Merge pull request #1396 from huali9/networkpolicy-v2

OCPCLOUD-2980: add ingress/egress network policy v2

Author: openshift-merge-bot[bot]

install/0000_90_machine-api-operator_05_networkpolicy-allow-all-egress.yaml

@@ -0,0 +1,18 @@
+# Allow all egress from apps in openshift-machine-api
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-egress
+  namespace: openshift-machine-api
+  annotations:
+    capability.openshift.io/name: MachineAPI
+    exclude.release.openshift.io/internal-openshift-hosted: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  egress:
+  # Allow all egress traffic - operators need broad access
+  - {} # Empty rule allows all egress
+  podSelector: {} # Empty selector means allow all pods
+  policyTypes:
+  - Egress

install/0000_90_machine-api-operator_05_networkpolicy-allow-ingress-cluster.yaml

@@ -0,0 +1,30 @@
+# Allow ingress to the openshift-machine-api namespace pods for internal cluster request
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-cluster
+  namespace: openshift-machine-api
+  annotations:
+    capability.openshift.io/name: MachineAPI
+    exclude.release.openshift.io/internal-openshift-hosted: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  ingress:
+  - ports:
+    - protocol: TCP
+      port: 9440
+      endPort: 9442
+  podSelector:
+    matchExpressions:
+    - key: k8s-app
+      operator: In
+      values:
+      - cluster-autoscaler
+      - cluster-autoscaler-operator
+      - cluster-baremetal-operator
+      - control-plane-machine-set-operator
+      - controller
+      - machine-api-operator
+  policyTypes:
+  - Ingress

install/0000_90_machine-api-operator_05_networkpolicy-allow-ingress-kubeapi.yaml

@@ -0,0 +1,29 @@
+# Allow ingress to the openshift-machine-api namespace pods for kubeapi requests
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-kubeapi
+  namespace: openshift-machine-api
+  annotations:
+    capability.openshift.io/name: MachineAPI
+    exclude.release.openshift.io/internal-openshift-hosted: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  ingress:
+  - ports:
+    - protocol: TCP
+      port: 9443
+  podSelector:
+    matchExpressions:
+    - key: k8s-app
+      operator: In
+      values:
+      - cluster-autoscaler
+      - cluster-autoscaler-operator
+      - cluster-baremetal-operator
+      - control-plane-machine-set-operator
+      - controller
+      - machine-api-operator
+  policyTypes:
+  - Ingress

install/0000_90_machine-api-operator_05_networkpolicy-allow-ingress-metal.yaml

@@ -0,0 +1,34 @@
+# Add ports for metal
+# As metal behavior can be quite different from other deployment because of the added services and network complexity
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-metal
+  namespace: openshift-machine-api
+  annotations:
+    capability.openshift.io/name: MachineAPI
+    exclude.release.openshift.io/internal-openshift-hosted: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  ingress:
+  - ports:
+    - protocol: TCP
+      port: 80 # httpd service
+    - protocol: TCP
+      port: 443 # secure httpd service      
+    - protocol: TCP
+      port: 6180 # ironic httpd port
+    - protocol: TCP
+      port: 6183 # secure ironic httpd port
+    - protocol: TCP
+      port: 6385 # ironic API
+    - protocol: TCP
+      port: 6388 # ironic API proxy
+    - protocol: TCP
+      port: 8084 # image customization service
+    - protocol: TCP
+      port: 9447 # bare metal webhook service
+  podSelector: {}
+  policyTypes:
+  - Ingress

install/0000_90_machine-api-operator_05_networkpolicy-allow-ingress-metrics.yaml

@@ -0,0 +1,35 @@
+# Allow ingress to the openshift-machine-api namespace pods for metrics request
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-metrics
+  namespace: openshift-machine-api
+  annotations:
+    capability.openshift.io/name: MachineAPI
+    exclude.release.openshift.io/internal-openshift-hosted: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  ingress:
+  - ports:
+    - protocol: TCP
+      port: 8085
+    - protocol: TCP
+      port: 8440
+      endPort: 8444
+    - protocol: TCP
+      port: 9191
+      endPort: 9192
+  podSelector:
+    matchExpressions:
+    - key: k8s-app
+      operator: In
+      values:
+      - cluster-autoscaler
+      - cluster-autoscaler-operator
+      - cluster-baremetal-operator
+      - control-plane-machine-set-operator
+      - controller
+      - machine-api-operator
+  policyTypes:
+  - Ingress

install/0000_90_machine-api-operator_05_networkpolicy-default-deny.yaml

@@ -0,0 +1,16 @@
+# Default deny all ingress and egress
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny
+  namespace: openshift-machine-api
+  annotations:
+    capability.openshift.io/name: MachineAPI
+    exclude.release.openshift.io/internal-openshift-hosted: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress