diff --git a/Makefile b/Makefile
index bab70523f..4e06ddb70 100644
--- a/Makefile
+++ b/Makefile
@@ -279,6 +279,22 @@ operator-sdk:
 chmod +x ${OPERATOR_SDK}; \
 fi
+.PHONY: bundle-old
+bundle-old: operator-sdk manifests kustomize ## Generate bundle manifests and metadata, then validate generated files.
+ rm -fr ./bundle
+ ${OPERATOR_SDK} generate kustomize manifests --apis-dir api
+ cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG) worker=$(WORKER_IMG)
+ cd config/manager-base && $(KUSTOMIZE) edit set image must-gather=$(GATHER_IMG) signer=$(SIGNER_IMG)
+ cd config/webhook-server && $(KUSTOMIZE) edit set image webhook-server=$(WEBHOOK_IMG)
+
+ OPERATOR_SDK="${OPERATOR_SDK}" \
+ BUNDLE_GEN_FLAGS="${BUNDLE_GEN_FLAGS} --extra-service-accounts kmm-operator-module-loader,kmm-operator-device-plugin" \
+ PKG=kernel-module-management \
+ SOURCE_DIR=$(dir $(realpath $(lastword $(MAKEFILE_LIST)))) \
+ ./hack/generate-bundle
+
+ ${OPERATOR_SDK} bundle validate ./bundle
+
 .PHONY: bundle
 bundle: operator-sdk manifests kustomize ## Generate bundle manifests and metadata, then validate generated files.
 rm -fr ./bundle
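Review bot: `bundle-old` is a line-for-line copy of the `bundle` recipe visible in the trailing context, differing only in the retained `${OPERATOR_SDK} bundle validate ./bundle` and the absent `INCLUDE_NETWORK_POLICIES=true`, so every future change to the image/kustomize lines must be made twice. A target-specific variable removes the copy: declare `INCLUDE_NETWORK_POLICIES ?= true` at file level, pass `INCLUDE_NETWORK_POLICIES=$(INCLUDE_NETWORK_POLICIES) \` in the shared recipe, and reduce this target to `bundle-old: INCLUDE_NETWORK_POLICIES := false` followed by `bundle-old: bundle`. The name also does not say what is old about it; the `##` help text should record the intent, e.g. `## Generate and validate the bundle without NetworkPolicy manifests (for toolchains that reject them)` — that purpose is inferred from the flag, so confirm it before writing it down.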
@@ -291,9 +307,31 @@ bundle: operator-sdk manifests kustomize ## Generate bundle manifests and metada
 BUNDLE_GEN_FLAGS="${BUNDLE_GEN_FLAGS} --extra-service-accounts kmm-operator-module-loader,kmm-operator-device-plugin" \
 PKG=kernel-module-management \
 SOURCE_DIR=$(dir $(realpath $(lastword $(MAKEFILE_LIST)))) \
+ INCLUDE_NETWORK_POLICIES=true \
 ./hack/generate-bundle
- ${OPERATOR_SDK} bundle validate ./bundle
+.PHONY: bundle-hub-old
+bundle-hub-old: operator-sdk manifests kustomize ## Generate bundle manifests and metadata, then validate generated files.
+ rm -fr bundle-hub
+
+ ${OPERATOR_SDK} generate kustomize manifests \
+ --apis-dir api-hub \
+ --output-dir config/manifests-hub \
+ --package kernel-module-management-hub \
+ --input-dir config/manifests-hub
+ cd config/manager-hub && $(KUSTOMIZE) edit set image controller=$(HUB_IMG)
+ cd config/manager-base && $(KUSTOMIZE) edit set image must-gather=$(GATHER_IMG) signer=$(SIGNER_IMG)
+ cd config/webhook-server && $(KUSTOMIZE) edit set image webhook-server=$(WEBHOOK_IMG)
+
+ OPERATOR_SDK="${OPERATOR_SDK}" \
+ BUNDLE_GEN_FLAGS="${BUNDLE_GEN_FLAGS}" \
+ MANIFESTS_DIR=config/manifests-hub \
+ PKG=kernel-module-management-hub \
+ SOURCE_DIR=$(dir $(realpath $(lastword $(MAKEFILE_LIST)))) \
+ SUFFIX="-hub" \
+ ./hack/generate-bundle
+
+ ${OPERATOR_SDK} bundle validate ./bundle-hub
 .PHONY: bundle-hub
 bundle-hub: operator-sdk manifests kustomize ## Generate bundle manifests and metadata, then validate generated files.
@@ -314,9 +352,9 @@ bundle-hub: operator-sdk manifests kustomize ## Generate bundle manifests and me
 PKG=kernel-module-management-hub \
 SOURCE_DIR=$(dir $(realpath $(lastword $(MAKEFILE_LIST)))) \
 SUFFIX="-hub" \
+ INCLUDE_NETWORK_POLICIES=true \
 ./hack/generate-bundle
- ${OPERATOR_SDK} bundle validate ./bundle-hub
 .PHONY: bundle-build-hub
 bundle-build-hub: ## Build the bundle-hub image.
diff --git a/PROJECT b/PROJECT
index 105da5a89..1eb9e731c 100644
--- a/PROJECT
+++ b/PROJECT
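Review bot: `${OPERATOR_SDK} bundle validate ./bundle` and `... ./bundle-hub` are removed from `bundle` and `bundle-hub`, so the default bundles — the ones that now carry the NetworkPolicy manifests — are no longer validated at all, while their `##` help text still promises "then validate generated files". If the pinned operator-sdk's validator rejects NetworkPolicy objects (not shown here; please confirm), record that in a comment and keep validation where it still works, e.g. run `"$OPERATOR_SDK" bundle validate "$BUNDLE_DIR"` inside hack/generate-bundle before the policies are copied in, or pin a release that accepts them. At minimum make the help strings truthful: `bundle: operator-sdk manifests kustomize ## Generate bundle manifests and metadata incl. NetworkPolicies (not validated; see bundle-old)`. The new `bundle-hub-old` is again a full copy of `bundle-hub` and would collapse to `bundle-hub-old: INCLUDE_NETWORK_POLICIES := false` plus `bundle-hub-old: bundle-hub` once the flag is passed through a variable.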
@@ -1,6 +1,6 @@
 domain: sigs.x-k8s.io
 layout:
-- go.kubebuilder.io/v3
+- go.kubebuilder.io/v4
 plugins:
 manifests.sdk.operatorframework.io/v2: {}
 scorecard.sdk.operatorframework.io/v2: {}
diff --git a/bundle-hub/manifests/kernel-module-management-hub.clusterserviceversion.yaml b/bundle-hub/manifests/kernel-module-management-hub.clusterserviceversion.yaml
index 2b89110c0..3866bcd7e 100644
--- a/bundle-hub/manifests/kernel-module-management-hub.clusterserviceversion.yaml
+++ b/bundle-hub/manifests/kernel-module-management-hub.clusterserviceversion.yaml
@@ -37,7 +37,7 @@ metadata:
 }
 ]
 capabilities: Seamless Upgrades
- createdAt: "2025-07-15T14:14:25Z"
+ createdAt: "2025-08-26T14:37:47Z"
 operatorframework.io/suggested-namespace: openshift-kmm-hub
 operators.operatorframework.io/builder: operator-sdk-v1.32.0
 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -227,9 +227,6 @@ spec:
 replicas: 1
 selector:
 matchLabels:
- app.kubernetes.io/component: kmm-hub
- app.kubernetes.io/name: kmm-hub
- app.kubernetes.io/part-of: kmm
 control-plane: controller
 strategy: {}
 template:
@@ -237,9 +234,6 @@ spec:
 annotations:
 kubectl.kubernetes.io/default-container: manager
 labels:
- app.kubernetes.io/component: kmm-hub
- app.kubernetes.io/name: kmm-hub
- app.kubernetes.io/part-of: kmm
 control-plane: controller
 spec:
 affinity:
@@ -324,9 +318,6 @@ spec:
 replicas: 1
 selector:
 matchLabels:
- app.kubernetes.io/component: kmm-hub
- app.kubernetes.io/name: kmm-hub
- app.kubernetes.io/part-of: kmm
 control-plane: webhook-server
 strategy: {}
 template:
@@ -334,9 +325,6 @@ spec:
 annotations:
 kubectl.kubernetes.io/default-container: webhook-server
 labels:
- app.kubernetes.io/component: kmm-hub
- app.kubernetes.io/name: kmm-hub
- app.kubernetes.io/part-of: kmm
 control-plane: webhook-server
 spec:
 affinity:
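Review bot: the layout bump to `go.kubebuilder.io/v4` is not reflected in the regenerated CSVs on this page, whose context line still reads `operators.operatorframework.io/project_layout: go.kubebuilder.io/v3` even though `createdAt` was refreshed in the same run — presumably the annotation is carried over from the base CSV under `config/manifests*/bases` rather than derived from PROJECT, but confirm. Update that base annotation in the same change so the bundle metadata does not misreport the layout, and check the `operators.operatorframework.io/builder: operator-sdk-v1.32.0` annotation the same way if the SDK was bumped for v4 support.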
diff --git a/bundle-hub/manifests/kmm-operator-hub-build-and-sign_networking.k8s.io_v1_networkpolicy.yaml b/bundle-hub/manifests/kmm-operator-hub-build-and-sign_networking.k8s.io_v1_networkpolicy.yaml
new file mode 100644
index 000000000..4719c6030
--- /dev/null
+++ b/bundle-hub/manifests/kmm-operator-hub-build-and-sign_networking.k8s.io_v1_networkpolicy.yaml
@@ -0,0 +1,14 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: build-and-sign
+ namespace: system
+spec:
+ podSelector:
+ matchExpressions:
+ - key: openshift.io/build.name
+ operator: Exists
+ policyTypes:
+ - Egress
+ egress:
+ - {}
\ No newline at end of file
diff --git a/bundle-hub/manifests/kmm-operator-hub-controller-metrics-service_v1_service.yaml b/bundle-hub/manifests/kmm-operator-hub-controller-metrics-service_v1_service.yaml
index 18c1c56a9..0fcc3c274 100644
--- a/bundle-hub/manifests/kmm-operator-hub-controller-metrics-service_v1_service.yaml
+++ b/bundle-hub/manifests/kmm-operator-hub-controller-metrics-service_v1_service.yaml
@@ -17,9 +17,6 @@ spec:
 protocol: TCP
 targetPort: metrics
 selector:
- app.kubernetes.io/component: kmm-hub
- app.kubernetes.io/name: kmm-hub
- app.kubernetes.io/part-of: kmm
 control-plane: controller
 status:
 loadBalancer: {}
diff --git a/bundle-hub/manifests/kmm-operator-hub-controller_networking.k8s.io_v1_networkpolicy.yaml b/bundle-hub/manifests/kmm-operator-hub-controller_networking.k8s.io_v1_networkpolicy.yaml
new file mode 100644
index 000000000..c9155b727
--- /dev/null
+++ b/bundle-hub/manifests/kmm-operator-hub-controller_networking.k8s.io_v1_networkpolicy.yaml
@@ -0,0 +1,36 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: controller
+ namespace: system
+spec:
+ podSelector:
+ matchLabels:
+ control-plane: controller
+ policyTypes:
+ - Egress
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP # metrics port
+ port: 8443
+ - protocol: TCP
+ port: 8081 # Healthz
+ egress:
+ - to:
+ - namespaceSelector: # DNS
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-dns
+ podSelector:
+ matchLabels:
+ dns.operator.openshift.io/daemonset-dns: default
+ ports:
+ - protocol: UDP # DNS
+ port: 53
+ - protocol: TCP # DNS
+ port: 53
+ - ports: # kube api server
+ - protocol: TCP
+ port: 6443
+ - protocol: TCP
+ port: 443
diff --git a/bundle-hub/manifests/kmm-operator-hub-default-deny_networking.k8s.io_v1_networkpolicy.yaml b/bundle-hub/manifests/kmm-operator-hub-default-deny_networking.k8s.io_v1_networkpolicy.yaml
new file mode 100644
index 000000000..655b5da38
--- /dev/null
+++ b/bundle-hub/manifests/kmm-operator-hub-default-deny_networking.k8s.io_v1_networkpolicy.yaml
@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: system
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/bundle-hub/manifests/kmm-operator-hub-webhook-service_v1_service.yaml b/bundle-hub/manifests/kmm-operator-hub-webhook-service_v1_service.yaml
index 48e1766ea..2ec1d03e5 100644
--- a/bundle-hub/manifests/kmm-operator-hub-webhook-service_v1_service.yaml
+++ b/bundle-hub/manifests/kmm-operator-hub-webhook-service_v1_service.yaml
@@ -16,9 +16,6 @@ spec:
 protocol: TCP
 targetPort: 9443
 selector:
- app.kubernetes.io/component: kmm-hub
- app.kubernetes.io/name: kmm-hub
- app.kubernetes.io/part-of: kmm
 control-plane: webhook-server
 status:
 loadBalancer: {}
diff --git a/bundle-hub/manifests/kmm-operator-hub-webhook_networking.k8s.io_v1_networkpolicy.yaml b/bundle-hub/manifests/kmm-operator-hub-webhook_networking.k8s.io_v1_networkpolicy.yaml
new file mode 100644
index 000000000..c3ee42d7a
--- /dev/null
+++ b/bundle-hub/manifests/kmm-operator-hub-webhook_networking.k8s.io_v1_networkpolicy.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: webhook
+ namespace: system
+spec:
+ podSelector:
+ matchLabels:
+ control-plane: webhook-server
+ policyTypes:
+ - Egress
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 9443
+ egress:
+ - ports: # kube api server port
+ - protocol: TCP
+ port: 6443
+ - protocol: TCP
+ port: 443
diff --git a/bundle/manifests/kernel-module-management.clusterserviceversion.yaml b/bundle/manifests/kernel-module-management.clusterserviceversion.yaml
index 927ae688c..ef5aa0a37 100644
--- a/bundle/manifests/kernel-module-management.clusterserviceversion.yaml
+++ b/bundle/manifests/kernel-module-management.clusterserviceversion.yaml
@@ -47,7 +47,7 @@ metadata:
 }
 ]
 capabilities: Seamless Upgrades
- createdAt: "2025-07-15T13:32:13Z"
+ createdAt: "2025-08-26T14:37:46Z"
 operatorframework.io/suggested-namespace: openshift-kmm
 operators.operatorframework.io/builder: operator-sdk-v1.32.0
 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -303,9 +303,6 @@ spec:
 replicas: 1
 selector:
 matchLabels:
- app.kubernetes.io/component: kmm
- app.kubernetes.io/name: kmm
- app.kubernetes.io/part-of: kmm
 control-plane: controller
 strategy: {}
 template:
@@ -313,9 +310,6 @@ spec:
 annotations:
 kubectl.kubernetes.io/default-container: manager
 labels:
- app.kubernetes.io/component: kmm
- app.kubernetes.io/name: kmm
- app.kubernetes.io/part-of: kmm
 control-plane: controller
 spec:
 affinity:
@@ -402,9 +396,6 @@ spec:
 replicas: 1
 selector:
 matchLabels:
- app.kubernetes.io/component: kmm
- app.kubernetes.io/name: kmm
- app.kubernetes.io/part-of: kmm
 control-plane: webhook-server
 strategy: {}
 template:
@@ -412,9 +403,6 @@ spec:
 annotations:
 kubectl.kubernetes.io/default-container: webhook-server
 labels:
- app.kubernetes.io/component: kmm
- app.kubernetes.io/name: kmm
- app.kubernetes.io/part-of: kmm
 control-plane: webhook-server
 spec:
 affinity:
diff --git a/bundle/manifests/kmm-operator-build-and-sign_networking.k8s.io_v1_networkpolicy.yaml b/bundle/manifests/kmm-operator-build-and-sign_networking.k8s.io_v1_networkpolicy.yaml
new file mode 100644
index 000000000..4719c6030
--- /dev/null
+++ b/bundle/manifests/kmm-operator-build-and-sign_networking.k8s.io_v1_networkpolicy.yaml
@@ -0,0 +1,14 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: build-and-sign
+ namespace: system
+spec:
+ podSelector:
+ matchExpressions:
+ - key: openshift.io/build.name
+ operator: Exists
+ policyTypes:
+ - Egress
+ egress:
+ - {}
\ No newline at end of file
diff --git a/bundle/manifests/kmm-operator-controller-metrics-service_v1_service.yaml b/bundle/manifests/kmm-operator-controller-metrics-service_v1_service.yaml
index 7f2ac10b1..f48874b89 100644
--- a/bundle/manifests/kmm-operator-controller-metrics-service_v1_service.yaml
+++ b/bundle/manifests/kmm-operator-controller-metrics-service_v1_service.yaml
@@ -17,9 +17,6 @@ spec:
 protocol: TCP
 targetPort: metrics
 selector:
- app.kubernetes.io/component: kmm
- app.kubernetes.io/name: kmm
- app.kubernetes.io/part-of: kmm
 control-plane: controller
 status:
 loadBalancer: {}
diff --git a/bundle/manifests/kmm-operator-controller_networking.k8s.io_v1_networkpolicy.yaml b/bundle/manifests/kmm-operator-controller_networking.k8s.io_v1_networkpolicy.yaml
new file mode 100644
index 000000000..c9155b727
--- /dev/null
+++ b/bundle/manifests/kmm-operator-controller_networking.k8s.io_v1_networkpolicy.yaml
@@ -0,0 +1,36 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: controller
+ namespace: system
+spec:
+ podSelector:
+ matchLabels:
+ control-plane: controller
+ policyTypes:
+ - Egress
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP # metrics port
+ port: 8443
+ - protocol: TCP
+ port: 8081 # Healthz
+ egress:
+ - to:
+ - namespaceSelector: # DNS
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-dns
+ podSelector:
+ matchLabels:
+ dns.operator.openshift.io/daemonset-dns: default
+ ports:
+ - protocol: UDP # DNS
+ port: 53
+ - protocol: TCP # DNS
+ port: 53
+ - ports: # kube api server
+ - protocol: TCP
+ port: 6443
+ - protocol: TCP
+ port: 443
diff --git a/bundle/manifests/kmm-operator-default-deny_networking.k8s.io_v1_networkpolicy.yaml b/bundle/manifests/kmm-operator-default-deny_networking.k8s.io_v1_networkpolicy.yaml
new file mode 100644
index 000000000..655b5da38
--- /dev/null
+++ b/bundle/manifests/kmm-operator-default-deny_networking.k8s.io_v1_networkpolicy.yaml
@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: system
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/bundle/manifests/kmm-operator-webhook-service_v1_service.yaml b/bundle/manifests/kmm-operator-webhook-service_v1_service.yaml
index 637d82bbf..092d00e21 100644
--- a/bundle/manifests/kmm-operator-webhook-service_v1_service.yaml
+++ b/bundle/manifests/kmm-operator-webhook-service_v1_service.yaml
@@ -16,9 +16,6 @@ spec:
 protocol: TCP
 targetPort: 9443
 selector:
- app.kubernetes.io/component: kmm
- app.kubernetes.io/name: kmm
- app.kubernetes.io/part-of: kmm
 control-plane: webhook-server
 status:
 loadBalancer: {}
diff --git a/bundle/manifests/kmm-operator-webhook_networking.k8s.io_v1_networkpolicy.yaml b/bundle/manifests/kmm-operator-webhook_networking.k8s.io_v1_networkpolicy.yaml
new file mode 100644
index 000000000..c3ee42d7a
--- /dev/null
+++ b/bundle/manifests/kmm-operator-webhook_networking.k8s.io_v1_networkpolicy.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: webhook
+ namespace: system
+spec:
+ podSelector:
+ matchLabels:
+ control-plane: webhook-server
+ policyTypes:
+ - Egress
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 9443
+ egress:
+ - ports: # kube api server port
+ - protocol: TCP
+ port: 6443
+ - protocol: TCP
+ port: 443
diff --git a/ci/e2e/kustomization.yaml b/ci/e2e/kustomization.yaml
index e6fca9068..09e59f8b3 100644
--- a/ci/e2e/kustomization.yaml
+++ b/ci/e2e/kustomization.yaml
@@ -10,8 +10,10 @@ generatorOptions:
 configMapGenerator:
 - name: kmm-kmod-dockerfile
+ namespace: openshift-kmm
 files: [dockerfile=Dockerfile]
 secretGenerator:
 - name: build-secret
+ namespace: openshift-kmm
 literals: [ci-build-secret=super-secret-value]
diff --git a/ci/e2e/module.yaml b/ci/e2e/module.yaml
index cfa591df2..333f81355 100644
--- a/ci/e2e/module.yaml
+++ b/ci/e2e/module.yaml
@@ -3,6 +3,7 @@ apiVersion: kmm.sigs.x-k8s.io/v1beta1
 kind: Module
 metadata:
 name: kmm-ci
+ namespace: openshift-kmm
 spec:
 moduleLoader:
 container:
diff --git a/ci/prow/e2e-incluster-build b/ci/prow/e2e-incluster-build
index 192c4905d..9b86a479c 100755
--- a/ci/prow/e2e-incluster-build
+++ b/ci/prow/e2e-incluster-build
@@ -6,10 +6,10 @@ POD_NAME=''
 wait_for_pod_and_print_logs () {
 # we can't exec a command nor get the logs on a pod that isn't `Running` yet.
- oc wait "pod/${POD_NAME}" --for jsonpath='{.status.phase}'=Running --timeout=60s
+ oc wait -n openshift-kmm"pod/${POD_NAME}" --for jsonpath='{.status.phase}'=Running --timeout=60s
 echo "Print pod ${POD_NAME} logs..."
- oc logs "pod/${POD_NAME}" -f
+ oc logs -n openshift-kmm "pod/${POD_NAME}" -f
 }
 check_module_not_loaded () {
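Review bot: the new `oc wait -n openshift-kmm"pod/${POD_NAME}"` line is missing the space between the namespace and the resource, so the shell joins them into one `-n` argument (`openshift-kmmpod/<name>`) and `oc wait` is left with no resource to wait on; the job will fail at the first build pod. Change it to `oc wait -n openshift-kmm "pod/${POD_NAME}" --for jsonpath='{.status.phase}'=Running --timeout=60s`. Since `openshift-kmm` is now repeated in every `oc` call in this script, a single `readonly NS=openshift-kmm` next to `POD_NAME=''` (outside this hunk) with `-n "$NS"` everywhere would prevent the next slip of this kind.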
@@ -46,14 +46,14 @@ timeout 1m bash -c 'until oc apply -k ci/e2e; do sleep 3; done'
 # Wait for the build pod to be created. `kubectl wait` doesn't support such option,
 # see https://github.com/kubernetes/kubernetes/issues/83242.
 echo "Waiting for the build pod to be created..."
-timeout 1m bash -c 'until oc get pods -o json | jq -er ".items[].metadata.name | select(.? | match(\"build\"))"; do sleep 1; done'
-POD_NAME=$(oc get pods -o json | jq -r '.items[].metadata.name | select(.? | match("build"))')
+timeout 1m bash -c 'until oc get pods -n openshift-kmm -o json | jq -er ".items[].metadata.name | select(.? | match(\"build\"))"; do sleep 1; done'
+POD_NAME=$(oc get pods -n openshift-kmm -o json | jq -r '.items[].metadata.name | select(.? | match("build"))')
 wait_for_pod_and_print_logs
 echo "Waiting for the signing pod to be created..."
-timeout 1m bash -c 'until oc get pods -o json | jq -er ".items[].metadata.name | select(.? | match(\"sign\"))"; do sleep 1; done'
-POD_NAME=$(oc get pods -o json | jq -r '.items[].metadata.name | select(.? | match("sign"))')
+timeout 1m bash -c 'until oc get pods -n openshift-kmm -o json | jq -er ".items[].metadata.name | select(.? | match(\"sign\"))"; do sleep 1; done'
+POD_NAME=$(oc get pods -n openshift-kmm -o json | jq -r '.items[].metadata.name | select(.? | match("sign"))')
 wait_for_pod_and_print_logs
@@ -66,7 +66,7 @@ oc debug "node/${NODE}" -- chroot host/ lsmod | grep kmm_ci_b
 check_module_not_loaded "dummy"
 echo "Remove the Module..."
-oc delete modules.kmm.sigs.x-k8s.io/kmm-ci --wait=false
+oc delete modules.kmm.sigs.x-k8s.io/kmm-ci --wait=false -n openshift-kmm
 echo "Check that the module gets unloaded from the node..."
 timeout 1m bash -c 'until ! oc debug node/${NODE} -- chroot host/ lsmod | grep kmm_ci_a; do sleep 3; done'
@@ -75,4 +75,4 @@ echo "Check that the dependent module is also unloaded from the node..."
 check_module_not_loaded "kmm_ci_b"
 echo "Wait for the Module to be deleted..."
-oc wait --for delete modules.kmm.sigs.x-k8s.io/kmm-ci
+oc wait --for delete modules.kmm.sigs.x-k8s.io/kmm-ci -n openshift-kmm
diff --git a/ci/sign-key-certs/kustomization.yaml b/ci/sign-key-certs/kustomization.yaml
index 610755582..e9b221a25 100644
--- a/ci/sign-key-certs/kustomization.yaml
+++ b/ci/sign-key-certs/kustomization.yaml
@@ -6,6 +6,8 @@ generatorOptions:
 secretGenerator:
 - name: kmm-kmod-signing-cert
+ namespace: openshift-kmm
 files: [cert=signing-cert.pem]
 - name: kmm-kmod-signing-key
+ namespace: openshift-kmm
 files: [key=signing-key.pem]
diff --git a/config/default-hub/kustomization.yaml b/config/default-hub/kustomization.yaml
index 125202b20..8c221309e 100644
--- a/config/default-hub/kustomization.yaml
+++ b/config/default-hub/kustomization.yaml
@@ -17,7 +17,7 @@ components:
 configurations:
 - kustomizeconfig.yaml
 labels:
-- includeSelectors: true
+- includeSelectors: false
 pairs:
 app.kubernetes.io/component: kmm-hub
 app.kubernetes.io/name: kmm-hub
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index 7eb9760fa..2171c87cf 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -17,7 +17,7 @@ namePrefix: kmm-operator-
 configurations:
 - kustomizeconfig.yaml
 labels:
-- includeSelectors: true
+- includeSelectors: false
 pairs:
 app.kubernetes.io/component: kmm
 app.kubernetes.io/name: kmm
diff --git a/config/deploy-hub/kustomization.yaml b/config/deploy-hub/kustomization.yaml
index a8423f60a..cc260f444 100644
--- a/config/deploy-hub/kustomization.yaml
+++ b/config/deploy-hub/kustomization.yaml
@@ -9,6 +9,7 @@ resources:
 - ../manager-hub
 - ../webhook-hub
 - ../webhook-server
+- ../network-policy
 patches:
 - target:
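Review bot: flipping `includeSelectors` to `false` in `config/default` and `config/default-hub` removes the three `app.kubernetes.io/*` labels from `spec.selector.matchLabels` of the controller and webhook Deployments (the CSV hunks on this page show exactly that), and a Deployment selector is immutable, so `oc apply -k` of the deploy overlays over an existing install will be rejected with `field is immutable` unless the Deployments are deleted first; the OLM upgrade path should be checked for the same problem. The likely reason for the flip — keeping the label transformer out of the NetworkPolicy `podSelector`s in `../network-policy`, where `podSelector: {}` and the `openshift.io/build.name` matchExpression must stay exactly as written — is recorded nowhere, so add it above the setting: `# includeSelectors: false — labels go on metadata only; Deployment/Service/NetworkPolicy selectors stay on control-plane=… (selector changes are immutable and would also break NetworkPolicy pod selection)`. If that is not the motivation, the comment should state whatever it actually is.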
diff --git a/config/deploy/kustomization.yaml b/config/deploy/kustomization.yaml
index 7fdce732d..cd9520c49 100644
--- a/config/deploy/kustomization.yaml
+++ b/config/deploy/kustomization.yaml
@@ -10,6 +10,7 @@ resources:
 - ../prometheus
 - ../webhook
 - ../webhook-server
+- ../network-policy
 patches:
 - target:
diff --git a/config/manifests-hub/kustomization.yaml b/config/manifests-hub/kustomization.yaml
index d8dd03e22..025a381d3 100644
--- a/config/manifests-hub/kustomization.yaml
+++ b/config/manifests-hub/kustomization.yaml
@@ -9,7 +9,7 @@ resources:
 - ../samples-hub
 - ../scorecard
 labels:
-- includeSelectors: true
+- includeSelectors: false
 pairs:
 app.kubernetes.io/component: kmm-hub
 app.kubernetes.io/name: kmm-hub
diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml
index 237b3ff3c..e67b0e55a 100644
--- a/config/manifests/kustomization.yaml
+++ b/config/manifests/kustomization.yaml
@@ -9,7 +9,7 @@ resources:
 - ../samples
 - ../scorecard
 labels:
-- includeSelectors: true
+- includeSelectors: false
 pairs:
 app.kubernetes.io/component: kmm
 app.kubernetes.io/name: kmm
diff --git a/config/network-policy/build-and-sign.yaml b/config/network-policy/build-and-sign.yaml
new file mode 100644
index 000000000..4719c6030
--- /dev/null
+++ b/config/network-policy/build-and-sign.yaml
@@ -0,0 +1,14 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: build-and-sign
+ namespace: system
+spec:
+ podSelector:
+ matchExpressions:
+ - key: openshift.io/build.name
+ operator: Exists
+ policyTypes:
+ - Egress
+ egress:
+ - {}
\ No newline at end of file
diff --git a/config/network-policy/controller.yaml b/config/network-policy/controller.yaml
new file mode 100644
index 000000000..c9155b727
--- /dev/null
+++ b/config/network-policy/controller.yaml
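Review bot: `egress: - {}` in build-and-sign.yaml is an allow-all egress for every pod in the operator namespace carrying an `openshift.io/build.name` label, with no ingress section, so it is the single hole in `default-deny` and it is keyed on a label rather than on anything controller-owned — any principal who can create pods in this namespace opts into it by setting the label. That may be unavoidable (build pods fetch sources and base images and push to registries at addresses nobody can enumerate), but the file should say so and bound the claim, e.g. a header comment `# Build pods (labelled openshift.io/build.name by the builder) need unrestricted egress to pull sources/base images and push to registries; ingress is still denied by default-deny. Namespaced: only build pods that land in the operator namespace are covered.`. Two things to confirm before merging: whether KMM's signing pods carry that label as well — if not they stay under default-deny and cannot push the signed image — and whether builds on non-OpenShift clusters set it at all. The file also lacks a trailing newline.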
@@ -0,0 +1,36 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: controller
+ namespace: system
+spec:
+ podSelector:
+ matchLabels:
+ control-plane: controller
+ policyTypes:
+ - Egress
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP # metrics port
+ port: 8443
+ - protocol: TCP
+ port: 8081 # Healthz
+ egress:
+ - to:
+ - namespaceSelector: # DNS
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-dns
+ podSelector:
+ matchLabels:
+ dns.operator.openshift.io/daemonset-dns: default
+ ports:
+ - protocol: UDP # DNS
+ port: 53
+ - protocol: TCP # DNS
+ port: 53
+ - ports: # kube api server
+ - protocol: TCP
+ port: 6443
+ - protocol: TCP
+ port: 443
diff --git a/config/network-policy/default-deny.yaml b/config/network-policy/default-deny.yaml
new file mode 100644
index 000000000..655b5da38
--- /dev/null
+++ b/config/network-policy/default-deny.yaml
@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: system
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/config/network-policy/kustomization.yaml b/config/network-policy/kustomization.yaml
new file mode 100644
index 000000000..7903da173
--- /dev/null
+++ b/config/network-policy/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- default-deny.yaml
+- controller.yaml
+- webhook.yaml
+- build-and-sign.yaml
\ No newline at end of file
diff --git a/config/network-policy/webhook.yaml b/config/network-policy/webhook.yaml
new file mode 100644
index 000000000..c3ee42d7a
--- /dev/null
+++ b/config/network-policy/webhook.yaml
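Review bot: the egress entry commented `# kube api server` in controller.yaml has no `to:`, so it actually permits TCP 443/6443 to any destination, in-cluster or external; together with the DNS rule that is general HTTPS egress, which the comment hides. If the controller must reach image registries (plausible for this operator, but not shown on this page), say so — `- ports: # TCP 443/6443 to any destination: kube-apiserver and image registries` — and note that a registry on another port (the in-cluster image registry service listens on 5000) is blocked; if only the API server is needed, pin it with an `ipBlock` for the apiserver address or the Endpoints of the `default/kubernetes` Service. The ingress rule likewise has no `from:`: 8081 must stay open because kubelet probes arrive from the node, but 8443 can be limited to the monitoring namespace if the ServiceMonitor in `../prometheus` is its only consumer, as sketched below. The DNS rule is OpenShift-specific (`openshift-dns`, `dns.operator.openshift.io/daemonset-dns`), so under `default-deny` the controller loses name resolution on a vanilla cluster; if `config/deploy` is meant for upstream users too, that needs either a second DNS rule or a comment stating the OpenShift-only scope.
```yaml
  ingress:
  - from:                 # metrics: only cluster monitoring scrapes 8443
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-monitoring
    ports:
    - protocol: TCP
      port: 8443
  - ports:                # healthz: kubelet probes come from the node, no pod selector possible
    - protocol: TCP
      port: 8081
  # … unchanged: egress rules (DNS, TCP 443/6443) …
```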
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: webhook
+ namespace: system
+spec:
+ podSelector:
+ matchLabels:
+ control-plane: webhook-server
+ policyTypes:
+ - Egress
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 9443
+ egress:
+ - ports: # kube api server port
+ - protocol: TCP
+ port: 6443
+ - protocol: TCP
+ port: 443
diff --git a/config/olm-hub/kustomization.yaml b/config/olm-hub/kustomization.yaml
index e7d7b0f53..e749b89ee 100644
--- a/config/olm-hub/kustomization.yaml
+++ b/config/olm-hub/kustomization.yaml
@@ -10,7 +10,7 @@ namePrefix: kmm-operator-hub-
 resources:
 - ../deploy-hub
 labels:
-- includeSelectors: true
+- includeSelectors: false
 pairs:
 app.kubernetes.io/component: kmm-hub
 app.kubernetes.io/name: kmm-hub
diff --git a/config/olm/kustomization.yaml b/config/olm/kustomization.yaml
index 0c1feef8e..3a307e784 100644
--- a/config/olm/kustomization.yaml
+++ b/config/olm/kustomization.yaml
@@ -10,7 +10,7 @@ namePrefix: kmm-operator-
 resources:
 - ../deploy
 labels:
-- includeSelectors: true
+- includeSelectors: false
 pairs:
 app.kubernetes.io/component: kmm
 app.kubernetes.io/name: kmm
diff --git a/config/webhook-server/kustomization.yaml b/config/webhook-server/kustomization.yaml
index 80f94030d..82056a918 100644
--- a/config/webhook-server/kustomization.yaml
+++ b/config/webhook-server/kustomization.yaml
@@ -10,6 +10,5 @@ images:
 newName: quay.io/edge-infrastructure/kernel-module-management-webhook-server
 newTag: latest
 labels:
-- includeSelectors: true
- pairs:
+- pairs:
 app.kubernetes.io/component: webhook-server
diff --git a/hack/generate-bundle b/hack/generate-bundle
index 85e06dfa8..6f0575091 100755
--- a/hack/generate-bundle
+++ b/hack/generate-bundle
@@ -8,6 +8,7 @@ set -euxo pipefail
 : "$PKG"
 : "$SOURCE_DIR"
 : "${SUFFIX:=}"
+: "${INCLUDE_NETWORK_POLICIES:=false}"
 readonly BUNDLE_DIR="bundle${SUFFIX}"
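Review bot: the egress rule in webhook.yaml has no `to:`, so `# kube api server port` is misleading in the same way as in controller.yaml — it allows TCP 443/6443 to anywhere; if the webhook only talks to the API server, pin the destination, or at least make the comment honest: `- ports: # TCP 443/6443 to any destination (kube-apiserver)`. Unlike the controller policy there is no DNS egress here, so the webhook can only reach the API server by IP; that is normally fine because the in-cluster client uses the `KUBERNETES_SERVICE_HOST` address, but it deserves a one-line comment so the asymmetry is not "fixed" later by someone copying the controller rule. Ingress on 9443 without `from:` is required because the caller is the API server on the host network; say so: `- ports: # admission requests from kube-apiserver (host network, cannot be pod-selected)`.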
@@ -23,6 +24,16 @@ oc kustomize "$MANIFESTS_DIR" | "$OPERATOR_SDK" generate bundle \
 --package "$PKG" \
 $BUNDLE_GEN_FLAGS
+# add network policies
+if [ "$INCLUDE_NETWORK_POLICIES" = "true" ] && [ -d "$SOURCE_DIR/config/network-policy" ]; then
+ for np_file in "$SOURCE_DIR/config/network-policy"/*.yaml; do
+ if [ -f "$np_file" ] && [ "$(basename "$np_file")" != "kustomization.yaml" ]; then
+ filename=$(basename "$np_file" .yaml)
+ cp "$np_file" "$BUNDLE_DIR/manifests/kmm-operator${SUFFIX}-$(unknown)_networking.k8s.io_v1_networkpolicy.yaml"
+ fi
+ done
+fi
+
 mv "$BUNDLE_DIR" "$SOURCE_DIR/$BUNDLE_DIR"
 mv bundle.Dockerfile "$SOURCE_DIR/bundle${SUFFIX}.Dockerfile"
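Review bot: the `cp` destination uses `$(unknown)` while the `filename` computed on the line above is never used; taken literally, `unknown` is a command substitution whose failure is masked inside a quoted argument even under `set -e`, every policy is written to the same `kmm-operator${SUFFIX}-_networking…` path and only the last one survives. If `$(unknown)` is a rendering artifact of `${filename}` ignore that part — the bundle file names on this page suggest that is the intent — but the dead assignment still needs resolving one way or the other. Two further points: the `[ -d … ]` guard silently yields a bundle without any policies when the directory is missing although the caller asked for them, which should be a hard failure; and the files are copied verbatim rather than rendered through kustomize, so `namespace: system` and the unprefixed names reach the bundle (visible in the `bundle*/manifests` hunks above) — confirm OLM rewrites the namespace to the install namespace, otherwise `default-deny` never applies. The `oc kustomize … | generate bundle` pipeline this block follows starts before the hunk.
```bash
# add network policies (copied verbatim: they are not routed through kustomize here,
# so they keep namespace: system and no namePrefix)
if [ "$INCLUDE_NETWORK_POLICIES" = "true" ]; then
  np_dir="$SOURCE_DIR/config/network-policy"
  [ -d "$np_dir" ] || { echo "INCLUDE_NETWORK_POLICIES=true but $np_dir does not exist" >&2; exit 1; }
  for np_file in "$np_dir"/*.yaml; do
    [ "$(basename "$np_file")" != "kustomization.yaml" ] || continue
    filename=$(basename "$np_file" .yaml)
    cp "$np_file" "$BUNDLE_DIR/manifests/kmm-operator${SUFFIX}-${filename}_networking.k8s.io_v1_networkpolicy.yaml"
  done
fi
# … unchanged: mv of the bundle directory and Dockerfile …
```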