceLabels + *out = new(map[string]string) + if **in != nil { + in, out := *in, *out + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + } if in.FromLabels != nil { in, out := &in.FromLabels, &out.FromLabels *out = new(map[string]string) @@ -308,6 +329,28 @@ func (in *RuntimeComponentNetworkPolicy) DeepCopyInto(out *RuntimeComponentNetwo } } } + if in.ToNamespaceLabels != nil { + in, out := &in.ToNamespaceLabels, &out.ToNamespaceLabels + *out = new(map[string]string) + if **in != nil { + in, out := *in, *out + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + } + if in.ToLabels != nil { + in, out := &in.ToLabels, &out.ToLabels + *out = new(map[string]string) + if **in != nil { + in, out := *in, *out + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuntimeComponentNetworkPolicy. diff --git a/internal/controller/runtimecomponent_controller.go b/internal/controller/runtimecomponent_controller.go index 04f4c6e4..59c0546a 100644 --- a/internal/controller/runtimecomponent_controller.go +++ b/internal/controller/runtimecomponent_controller.go 
@@ -351,12 +351,7 @@ func (r *RuntimeComponentReconciler) Reconcile(ctx context.Context, req ctrl.Req networkPolicy := &networkingv1.NetworkPolicy{ObjectMeta: defaultMeta} if np := instance.Spec.NetworkPolicy; np == nil || np != nil && !np.IsDisabled() { err = r.CreateOrUpdate(networkPolicy, instance, func() error { - if np == nil || np != nil && !np.IsIngressDisabled() { - appstacksutils.CustomizeNetworkPolicyIngress(networkPolicy, r.IsOpenShift(), instance) - } - if np == nil || np != nil && !np.IsEgressDisabled() { - appstacksutils.CustomizeNetworkPolicyEgress(networkPolicy, r.IsOpenShift(), instance) - } + appstacksutils.CustomizeNetworkPolicy(networkPolicy, r.IsOpenShift(), instance) return nil }) if err != nil { diff --git a/utils/utils.go b/utils/utils.go index 1db85f3a..26b7c8fb 100644 --- a/utils/utils.go +++ b/utils/utils.go 
@@ -340,24 +340,11 @@ func customizeProbeDefaults(config *corev1.Probe, defaultProbe *corev1.Probe) *c return probe } -// CustomizeNetworkPolicyEgress configures the network policy for outgoing traffic to other Pod(s) -func CustomizeNetworkPolicyEgress(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, ba common.BaseComponent) { - obj := ba.(metav1.Object) - networkPolicy.Labels = ba.GetLabels() - networkPolicy.Annotations = MergeMaps(networkPolicy.Annotations, ba.GetAnnotations()) - - if !policyTypesContains(networkPolicy.Spec.PolicyTypes, networkingv1.PolicyTypeEgress) { - networkPolicy.Spec.PolicyTypes = append(networkPolicy.Spec.PolicyTypes, networkingv1.PolicyTypeEgress) - } - - networkPolicy.Spec.PodSelector = metav1.LabelSelector{ - MatchLabels: map[string]string{ - common.GetComponentNameLabel(ba): obj.GetName(), - }, - } - +// createNetworkPolicyEgressRules returns the network policy rules for outgoing traffic to other Pod(s) +func createNetworkPolicyEgressRules(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, ba common.BaseComponent) []networkingv1.NetworkPolicyEgressRule { config := ba.GetNetworkPolicy() var rule networkingv1.NetworkPolicyEgressRule + if config != nil && config.GetToNamespaceLabels() != nil && len(config.GetToNamespaceLabels()) == 0 && config.GetToLabels() != nil && len(config.GetToLabels()) == 0 { rule = createAllowAllNetworkPolicyEgressRule() @@ -365,7 +352,7 @@ func CustomizeNetworkPolicyEgress(networkPolicy *networkingv1.NetworkPolicy, isO rule = createNetworkPolicyEgressRule(ba.GetApplicationName(), networkPolicy.Namespace, config) } - networkPolicy.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{rule} + return []networkingv1.NetworkPolicyEgressRule{rule} } func createNetworkPolicyEgressRule(appName string, namespace string, config common.BaseComponentNetworkPolicy) networkingv1.NetworkPolicyEgressRule { 
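Review bot: `createNetworkPolicyEgressRules` takes `networkPolicy *networkingv1.NetworkPolicy` and `isOpenShift bool` but, as far as the hunks show, only reads `networkPolicy.Namespace` and never uses `isOpenShift`; since the function is new and unexported, a signature of `(namespace string, ba common.BaseComponent)` states its actual inputs and keeps the mutable policy object out of a pure builder. The new function also has no comment explaining that an explicitly empty `toNamespaceLabels` and `toLabels` pair means allow-all egress while unset means the app-pod peer; a one-line comment on the `if` would save the next reader from re-deriving it.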
@@ -387,22 +374,48 @@ func createAllowAllNetworkPolicyEgressRule() networkingv1.NetworkPolicyEgressRul } } -// CustomizeNetworkPolicyIngress configures the network policy for incoming traffic from other Pod(s) -func CustomizeNetworkPolicyIngress(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, ba common.BaseComponent) { +func CustomizeNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, ba common.BaseComponent) { obj := ba.(metav1.Object) networkPolicy.Labels = ba.GetLabels() networkPolicy.Annotations = MergeMaps(networkPolicy.Annotations, ba.GetAnnotations()) - if !policyTypesContains(networkPolicy.Spec.PolicyTypes, networkingv1.PolicyTypeIngress) { - networkPolicy.Spec.PolicyTypes = append(networkPolicy.Spec.PolicyTypes, networkingv1.PolicyTypeIngress) - } - networkPolicy.Spec.PodSelector = metav1.LabelSelector{ MatchLabels: map[string]string{ common.GetComponentNameLabel(ba): obj.GetName(), }, } + ingressDisabled := ba.GetNetworkPolicy() != nil && ba.GetNetworkPolicy().IsIngressDisabled() + hasIngressPolicy := policyTypesContains(networkPolicy.Spec.PolicyTypes, networkingv1.PolicyTypeIngress) + if ingressDisabled { + if hasIngressPolicy { + networkPolicy.Spec.PolicyTypes = networkPolicy.Spec.PolicyTypes[1:] // remove the first element + } + networkPolicy.Spec.Ingress = []networkingv1.NetworkPolicyIngressRule{} + } else { + if !hasIngressPolicy { + networkPolicy.Spec.PolicyTypes = append(networkPolicy.Spec.PolicyTypes, networkingv1.PolicyTypeIngress) + } + networkPolicy.Spec.Ingress = createNetworkPolicyIngressRules(networkPolicy, isOpenShift, ba) + } + + egressDisabled := ba.GetNetworkPolicy() != nil && ba.GetNetworkPolicy().IsEgressDisabled() + hasEgressPolicy := policyTypesContains(networkPolicy.Spec.PolicyTypes, networkingv1.PolicyTypeEgress) + if egressDisabled { + if hasEgressPolicy { + networkPolicy.Spec.PolicyTypes = networkPolicy.Spec.PolicyTypes[:len(networkPolicy.Spec.PolicyTypes)-1] // remove the last element + } + 
networkPolicy.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{} + } else { + if !hasEgressPolicy { + networkPolicy.Spec.PolicyTypes = append(networkPolicy.Spec.PolicyTypes, networkingv1.PolicyTypeEgress) + } + networkPolicy.Spec.Egress = createNetworkPolicyEgressRules(networkPolicy, isOpenShift, ba) + } +} + +// createNetworkPolicyIngressRules returns the network policy rules for incoming traffic from other Pod(s) +func createNetworkPolicyIngressRules(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, ba common.BaseComponent) []networkingv1.NetworkPolicyIngressRule { config := ba.GetNetworkPolicy() isExposed := ba.GetExpose() != nil && *ba.GetExpose() var rule networkingv1.NetworkPolicyIngressRule @@ -417,7 +430,7 @@ func CustomizeNetworkPolicyIngress(networkPolicy *networkingv1.NetworkPolicy, is } customizeNetworkPolicyPorts(&rule, ba) - networkPolicy.Spec.Ingress = []networkingv1.NetworkPolicyIngressRule{rule} + return []networkingv1.NetworkPolicyIngressRule{rule} } func createOpenShiftNetworkPolicyIngressRule(appName string, namespace string, isExposed bool, config common.BaseComponentNetworkPolicy) networkingv1.NetworkPolicyIngressRule { From 584486d6638398cdd735009a075c9e71e2a25b53 Mon Sep 17 00:00:00 2001 From: kabicin <37311900+kabicin@users.noreply.github.com> Date: Mon, 2 Jun 2025 16:15:29 -0400 Subject: [PATCH 10/19] Update utils.go --- utils/utils.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/utils/utils.go b/utils/utils.go index 26b7c8fb..9a74e5a9 100644 --- a/utils/utils.go +++ b/utils/utils.go 
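Review bot: Removing a policy type by position in `CustomizeNetworkPolicy`, `networkPolicy.Spec.PolicyTypes[1:]` for Ingress and `[:len(networkPolicy.Spec.PolicyTypes)-1]` for Egress, assumes Ingress is always first and Egress always last, but `PolicyTypes` is read back from the stored object and this function appends in whichever order the enabled sections arrive (egress enabled while ingress is disabled yields `[Egress]`, re-enabling ingress then yields `[Egress, Ingress]`). On the next reconcile with ingress disabled, `[1:]` drops `Egress` and keeps `Ingress` next to an empty `Ingress` rule list, which is a deny-all ingress policy for the app's pods while egress becomes unrestricted. The same positional `[:len-1]` is repeated in a later commit's `egressConfigured` branch. Filtering by value fixes both; with Go 1.21+ `slices.DeleteFunc` does it, otherwise a small helper replaces the two slicing lines and makes the `hasIngressPolicy`/`hasEgressPolicy` wrappers unnecessary:
```go
// removePolicyType returns policyTypes without any occurrence of policy.
func removePolicyType(policyTypes []networkingv1.PolicyType, policy networkingv1.PolicyType) []networkingv1.PolicyType {
	kept := policyTypes[:0]
	for _, t := range policyTypes {
		if t != policy {
			kept = append(kept, t)
		}
	}
	return kept
}

// … unchanged: label, annotation and pod-selector setup in CustomizeNetworkPolicy …
networkPolicy.Spec.PolicyTypes = removePolicyType(networkPolicy.Spec.PolicyTypes, networkingv1.PolicyTypeIngress)
// … unchanged: egress branch, with the same call for networkingv1.PolicyTypeEgress …
```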
@@ -345,8 +345,8 @@ func createNetworkPolicyEgressRules(networkPolicy *networkingv1.NetworkPolicy, i config := ba.GetNetworkPolicy() var rule networkingv1.NetworkPolicyEgressRule - if config != nil && config.GetToNamespaceLabels() != nil && len(config.GetToNamespaceLabels()) == 0 && - config.GetToLabels() != nil && len(config.GetToLabels()) == 0 { + if config == nil || ((config.GetToNamespaceLabels() == nil || (config.GetToNamespaceLabels() != nil && len(config.GetToNamespaceLabels()) == 0)) && + (config.GetToLabels() == nil || (config.GetToLabels() != nil && len(config.GetToLabels()) == 0))) { rule = createAllowAllNetworkPolicyEgressRule() } else { rule = createNetworkPolicyEgressRule(ba.GetApplicationName(), networkPolicy.Namespace, config) From 8f628ab46c90eaf29da64dfbbb876f5b073ae91b Mon Sep 17 00:00:00 2001 From: kabicin <37311900+kabicin@users.noreply.github.com> Date: Mon, 2 Jun 2025 16:48:54 -0400 Subject: [PATCH 11/19] Update utils.go --- utils/utils.go | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/utils/utils.go b/utils/utils.go index 9a74e5a9..48cf03c2 100644 --- a/utils/utils.go +++ b/utils/utils.go @@ -345,8 +345,8 @@ func createNetworkPolicyEgressRules(networkPolicy *networkingv1.NetworkPolicy, i config := ba.GetNetworkPolicy() var rule networkingv1.NetworkPolicyEgressRule - if config == nil || ((config.GetToNamespaceLabels() == nil || (config.GetToNamespaceLabels() != nil && len(config.GetToNamespaceLabels()) == 0)) && - (config.GetToLabels() == nil || (config.GetToLabels() != nil && len(config.GetToLabels()) == 0))) { + if config == nil || ((config.GetToNamespaceLabels() != nil && len(config.GetToNamespaceLabels()) == 0) && + (config.GetToLabels() != nil && len(config.GetToLabels()) == 0)) { rule = createAllowAllNetworkPolicyEgressRule() } else { rule = createNetworkPolicyEgressRule(ba.GetApplicationName(), networkPolicy.Namespace, config) 
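Review bot: The allow-all condition in `createNetworkPolicyEgressRules` calls each getter twice and folds an unstated convention (nil map means unset, empty non-nil map means "allow everything") into one long boolean. An early `if config == nil { rule = createAllowAllNetworkPolicyEgressRule() }`, then `toNamespaces, toPods := config.GetToNamespaceLabels(), config.GetToLabels()` and a test of `toNamespaces != nil && len(toNamespaces) == 0 && toPods != nil && len(toPods) == 0`, keeps the intent visible, and a comment such as `// explicitly empty toNamespaceLabels and toLabels means allow all egress; nil means the selector was not set` belongs above it. `createNetworkPolicyEgressRules` starts outside the hunk.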
@@ -367,11 +367,7 @@ func createNetworkPolicyEgressRule(appName string, namespace string, config comm } func createAllowAllNetworkPolicyEgressRule() networkingv1.NetworkPolicyEgressRule { - return networkingv1.NetworkPolicyEgressRule{ - To: []networkingv1.NetworkPolicyPeer{{ - NamespaceSelector: &metav1.LabelSelector{}, - }}, - } + return networkingv1.NetworkPolicyEgressRule{} // allow all egress } func CustomizeNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, ba common.BaseComponent) { @@ -407,10 +403,19 @@ func CustomizeNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, isOpenShi } networkPolicy.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{} } else { - if !hasEgressPolicy { - networkPolicy.Spec.PolicyTypes = append(networkPolicy.Spec.PolicyTypes, networkingv1.PolicyTypeEgress) + egressConfigured := ba.GetNetworkPolicy() != nil && (ba.GetNetworkPolicy().GetToLabels() != nil || ba.GetNetworkPolicy().GetToNamespaceLabels() != nil) + if egressConfigured { + if !hasEgressPolicy { + networkPolicy.Spec.PolicyTypes = append(networkPolicy.Spec.PolicyTypes, networkingv1.PolicyTypeEgress) + } + networkPolicy.Spec.Egress = createNetworkPolicyEgressRules(networkPolicy, isOpenShift, ba) + } else { + // if egress is not configured, consider the network policy disabled + if hasEgressPolicy { + networkPolicy.Spec.PolicyTypes = networkPolicy.Spec.PolicyTypes[:len(networkPolicy.Spec.PolicyTypes)-1] // remove the last element + } + networkPolicy.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{} } - networkPolicy.Spec.Egress = createNetworkPolicyEgressRules(networkPolicy, isOpenShift, ba) } } From dc0297b29d3f41167c46283f50be474173999aaa Mon Sep 17 00:00:00 2001 From: kabicin <37311900+kabicin@users.noreply.github.com> Date: Mon, 2 Jun 2025 17:15:15 -0400 Subject: [PATCH 12/19] Update utils.go --- utils/utils.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/utils.go b/utils/utils.go index 48cf03c2..61bb979c 100644 
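Review bot: The comment `// if egress is not configured, consider the network policy disabled` in the new `egressConfigured` else-branch describes only half of the effect: dropping the Egress policy type leaves egress unrestricted, whereas keeping the type with an empty rule list would deny all egress, and the comment should say which outcome is intended, e.g. `// no toLabels/toNamespaceLabels: leave egress unrestricted by dropping the Egress policy type (an empty rule list with the type present would deny all egress)`. `ba.GetNetworkPolicy()` is also called three times in the new condition; a single `np := ba.GetNetworkPolicy()` at the top of `CustomizeNetworkPolicy` would serve `ingressDisabled`, `egressDisabled` and `egressConfigured`. The positional `[:len-1]` removal reused here shares the ordering problem raised on the earlier `CustomizeNetworkPolicy` hunk. `CustomizeNetworkPolicy` starts outside the hunk.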
--- a/utils/utils.go +++ b/utils/utils.go @@ -360,7 +360,7 @@ func createNetworkPolicyEgressRule(appName string, namespace string, config comm if config != nil { rule.To = append(rule.To, // Add peer to allow traffic to other pods belonging to the app - createNetworkPolicyPeer(appName, namespace, config, config.GetFromNamespaceLabels, config.GetFromLabels), + createNetworkPolicyPeer(appName, namespace, config, config.GetToNamespaceLabels, config.GetToLabels), ) } return rule From 0b5485e00340d31dac8c34911de9fecfc0fad2dd Mon Sep 17 00:00:00 2001 From: kabicin <37311900+kabicin@users.noreply.github.com> Date: Mon, 2 Jun 2025 17:50:54 -0400 Subject: [PATCH 13/19] Update utils.go --- utils/utils.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/utils/utils.go b/utils/utils.go index 61bb979c..8c8d32de 100644 --- a/utils/utils.go +++ b/utils/utils.go @@ -367,7 +367,11 @@ func createNetworkPolicyEgressRule(appName string, namespace string, config comm } func createAllowAllNetworkPolicyEgressRule() networkingv1.NetworkPolicyEgressRule { - return networkingv1.NetworkPolicyEgressRule{} // allow all egress + return networkingv1.NetworkPolicyEgressRule{ + To: []networkingv1.NetworkPolicyPeer{{ + NamespaceSelector: &metav1.LabelSelector{}, + }}, + } } func CustomizeNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, ba common.BaseComponent) { From 730f7778cde07fb9c3247b755eb04007cef311b4 Mon Sep 17 00:00:00 2001 From: kabicin <37311900+kabicin@users.noreply.github.com> Date: Tue, 3 Jun 2025 15:32:17 -0400 Subject: [PATCH 14/19] Use getters for retrieving network policy labels --- utils/utils.go | 41 ++++++++++++++++++++++++++++++----------- 1 file changed, 30 insertions(+), 11 deletions(-) diff --git a/utils/utils.go b/utils/utils.go index 8c8d32de..ca77a511 100644 --- a/utils/utils.go +++ b/utils/utils.go 
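Review bot: `createAllowAllNetworkPolicyEgressRule` now returns a peer with only an empty `NamespaceSelector`, which selects pods in every namespace but not cluster-external destinations (a peer without `ipBlock` never matches addresses outside the pod network), so an application whose spec asks for allow-all egress can still be cut off from external databases or APIs; the empty `NetworkPolicyEgressRule{}` from the previous commit is the form Kubernetes treats as "all destinations". If the narrower behaviour is deliberate, the helper's name and a comment should say so, e.g. `// allow egress to every pod in every namespace (cluster-external endpoints are not covered)`.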
@@ -360,7 +360,7 @@ func createNetworkPolicyEgressRule(appName string, namespace string, config comm if config != nil { rule.To = append(rule.To, // Add peer to allow traffic to other pods belonging to the app - createNetworkPolicyPeer(appName, namespace, config, config.GetToNamespaceLabels, config.GetToLabels), + createNetworkPolicyPeer(appName, namespace, config, getNetworkPolicyEgressLabelGetters), ) } return rule @@ -466,14 +466,9 @@ func createOpenShiftNetworkPolicyIngressRule(appName string, namespace string, i ) } - if config != nil { - rule.From = append(rule.From, - // Add peer to allow traffic from other pods belonging to the app - createNetworkPolicyPeer(appName, namespace, config, config.GetFromNamespaceLabels, config.GetFromLabels), - ) - } - // default to allow traffic from OpenShift monitoring rule.From = append(rule.From, + // Add peer to allow traffic from other pods belonging to the app + createNetworkPolicyPeer(appName, namespace, config, getNetworkPolicyIngressLabelGetters), // Add peer to allow traffic from OpenShift monitoring networkingv1.NetworkPolicyPeer{ NamespaceSelector: &metav1.LabelSelector{ @@ -494,7 +489,7 @@ func createKubernetesNetworkPolicyIngressRule(appName string, namespace string, rule := networkingv1.NetworkPolicyIngressRule{} rule.From = []networkingv1.NetworkPolicyPeer{ - createNetworkPolicyPeer(appName, namespace, config, config.GetFromNamespaceLabels, config.GetFromLabels), + createNetworkPolicyPeer(appName, namespace, config, getNetworkPolicyIngressLabelGetters), } return rule } 
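Review bot: The egress hunk keeps the `if config != nil` guard around `createNetworkPolicyPeer` while the two ingress hunks drop theirs now that `getNetworkPolicyIngressLabelGetters` tolerates a nil config, so the three call sites no longer agree on what a nil config means: ingress falls back to the app-pod peer, egress produces an empty `To`, which Kubernetes reads as allow-all. `createNetworkPolicyEgressRules` already routes a nil config to the allow-all rule, so the guard is dead in the current flow but a silent widening for any future caller; dropping it, `rule.To = append(rule.To, createNetworkPolicyPeer(appName, namespace, config, getNetworkPolicyEgressLabelGetters))`, gives all three sites the same fallback. `createNetworkPolicyEgressRule` and `createOpenShiftNetworkPolicyIngressRule` start outside their hunks.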
@@ -507,12 +502,12 @@ func createAllowAllNetworkPolicyIngressRule() networkingv1.NetworkPolicyIngressR } } -func createNetworkPolicyPeer(appName string, namespace string, networkPolicy common.BaseComponentNetworkPolicy, getNamespaceLabels func() map[string]string, getLabels func() map[string]string) networkingv1.NetworkPolicyPeer { +func createNetworkPolicyPeer(appName string, namespace string, networkPolicy common.BaseComponentNetworkPolicy, getNetworkPolicyLabelGetters func(common.BaseComponentNetworkPolicy) (func() map[string]string, func() map[string]string)) networkingv1.NetworkPolicyPeer { peer := networkingv1.NetworkPolicyPeer{ NamespaceSelector: &metav1.LabelSelector{}, PodSelector: &metav1.LabelSelector{}, } - + getNamespaceLabels, getLabels := getNetworkPolicyLabelGetters(networkPolicy) if networkPolicy == nil || getNamespaceLabels() == nil { peer.NamespaceSelector.MatchLabels = map[string]string{ "kubernetes.io/metadata.name": namespace, 
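Review bot: `createNetworkPolicyPeer` now takes a function that returns two functions, which is a lot of indirection for what the body needs: two label maps. Passing the maps directly, `createNetworkPolicyPeer(appName, namespace string, namespaceLabels, podLabels map[string]string)`, lets each caller choose the `GetFrom*`/`GetTo*` pair with its nil-config check in one place, removes the `networkPolicy` parameter that is now used only for `== nil` tests, and leaves the nil-map fallback as the only condition to read. If the signature is kept, the new parameter needs a comment stating that the returned getters may be nil only when `networkPolicy` is nil, because the body calls `getNamespaceLabels()` unguarded after that short-circuit. The pod-label branch of the function ends outside the hunk.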
@@ -569,6 +564,30 @@ func customizeNetworkPolicyPorts(ingress *networkingv1.NetworkPolicyIngressRule, } } +func getNetworkPolicyIngressLabelGetters(config common.BaseComponentNetworkPolicy) (func() map[string]string, func() map[string]string) { + var getNamespaceLabels, getLabels func() map[string]string + if config != nil { + getNamespaceLabels = config.GetFromNamespaceLabels + getLabels = config.GetFromLabels + } else { + getNamespaceLabels = nil + getLabels = nil + } + return getNamespaceLabels, getLabels +} + +func getNetworkPolicyEgressLabelGetters(config common.BaseComponentNetworkPolicy) (func() map[string]string, func() map[string]string) { + var getNamespaceLabels, getLabels func() map[string]string + if config != nil { + getNamespaceLabels = config.GetToNamespaceLabels + getLabels = config.GetToLabels + } else { + getNamespaceLabels = nil + getLabels = nil + } + return getNamespaceLabels, getLabels +} + // returns true if policy is contained within the policyTypes array, false otherwise func policyTypesContains(policyTypes []networkingv1.PolicyType, policy networkingv1.PolicyType) bool { for _, currentPolicy := range policyTypes { From 80613c6431f447e6ab0cd4c225deffdc84bedd39 Mon Sep 17 00:00:00 2001 From: kabicin <37311900+kabicin@users.noreply.github.com> Date: Fri, 6 Jun 2025 16:01:23 -0400 Subject: [PATCH 15/19] Add bypass deny all egress flag --- api/v1/runtimecomponent_types.go | 18 ++-- api/v1/zz_generated.deepcopy.go | 5 ++ .../rc.app.stacks_runtimecomponents.yaml | 4 + common/types.go | 1 + .../rc.app.stacks_runtimecomponents.yaml | 4 + ...ntime-component.clusterserviceversion.yaml | 6 ++ .../controller/runtimecomponent_controller.go | 40 ++++++++- .../deploy/kubectl/runtime-component-crd.yaml | 4 + .../daily/base/runtime-component-crd.yaml | 4 + utils/utils.go | 86 +++++++++++++++++-- 10 files changed, 160 insertions(+), 12 deletions(-) 
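Review bot: The `else` branches in getNetworkPolicyIngressLabelGetters and getNetworkPolicyEgressLabelGetters assign nil to variables that `var` already zero-initialised, so each body collapses to a guard plus a return: `if config == nil { return nil, nil }` followed by `return config.GetFromNamespaceLabels, config.GetFromLabels` (the `To` pair for the egress variant). Both helpers are undocumented, and createNetworkPolicyPeer relies on the nil case; a one-line comment such as `// getNetworkPolicyIngressLabelGetters returns the namespace- and pod-label getters used to select ingress peers; both are nil when config is nil.` makes that contract explicit for its caller.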
diff --git a/api/v1/runtimecomponent_types.go b/api/v1/runtimecomponent_types.go index 1f7bacc4..ce883e0a 100644 --- a/api/v1/runtimecomponent_types.go +++ b/api/v1/runtimecomponent_types.go 
@@ -336,24 +336,28 @@ type RuntimeComponentNetworkPolicy struct { // +operator-sdk:csv:customresourcedefinitions:order=48,type=spec,displayName="Disable Egress",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch" DisableEgress *bool `json:"disableEgress,omitempty"` + // Bypasses deny all egress rules to allow API server and DNS access. Defaults to false. + // +operator-sdk:csv:customresourcedefinitions:order=49,type=spec,displayName="Bypass Deny All Egress",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch" + BypassDenyAllEgress *bool `json:"bypassDenyAllEgress,omitempty"` + // Deprecated. .spec.networkPolicy.fromNamespaceLabels should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels will override this. - // +operator-sdk:csv:customresourcedefinitions:order=49,type=spec,displayName="Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" + // +operator-sdk:csv:customresourcedefinitions:order=50,type=spec,displayName="Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" NamespaceLabels *map[string]string `json:"namespaceLabels,omitempty"` // Specify the labels of namespaces that incoming traffic is allowed from. - // +operator-sdk:csv:customresourcedefinitions:order=50,type=spec,displayName="From Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" + // +operator-sdk:csv:customresourcedefinitions:order=51,type=spec,displayName="From Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" FromNamespaceLabels *map[string]string `json:"fromNamespaceLabels,omitempty"` // Specify the labels of pod(s) that incoming traffic is allowed from. 
- // +operator-sdk:csv:customresourcedefinitions:order=51,type=spec,displayName="From Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" + // +operator-sdk:csv:customresourcedefinitions:order=52,type=spec,displayName="From Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" FromLabels *map[string]string `json:"fromLabels,omitempty"` // Specify the labels of namespaces that outgoing traffic is allowed to. - // +operator-sdk:csv:customresourcedefinitions:order=52,type=spec,displayName="To Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" + // +operator-sdk:csv:customresourcedefinitions:order=53,type=spec,displayName="To Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" ToNamespaceLabels *map[string]string `json:"toNamespaceLabels,omitempty"` // Specify the labels of pod(s) that outgoing traffic is allowed to. - // +operator-sdk:csv:customresourcedefinitions:order=53,type=spec,displayName="To Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" + // +operator-sdk:csv:customresourcedefinitions:order=54,type=spec,displayName="To Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" ToLabels *map[string]string `json:"toLabels,omitempty"` } @@ -974,6 +978,10 @@ func (np *RuntimeComponentNetworkPolicy) IsEgressDisabled() bool { return np.DisableEgress != nil && *np.DisableEgress } +func (np *RuntimeComponentNetworkPolicy) IsBypassingDenyAllEgress() bool { + return np.BypassDenyAllEgress != nil && *np.BypassDenyAllEgress +} + // GetLabels returns labels to be added on ServiceMonitor func (m *RuntimeComponentMonitoring) GetLabels() map[string]string { return m.Labels diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go index 472e5478..2eaf5456 100644 --- a/api/v1/zz_generated.deepcopy.go +++ b/api/v1/zz_generated.deepcopy.go 
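Review bot: The field comment `// Bypasses deny all egress rules to allow API server and DNS access. Defaults to false.` does not say what happens when the operator cannot read the DNS or `kubernetes` Endpoints; in createEgressBypass later in this series that case appends an empty `NetworkPolicyEgressRule{}`, which is allow-all egress, so a user enabling the flag to harden a workload can silently end up with an unrestricted policy. Suggest extending the comment with `// If the cluster DNS or API server endpoints cannot be resolved, a permissive allow-all egress rule is generated instead.` and carrying the same sentence into the regenerated CRD and CSV descriptions. The `IsBypassingDenyAllEgress` accessor in the second hunk is exported without a doc comment; `// IsBypassingDenyAllEgress reports whether bypassDenyAllEgress is explicitly set to true.` would match the method's nil-pointer handling.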
@@ -296,6 +296,11 @@ func (in *RuntimeComponentNetworkPolicy) DeepCopyInto(out *RuntimeComponentNetwo *out = new(bool) **out = **in } + if in.BypassDenyAllEgress != nil { + in, out := &in.BypassDenyAllEgress, &out.BypassDenyAllEgress + *out = new(bool) + **out = **in + } if in.NamespaceLabels != nil { in, out := &in.NamespaceLabels, &out.NamespaceLabels *out = new(map[string]string) diff --git a/bundle/manifests/rc.app.stacks_runtimecomponents.yaml b/bundle/manifests/rc.app.stacks_runtimecomponents.yaml index 92fb1dc6..2c42d852 100644 --- a/bundle/manifests/rc.app.stacks_runtimecomponents.yaml +++ b/bundle/manifests/rc.app.stacks_runtimecomponents.yaml @@ -3842,6 +3842,10 @@ spec: networkPolicy: description: Defines the network policy properties: + bypassDenyAllEgress: + description: Bypasses deny all egress rules to allow API server + and DNS access. Defaults to false. + type: boolean disable: description: Disable the creation of the network policy. Defaults to false. diff --git a/common/types.go b/common/types.go index 9922d192..af270e8a 100644 --- a/common/types.go +++ b/common/types.go @@ -151,6 +151,7 @@ type BaseComponentNetworkPolicy interface { IsDisabled() bool IsIngressDisabled() bool IsEgressDisabled() bool + IsBypassingDenyAllEgress() bool GetToNamespaceLabels() map[string]string GetToLabels() map[string]string GetFromNamespaceLabels() map[string]string diff --git a/config/crd/bases/rc.app.stacks_runtimecomponents.yaml b/config/crd/bases/rc.app.stacks_runtimecomponents.yaml index 707f3ebc..682c99a2 100644 --- a/config/crd/bases/rc.app.stacks_runtimecomponents.yaml +++ b/config/crd/bases/rc.app.stacks_runtimecomponents.yaml @@ -3838,6 +3838,10 @@ spec: networkPolicy: description: Defines the network policy properties: + bypassDenyAllEgress: + description: Bypasses deny all egress rules to allow API server + and DNS access. Defaults to false. + type: boolean disable: description: Disable the creation of the network policy. Defaults to false. 
diff --git a/config/manifests/bases/runtime-component.clusterserviceversion.yaml b/config/manifests/bases/runtime-component.clusterserviceversion.yaml index 3a864b6b..45df055c 100644 --- a/config/manifests/bases/runtime-component.clusterserviceversion.yaml +++ b/config/manifests/bases/runtime-component.clusterserviceversion.yaml @@ -438,6 +438,12 @@ spec: path: networkPolicy.disableEgress x-descriptors: - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Bypasses deny all egress rules to allow API server and DNS access. + Defaults to false. + displayName: Bypass Deny All Egress + path: networkPolicy.bypassDenyAllEgress + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - description: Deprecated. .spec.networkPolicy.fromNamespaceLabels should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels will override this. diff --git a/internal/controller/runtimecomponent_controller.go b/internal/controller/runtimecomponent_controller.go index 59c0546a..6656fa4d 100644 --- a/internal/controller/runtimecomponent_controller.go +++ b/internal/controller/runtimecomponent_controller.go @@ -23,6 +23,7 @@ import ( "strings" "github.com/application-stacks/runtime-component-operator/common" + "github.com/application-stacks/runtime-component-operator/utils" "github.com/pkg/errors" kcontroller "sigs.k8s.io/controller-runtime/pkg/controller" @@ -351,7 +352,7 @@ func (r *RuntimeComponentReconciler) Reconcile(ctx context.Context, req ctrl.Req networkPolicy := &networkingv1.NetworkPolicy{ObjectMeta: defaultMeta} if np := instance.Spec.NetworkPolicy; np == nil || np != nil && !np.IsDisabled() { err = r.CreateOrUpdate(networkPolicy, instance, func() error { - appstacksutils.CustomizeNetworkPolicy(networkPolicy, r.IsOpenShift(), instance) + appstacksutils.CustomizeNetworkPolicy(networkPolicy, r.IsOpenShift(), r.getDNSEgressRule, r.getEndpoints, instance) return nil }) if err != nil { 
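Review bot: The new import `"github.com/application-stacks/runtime-component-operator/utils"` lands in a file that already calls `appstacksutils.CustomizeNetworkPolicy`; if `appstacksutils` is an alias for that same package (its declaration is outside this hunk), the file now imports one package under two names, and `utils.GetEndpointPortByName` / `utils.CreateNetworkPolicyPortFromEndpointPort` should be called through the existing alias instead. Go accepts the duplicate import, but it reads as two distinct packages and goimports will not reconcile it. The import block continues outside the hunk.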
@@ -560,6 +561,43 @@ func (r *RuntimeComponentReconciler) Reconcile(ctx context.Context, req ctrl.Req return r.ManageSuccess(common.StatusConditionTypeReconciled, instance) } +func (r *RuntimeComponentReconciler) getEndpoints(serviceName string, namespace string) (*corev1.Endpoints, error) { + endpoints := &corev1.Endpoints{} + if err := r.GetClient().Get(context.TODO(), types.NamespacedName{Name: serviceName, Namespace: namespace}, endpoints); err != nil { + return nil, err + } else { + return endpoints, nil + } +} + +func (r *RuntimeComponentReconciler) getDNSEgressRule(endpointsName string, endpointsNamespace string) (bool, networkingv1.NetworkPolicyEgressRule) { + dnsRule := networkingv1.NetworkPolicyEgressRule{} + if dnsEndpoints, err := r.getEndpoints(endpointsName, endpointsNamespace); err == nil { + if len(dnsEndpoints.Subsets) > 0 { + if endpointPort := utils.GetEndpointPortByName(&dnsEndpoints.Subsets[0].Ports, "dns"); endpointPort != nil { + dnsRule.Ports = append(dnsRule.Ports, utils.CreateNetworkPolicyPortFromEndpointPort(endpointPort)) + } + if endpointPort := utils.GetEndpointPortByName(&dnsEndpoints.Subsets[0].Ports, "dns-tcp"); endpointPort != nil { + dnsRule.Ports = append(dnsRule.Ports, utils.CreateNetworkPolicyPortFromEndpointPort(endpointPort)) + } + } + peer := networkingv1.NetworkPolicyPeer{} + peer.NamespaceSelector = &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "kubernetes.io/metadata.name": endpointsNamespace, + }, + } + dnsRule.To = append(dnsRule.To, peer) + // reqLogger.Info("Found endpoints for " + endpointsName + " service in the " + endpointsNamespace + " namespace") + return false, dnsRule + } + // use permissive rule + // egress: + // - {} + // reqLogger.Info("Failed to retrieve endpoints for " + endpointsName + " service in the " + endpointsNamespace + " namespace. 
Using more permissive rule.") + return true, dnsRule +} + // SetupWithManager initializes reconciler func (r *RuntimeComponentReconciler) SetupWithManager(mgr ctrl.Manager) error { diff --git a/internal/deploy/kubectl/runtime-component-crd.yaml b/internal/deploy/kubectl/runtime-component-crd.yaml index ce4fac05..ef01e30c 100644 --- a/internal/deploy/kubectl/runtime-component-crd.yaml +++ b/internal/deploy/kubectl/runtime-component-crd.yaml @@ -3841,6 +3841,10 @@ spec: networkPolicy: description: Defines the network policy properties: + bypassDenyAllEgress: + description: Bypasses deny all egress rules to allow API server + and DNS access. Defaults to false. + type: boolean disable: description: Disable the creation of the network policy. Defaults to false. diff --git a/internal/deploy/kustomize/daily/base/runtime-component-crd.yaml b/internal/deploy/kustomize/daily/base/runtime-component-crd.yaml index ce4fac05..ef01e30c 100644 --- a/internal/deploy/kustomize/daily/base/runtime-component-crd.yaml +++ b/internal/deploy/kustomize/daily/base/runtime-component-crd.yaml @@ -3841,6 +3841,10 @@ spec: networkPolicy: description: Defines the network policy properties: + bypassDenyAllEgress: + description: Bypasses deny all egress rules to allow API server + and DNS access. Defaults to false. + type: boolean disable: description: Disable the creation of the network policy. Defaults to false. diff --git a/utils/utils.go b/utils/utils.go index ca77a511..97dbd404 100644 --- a/utils/utils.go +++ b/utils/utils.go 
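Review bot: getDNSEgressRule returns a rule whose `Ports` is empty whenever neither a `dns` nor a `dns-tcp` named port is found in `Subsets[0]` (or `Subsets` is empty), and an egress rule with a `To` peer but no `Ports` permits every port to every pod in that namespace — on a plain cluster that is all of `kube-system`, far wider than the "DNS access" the flag advertises. Only the first subset is inspected, so an Endpoints object whose UDP and TCP ports land in different subsets is partially matched. Suggest collecting ports across all subsets and, when none resolve, treating it like the lookup failure rather than emitting the port-less rule; a PodSelector for the DNS pods would narrow the peer further, but the label to use is not shown here. getEndpoints should take the reconcile `ctx` rather than `context.TODO()`, and the commented-out `reqLogger.Info` lines should either log through the reconciler's logger (the permissive fallback deserves a visible log line) or be removed.
```go
	dnsRule := networkingv1.NetworkPolicyEgressRule{}
	dnsEndpoints, err := r.getEndpoints(endpointsName, endpointsNamespace)
	if err != nil {
		// Endpoints unreadable (missing or RBAC): caller falls back to a permissive rule.
		return true, dnsRule
	}
	for i := range dnsEndpoints.Subsets {
		for _, name := range []string{"dns", "dns-tcp"} {
			if endpointPort := utils.GetEndpointPortByName(&dnsEndpoints.Subsets[i].Ports, name); endpointPort != nil {
				dnsRule.Ports = append(dnsRule.Ports, utils.CreateNetworkPolicyPortFromEndpointPort(endpointPort))
			}
		}
	}
	if len(dnsRule.Ports) == 0 {
		// A To peer with no Ports would allow every port into the DNS namespace; fail closed to the documented fallback.
		return true, networkingv1.NetworkPolicyEgressRule{}
	}
	// … unchanged: namespace peer appended to dnsRule.To …
	return false, dnsRule
```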
@@ -340,19 +340,73 @@ func customizeProbeDefaults(config *corev1.Probe, defaultProbe *corev1.Probe) *c return probe } +func createEgressBypass(ba common.BaseComponent, isOpenShift bool, getDNSEgressRule func(string, string) (bool, networkingv1.NetworkPolicyEgressRule), getEndpoints func(string, string) (*corev1.Endpoints, error)) (bool, []networkingv1.NetworkPolicyEgressRule) { + egressRules := []networkingv1.NetworkPolicyEgressRule{} + + var dnsRule networkingv1.NetworkPolicyEgressRule + var usingPermissiveRule bool + // If allowed, add an Egress rule to access the OpenShift DNS or K8s CoreDNS. Otherwise, use a permissive cluster-wide Egress rule. + if isOpenShift { + usingPermissiveRule, dnsRule = getDNSEgressRule("dns-default", "openshift-dns") + } else { + usingPermissiveRule, dnsRule = getDNSEgressRule("kube-dns", "kube-system") + } + egressRules = append(egressRules, dnsRule) + + // If the DNS rule is a specific Egress rule also check if another Egress rule can be created for the API server. + // Otherwise, fallback to a permissive cluster-wide Egress rule. 
+ if !usingPermissiveRule { + if apiServerEndpoints, err := getEndpoints("kubernetes", "default"); err == nil { + rule := networkingv1.NetworkPolicyEgressRule{} + // Define the port + port := networkingv1.NetworkPolicyPort{} + port.Protocol = &apiServerEndpoints.Subsets[0].Ports[0].Protocol + var portNumber intstr.IntOrString = intstr.FromInt((int)(apiServerEndpoints.Subsets[0].Ports[0].Port)) + port.Port = &portNumber + rule.Ports = append(rule.Ports, port) + + // Add the endpoint address as ipBlock entries + for _, endpoint := range apiServerEndpoints.Subsets { + for _, address := range endpoint.Addresses { + peer := networkingv1.NetworkPolicyPeer{} + ipBlock := networkingv1.IPBlock{} + ipBlock.CIDR = address.IP + "/32" + + peer.IPBlock = &ipBlock + rule.To = append(rule.To, peer) + } + } + egressRules = append(egressRules, rule) + } else { + // The operator couldn't create a rule for the K8s API server so add a permissive Egress rule + rule := networkingv1.NetworkPolicyEgressRule{} + egressRules = append(egressRules, rule) + } + } + return usingPermissiveRule, egressRules +} + // createNetworkPolicyEgressRules returns the network policy rules for outgoing traffic to other Pod(s) -func createNetworkPolicyEgressRules(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, ba common.BaseComponent) []networkingv1.NetworkPolicyEgressRule { +func createNetworkPolicyEgressRules(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, isBypassingDenyAllEgress bool, getDNSEgressRule func(string, string) (bool, networkingv1.NetworkPolicyEgressRule), getEndpoints func(string, string) (*corev1.Endpoints, error), ba common.BaseComponent) []networkingv1.NetworkPolicyEgressRule { config := ba.GetNetworkPolicy() + egressRules := []networkingv1.NetworkPolicyEgressRule{} + if isBypassingDenyAllEgress { + usingPermissiveRule, bypassRules := createEgressBypass(ba, isOpenShift, getDNSEgressRule, getEndpoints) + egressRules = append(egressRules, bypassRules...) 
+ if usingPermissiveRule { + return egressRules // exit early because permissive egress is set + } + } + // configure the main application egress rule var rule networkingv1.NetworkPolicyEgressRule - if config == nil || ((config.GetToNamespaceLabels() != nil && len(config.GetToNamespaceLabels()) == 0) && (config.GetToLabels() != nil && len(config.GetToLabels()) == 0)) { rule = createAllowAllNetworkPolicyEgressRule() } else { rule = createNetworkPolicyEgressRule(ba.GetApplicationName(), networkPolicy.Namespace, config) } - - return []networkingv1.NetworkPolicyEgressRule{rule} + egressRules = append(egressRules, rule) + return egressRules } func createNetworkPolicyEgressRule(appName string, namespace string, config common.BaseComponentNetworkPolicy) networkingv1.NetworkPolicyEgressRule { 
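Review bot: `apiServerEndpoints.Subsets[0].Ports[0]` indexes without checking that `Subsets` or `Ports` is non-empty, so an Endpoints object with no ready subsets panics the reconciler instead of taking the permissive fallback a few lines below. `address.IP + "/32"` also assumes IPv4; on an IPv6 or dual-stack control plane the CIDR is invalid and the API server rejects the NetworkPolicy, so the prefix should be chosen with `net.ParseIP(ip).To4()` (requires importing `net`). The `ba` parameter is unused, and the port is taken only from the first subset while addresses are gathered from all of them. Two caveats worth a doc comment: API server Endpoints addresses change when control-plane nodes are replaced and nothing in this series re-reconciles the CR when they do, and both fallbacks emit `NetworkPolicyEgressRule{}`, which is allow-all, so a transient read failure silently removes the egress restriction.
```go
	if !usingPermissiveRule {
		apiServerEndpoints, err := getEndpoints("kubernetes", "default")
		if err != nil || len(apiServerEndpoints.Subsets) == 0 || len(apiServerEndpoints.Subsets[0].Ports) == 0 {
			// The operator couldn't create a rule for the K8s API server so add a permissive Egress rule
			egressRules = append(egressRules, networkingv1.NetworkPolicyEgressRule{})
			return usingPermissiveRule, egressRules
		}
		rule := networkingv1.NetworkPolicyEgressRule{}
		rule.Ports = append(rule.Ports, CreateNetworkPolicyPortFromEndpointPort(&apiServerEndpoints.Subsets[0].Ports[0]))
		for _, subset := range apiServerEndpoints.Subsets {
			for _, address := range subset.Addresses {
				prefix := "/32"
				if ip := net.ParseIP(address.IP); ip != nil && ip.To4() == nil {
					prefix = "/128" // IPv6 host route
				}
				rule.To = append(rule.To, networkingv1.NetworkPolicyPeer{IPBlock: &networkingv1.IPBlock{CIDR: address.IP + prefix}})
			}
		}
		egressRules = append(egressRules, rule)
	}
	return usingPermissiveRule, egressRules
```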
@@ -374,7 +428,26 @@ func createAllowAllNetworkPolicyEgressRule() networkingv1.NetworkPolicyEgressRul } } -func CustomizeNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, ba common.BaseComponent) { +func GetEndpointPortByName(endpointPorts *[]corev1.EndpointPort, name string) *corev1.EndpointPort { + if endpointPorts != nil { + for _, endpointPort := range *endpointPorts { + if endpointPort.Name == name { + return &endpointPort + } + } + } + return nil +} + +func CreateNetworkPolicyPortFromEndpointPort(endpointPort *corev1.EndpointPort) networkingv1.NetworkPolicyPort { + port := networkingv1.NetworkPolicyPort{} + port.Protocol = &endpointPort.Protocol + var portNumber intstr.IntOrString = intstr.FromInt((int)(endpointPort.Port)) + port.Port = &portNumber + return port +} + +func CustomizeNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, getDNSEgressRule func(string, string) (bool, networkingv1.NetworkPolicyEgressRule), getEndpoints func(string, string) (*corev1.Endpoints, error), ba common.BaseComponent) { obj := ba.(metav1.Object) networkPolicy.Labels = ba.GetLabels() networkPolicy.Annotations = MergeMaps(networkPolicy.Annotations, ba.GetAnnotations()) @@ -412,7 +485,8 @@ func CustomizeNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, isOpenShi if !hasEgressPolicy { networkPolicy.Spec.PolicyTypes = append(networkPolicy.Spec.PolicyTypes, networkingv1.PolicyTypeEgress) } - networkPolicy.Spec.Egress = createNetworkPolicyEgressRules(networkPolicy, isOpenShift, ba) + egressBypass := ba.GetNetworkPolicy() != nil && ba.GetNetworkPolicy().IsBypassingDenyAllEgress() // check if egress should bypass deny all policy to access the API server and DNS + networkPolicy.Spec.Egress = createNetworkPolicyEgressRules(networkPolicy, isOpenShift, egressBypass, getDNSEgressRule, getEndpoints, ba) } else { // if egress is not configured, consider the network policy disabled if hasEgressPolicy { 
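Review bot: GetEndpointPortByName and CreateNetworkPolicyPortFromEndpointPort are exported without doc comments, and the first takes `*[]corev1.EndpointPort` where a plain slice would do — slices are already reference-like, and the caller in the controller writes `&dnsEndpoints.Subsets[0].Ports` only to satisfy the pointer. Suggested signature `func GetEndpointPortByName(endpointPorts []corev1.EndpointPort, name string) *corev1.EndpointPort` with `// GetEndpointPortByName returns a pointer to a copy of the first port named name, or nil if none matches.`, and for the second `// CreateNetworkPolicyPortFromEndpointPort builds a NetworkPolicyPort carrying the endpoint port's protocol and number.`. The returned pointer refers to the range copy, not the slice element, which is fine for the immediate use here but worth stating in the comment.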
From 61da11bcaa1565405ed79655c636494e5fe563b7 Mon Sep 17 00:00:00 2001 From: kabicin <37311900+kabicin@users.noreply.github.com> Date: Fri, 6 Jun 2025 16:04:44 -0400 Subject: [PATCH 16/19] Update runtime-component.clusterserviceversion.yaml --- .../manifests/runtime-component.clusterserviceversion.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/bundle/manifests/runtime-component.clusterserviceversion.yaml b/bundle/manifests/runtime-component.clusterserviceversion.yaml index 82fe3a58..1f2e87fa 100644 --- a/bundle/manifests/runtime-component.clusterserviceversion.yaml +++ b/bundle/manifests/runtime-component.clusterserviceversion.yaml @@ -504,6 +504,12 @@ spec: path: networkPolicy.disableEgress x-descriptors: - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Bypasses deny all egress rules to allow API server and DNS access. + Defaults to false. + displayName: Bypass Deny All Egress + path: networkPolicy.bypassDenyAllEgress + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - description: Deprecated. .spec.networkPolicy.fromNamespaceLabels should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels will override this. From 3b206a73067233eead77ced47bd7aa80863a4b40 Mon Sep 17 00:00:00 2001 From: kabicin <37311900+kabicin@users.noreply.github.com> Date: Fri, 6 Jun 2025 16:57:22 -0400 Subject: [PATCH 17/19] Update utils.go --- utils/utils.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/utils/utils.go b/utils/utils.go index 97dbd404..4dab6dbe 100644 --- a/utils/utils.go +++ b/utils/utils.go 
@@ -481,11 +481,12 @@ func CustomizeNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, isOpenShi networkPolicy.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{} } else { egressConfigured := ba.GetNetworkPolicy() != nil && (ba.GetNetworkPolicy().GetToLabels() != nil || ba.GetNetworkPolicy().GetToNamespaceLabels() != nil) - if egressConfigured { + egressBypass := ba.GetNetworkPolicy() != nil && ba.GetNetworkPolicy().IsBypassingDenyAllEgress() // check if egress should bypass deny all policy to access the API server and DNS + if egressConfigured || egressBypass { if !hasEgressPolicy { networkPolicy.Spec.PolicyTypes = append(networkPolicy.Spec.PolicyTypes, networkingv1.PolicyTypeEgress) } - egressBypass := ba.GetNetworkPolicy() != nil && ba.GetNetworkPolicy().IsBypassingDenyAllEgress() // check if egress should bypass deny all policy to access the API server and DNS + networkPolicy.Spec.Egress = createNetworkPolicyEgressRules(networkPolicy, isOpenShift, egressBypass, getDNSEgressRule, getEndpoints, ba) } else { // if egress is not configured, consider the network policy disabled From c11cd057e01e4a2224bd13f8a16ba0f270056e93 Mon Sep 17 00:00:00 2001 From: kabicin <37311900+kabicin@users.noreply.github.com> Date: Fri, 6 Jun 2025 17:15:23 -0400 Subject: [PATCH 18/19] Add endpoints permissions --- .../runtime-component.clusterserviceversion.yaml | 8 ++++++++ config/rbac/role.yaml | 8 ++++++++ internal/controller/runtimecomponent_controller.go | 1 + internal/deploy/kubectl/runtime-component-operator.yaml | 8 ++++++++ .../deploy/kubectl/runtime-component-rbac-watch-all.yaml | 8 ++++++++ .../kubectl/runtime-component-rbac-watch-another.yaml | 8 ++++++++ .../kustomize/daily/base/runtime-component-roles.yaml | 8 ++++++++ .../overlays/watch-all-namespaces/cluster-roles.yaml | 8 ++++++++ .../rco-watched-ns/watched-roles.yaml | 8 ++++++++ 9 files changed, 65 insertions(+) 
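Review bot: With `if egressConfigured || egressBypass`, setting only `bypassDenyAllEgress: true` (no `toLabels`/`toNamespaceLabels`) now adds `PolicyTypeEgress`, and as far as the earlier createNetworkPolicyEgressRules hunk shows the resulting rules are DNS, the API server and a peer limited to same-namespace pods labelled `app.kubernetes.io/part-of: <app>` — so on a cluster with no deny-all policy the flag restricts egress to those destinations rather than merely "bypassing" a deny-all. That is a reasonable hardening default, but it is the opposite of what the field name and description suggest; either document it on the field (`// Enabling this also selects the pod for egress filtering, so traffic not matched by these rules is denied.`) or only add the bypass rules when egress is otherwise configured. CustomizeNetworkPolicy starts and continues outside the hunk.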
diff --git a/bundle/manifests/runtime-component.clusterserviceversion.yaml b/bundle/manifests/runtime-component.clusterserviceversion.yaml index 1f2e87fa..05b8e76f 100644 --- a/bundle/manifests/runtime-component.clusterserviceversion.yaml +++ b/bundle/manifests/runtime-component.clusterserviceversion.yaml @@ -1228,6 +1228,14 @@ spec: - list - update - watch + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch - apiGroups: - "" resources: diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 414ff68f..113bd278 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -61,6 +61,14 @@ rules: - list - update - watch +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch - apiGroups: - "" resources: diff --git a/internal/controller/runtimecomponent_controller.go b/internal/controller/runtimecomponent_controller.go index 6656fa4d..5f5bb668 100644 --- a/internal/controller/runtimecomponent_controller.go +++ b/internal/controller/runtimecomponent_controller.go 
@@ -71,6 +71,7 @@ type RuntimeComponentReconciler struct { // +kubebuilder:rbac:groups=apps,resources=deployments;statefulsets,verbs=get;list;watch;create;update;delete,namespace=runtime-component-operator // +kubebuilder:rbac:groups=apps,resources=deployments/finalizers;statefulsets,verbs=update,namespace=runtime-component-operator // +kubebuilder:rbac:groups=core,resources=services;secrets;serviceaccounts;configmaps,verbs=get;list;watch;create;update;delete,namespace=runtime-component-operator +// +kubebuilder:rbac:groups=core,resources=endpoints,verbs=get;list;watch,namespace=runtime-component-operator // +kubebuilder:rbac:groups=autoscaling,resources=horizontalpodautoscalers,verbs=get;list;watch;create;update;delete,namespace=runtime-component-operator // +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses;networkpolicies,verbs=get;list;watch;create;update;delete,namespace=runtime-component-operator // +kubebuilder:rbac:groups=route.openshift.io,resources=routes;routes/custom-host,verbs=get;list;watch;create;update;delete,namespace=runtime-component-operator diff --git a/internal/deploy/kubectl/runtime-component-operator.yaml b/internal/deploy/kubectl/runtime-component-operator.yaml index 4fe537cf..c4764b65 100644 --- a/internal/deploy/kubectl/runtime-component-operator.yaml +++ b/internal/deploy/kubectl/runtime-component-operator.yaml @@ -118,6 +118,14 @@ rules: - list - update - watch +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch - apiGroups: - "" resources: diff --git a/internal/deploy/kubectl/runtime-component-rbac-watch-all.yaml b/internal/deploy/kubectl/runtime-component-rbac-watch-all.yaml index 16077a59..d065c6f9 100644 --- a/internal/deploy/kubectl/runtime-component-rbac-watch-all.yaml +++ b/internal/deploy/kubectl/runtime-component-rbac-watch-all.yaml 
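Review bot: The marker `// +kubebuilder:rbac:groups=core,resources=endpoints,verbs=get;list;watch,namespace=runtime-component-operator` is namespace-scoped, but the new code reads Endpoints from `openshift-dns` or `kube-system` (getDNSEgressRule) and from `default` (the `kubernetes` lookup in createEgressBypass); a Role in the operator's or the watched namespace does not grant those reads, so in the single- and watched-namespace layouts the lookups fail and the bypass degrades to the permissive allow-all egress rule every time. If those layouts are meant to support the flag, the endpoints permission needs a ClusterRole (or Roles in those namespaces), and the fallback should be logged so the silent widening is visible. The `list`/`watch` verbs are presumably required by the cached client's informer; if a direct API reader were used instead, `get` alone would be least privilege.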
@@ -110,6 +110,14 @@ rules: - list - update - watch +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch - apiGroups: - "" resources: diff --git a/internal/deploy/kubectl/runtime-component-rbac-watch-another.yaml b/internal/deploy/kubectl/runtime-component-rbac-watch-another.yaml index cdbedd48..859f9879 100644 --- a/internal/deploy/kubectl/runtime-component-rbac-watch-another.yaml +++ b/internal/deploy/kubectl/runtime-component-rbac-watch-another.yaml @@ -112,6 +112,14 @@ rules: - list - update - watch +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch - apiGroups: - "" resources: diff --git a/internal/deploy/kustomize/daily/base/runtime-component-roles.yaml b/internal/deploy/kustomize/daily/base/runtime-component-roles.yaml index 1e0b23d8..cabf1d6d 100644 --- a/internal/deploy/kustomize/daily/base/runtime-component-roles.yaml +++ b/internal/deploy/kustomize/daily/base/runtime-component-roles.yaml @@ -121,6 +121,14 @@ rules: - list - update - watch +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch - apiGroups: - "" resources: diff --git a/internal/deploy/kustomize/daily/overlays/watch-all-namespaces/cluster-roles.yaml b/internal/deploy/kustomize/daily/overlays/watch-all-namespaces/cluster-roles.yaml index e55f677e..36bad8ab 100644 --- a/internal/deploy/kustomize/daily/overlays/watch-all-namespaces/cluster-roles.yaml +++ b/internal/deploy/kustomize/daily/overlays/watch-all-namespaces/cluster-roles.yaml @@ -110,6 +110,14 @@ rules: - list - update - watch +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch - apiGroups: - "" resources: diff --git a/internal/deploy/kustomize/daily/overlays/watch-another-namespace/rco-watched-ns/watched-roles.yaml b/internal/deploy/kustomize/daily/overlays/watch-another-namespace/rco-watched-ns/watched-roles.yaml index 4605591d..f55a58eb 100644 
--- a/internal/deploy/kustomize/daily/overlays/watch-another-namespace/rco-watched-ns/watched-roles.yaml +++ b/internal/deploy/kustomize/daily/overlays/watch-another-namespace/rco-watched-ns/watched-roles.yaml @@ -112,6 +112,14 @@ rules: - list - update - watch +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch - apiGroups: - "" resources: From e6e1b50e91f3f195143f9825a5c4725687f50615 Mon Sep 17 00:00:00 2001 From: kabicin <37311900+kabicin@users.noreply.github.com> Date: Mon, 9 Jun 2025 09:57:58 -0400 Subject: [PATCH 19/19] Update utils.go --- utils/utils.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/utils.go b/utils/utils.go index 4dab6dbe..4faf226d 100644 --- a/utils/utils.go +++ b/utils/utils.go @@ -591,7 +591,7 @@ func createNetworkPolicyPeer(appName string, namespace string, networkPolicy com peer.NamespaceSelector.MatchLabels = getNamespaceLabels() } - if networkPolicy == nil || networkPolicy.GetFromLabels() == nil { + if networkPolicy == nil || getLabels() == nil { peer.PodSelector.MatchLabels = map[string]string{ "app.kubernetes.io/part-of": appName, }