42 changes: 40 additions & 2 deletions Makefile
Expand Up @@ -279,6 +279,22 @@ operator-sdk:
chmod +x ${OPERATOR_SDK}; \
fi

.PHONY: bundle-old
bundle-old: operator-sdk manifests kustomize ## Generate bundle manifests and metadata, then validate generated files.
rm -fr ./bundle
${OPERATOR_SDK} generate kustomize manifests --apis-dir api
cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG) worker=$(WORKER_IMG)
cd config/manager-base && $(KUSTOMIZE) edit set image must-gather=$(GATHER_IMG) signer=$(SIGNER_IMG)
cd config/webhook-server && $(KUSTOMIZE) edit set image webhook-server=$(WEBHOOK_IMG)

OPERATOR_SDK="${OPERATOR_SDK}" \
BUNDLE_GEN_FLAGS="${BUNDLE_GEN_FLAGS} --extra-service-accounts kmm-operator-module-loader,kmm-operator-device-plugin" \
PKG=kernel-module-management \
SOURCE_DIR=$(dir $(realpath $(lastword $(MAKEFILE_LIST)))) \
./hack/generate-bundle

${OPERATOR_SDK} bundle validate ./bundle

.PHONY: bundle
bundle: operator-sdk manifests kustomize ## Generate bundle manifests and metadata, then validate generated files.
rm -fr ./bundle
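Review bot: `bundle-old` carries the same `##` help string as `bundle` ("Generate bundle manifests and metadata, then validate generated files."), so the two targets cannot be told apart in the help output, and the copied recipe will drift from the original over time. The only visible difference is that `bundle-old` does not pass `INCLUDE_NETWORK_POLICIES`; say that in the help text, and consider one shared recipe parameterised on that variable instead of a second copy.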
Expand All @@ -291,9 +307,31 @@ bundle: operator-sdk manifests kustomize ## Generate bundle manifests and metada
BUNDLE_GEN_FLAGS="${BUNDLE_GEN_FLAGS} --extra-service-accounts kmm-operator-module-loader,kmm-operator-device-plugin" \
PKG=kernel-module-management \
SOURCE_DIR=$(dir $(realpath $(lastword $(MAKEFILE_LIST)))) \
INCLUDE_NETWORK_POLICIES=true \
./hack/generate-bundle

${OPERATOR_SDK} bundle validate ./bundle
.PHONY: bundle-hub-old
bundle-hub-old: operator-sdk manifests kustomize ## Generate bundle manifests and metadata, then validate generated files.
rm -fr bundle-hub

${OPERATOR_SDK} generate kustomize manifests \
--apis-dir api-hub \
--output-dir config/manifests-hub \
--package kernel-module-management-hub \
--input-dir config/manifests-hub
cd config/manager-hub && $(KUSTOMIZE) edit set image controller=$(HUB_IMG)
cd config/manager-base && $(KUSTOMIZE) edit set image must-gather=$(GATHER_IMG) signer=$(SIGNER_IMG)
cd config/webhook-server && $(KUSTOMIZE) edit set image webhook-server=$(WEBHOOK_IMG)

OPERATOR_SDK="${OPERATOR_SDK}" \
BUNDLE_GEN_FLAGS="${BUNDLE_GEN_FLAGS}" \
MANIFESTS_DIR=config/manifests-hub \
PKG=kernel-module-management-hub \
SOURCE_DIR=$(dir $(realpath $(lastword $(MAKEFILE_LIST)))) \
SUFFIX="-hub" \
./hack/generate-bundle

${OPERATOR_SDK} bundle validate ./bundle-hub

.PHONY: bundle-hub
bundle-hub: operator-sdk manifests kustomize ## Generate bundle manifests and metadata, then validate generated files.
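Review bot: `bundle-hub-old` begins with `rm -fr bundle-hub` and ends with `bundle validate ./bundle-hub`, the same output directory that `bundle-hub` validates, but it does not pass `INCLUDE_NETWORK_POLICIES=true`. Running it after `bundle-hub` replaces the generated bundle with one built without that flag, and nothing in the recipe or the output signals the difference. Give the `-old` variants their own output directory, or document next to the target when each one is meant to be used.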
Expand All @@ -314,9 +352,9 @@ bundle-hub: operator-sdk manifests kustomize ## Generate bundle manifests and me
PKG=kernel-module-management-hub \
SOURCE_DIR=$(dir $(realpath $(lastword $(MAKEFILE_LIST)))) \
SUFFIX="-hub" \
INCLUDE_NETWORK_POLICIES=true \
./hack/generate-bundle

${OPERATOR_SDK} bundle validate ./bundle-hub

.PHONY: bundle-build-hub
bundle-build-hub: ## Build the bundle-hub image.
2 changes: 1 addition & 1 deletion PROJECT
@@ -1,6 +1,6 @@
domain: sigs.x-k8s.io
layout:
- go.kubebuilder.io/v3
- go.kubebuilder.io/v4

💡 Verification agent

🧩 Analysis chain

Kubebuilder layout bumped to v4 — confirm toolchain compatibility.

Layout v4 with config version "3" is fine, but ensure your pinned operator-sdk/kubebuilder versions in CI and dev images understand v4 layouts.

We can follow up with specific pin recommendations if needed.


🏁 Script executed:

#!/usr/bin/env bash
# If you pin operator-sdk/kubebuilder in Makefiles or images, surface them
rg -n -C2 -e 'operator-sdk|kubebuilder' Makefile hack/ Dockerfile* .github

Length of output: 2306


Action Required: Upgrade Operator-SDK and Kubebuilder CLI for go.kubebuilder.io/v4 support

The Makefile currently pins Operator-SDK to v1.32.0, which predates support for Kubebuilder v4 layouts (added in Operator-SDK v1.38.0) (newreleases.io, github.com). Without upgrading, commands like operator-sdk generate won’t recognize your layout: go.kubebuilder.io/v4 scaffold.

• Makefile (around line 278): change

- curl -Lo ${OPERATOR_SDK} 'https://github.com/operator-framework/operator-sdk/releases/download/v1.32.0/operator-sdk_linux_amd64'
+ curl -Lo ${OPERATOR_SDK} 'https://github.com/operator-framework/operator-sdk/releases/download/v1.38.0/operator-sdk_linux_amd64'

(or bump to the latest v1.38.0+ tag)
• Dev/CI images or Dockerfiles: if you install the Kubebuilder CLI directly, pin it to a compatible v4.x release (e.g., v4.6.0) so that kubebuilder commands understand the v4 layout (github.com).
• Verify your ENVTEST_K8S_VERSION = 1.23 remains appropriate for your target Kubernetes version; no change is needed here unless you also bump test-env to match newer K8s minor versions.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In PROJECT around line 3 and Makefile around line 278, the repo still targets
go.kubebuilder.io/v4 but the Makefile pins operator-sdk to v1.32.0 which lacks
Kubebuilder v4 support; update the Makefile to bump operator-sdk to v1.38.0 or
later (or to the latest v1.38+ tag), and in any Dev/CI Dockerfiles or scripts
that install the Kubebuilder CLI pin kubebuilder to a v4.x release (e.g.,
v4.6.0) so kubebuilder commands understand the v4 layout; after changes, run the
operator-sdk generate commands in CI/dev and verify ENVTEST_K8S_VERSION
(currently 1.23) still matches your target Kubernetes versions, adjusting only
if you also upgrade test-env/k8s versions.

plugins:
manifests.sdk.operatorframework.io/v2: {}
scorecard.sdk.operatorframework.io/v2: {}
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ metadata:
}
]
capabilities: Seamless Upgrades
createdAt: "2025-07-15T14:14:25Z"
createdAt: "2025-08-26T14:37:47Z"
operatorframework.io/suggested-namespace: openshift-kmm-hub
operators.operatorframework.io/builder: operator-sdk-v1.32.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
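Review bot: the regenerated CSV still carries `operators.operatorframework.io/project_layout: go.kubebuilder.io/v3` and `builder: operator-sdk-v1.32.0` in the context lines of this hunk, while the PROJECT file in this PR moves the layout to `go.kubebuilder.io/v4`. Only `createdAt` changed here, so the layout bump did not propagate to the generated metadata; regenerate so the annotation matches PROJECT, or explain in the PR description why the two are expected to differ.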
Expand Down Expand Up @@ -227,19 +227,13 @@ spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: kmm-hub
app.kubernetes.io/name: kmm-hub
app.kubernetes.io/part-of: kmm
control-plane: controller
strategy: {}
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: manager
labels:
app.kubernetes.io/component: kmm-hub
app.kubernetes.io/name: kmm-hub
app.kubernetes.io/part-of: kmm
control-plane: controller
spec:
affinity:
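Review bot: `spec.selector.matchLabels` loses three labels in this hunk, and a Deployment's selector is immutable in apps/v1, so applying this spec over an existing Deployment created from the previous bundle will be rejected unless the Deployment is recreated. The CSV advertises `capabilities: Seamless Upgrades`, so please test an upgrade from the previous bundle. If the labels were dropped to line up with the new NetworkPolicy selectors, that is not required: `matchLabels: control-plane: controller` also matches pods that carry additional labels.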
Expand Down Expand Up @@ -324,19 +318,13 @@ spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: kmm-hub
app.kubernetes.io/name: kmm-hub
app.kubernetes.io/part-of: kmm
control-plane: webhook-server
strategy: {}
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: webhook-server
labels:
app.kubernetes.io/component: kmm-hub
app.kubernetes.io/name: kmm-hub
app.kubernetes.io/part-of: kmm
control-plane: webhook-server
spec:
affinity:
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: build-and-sign
namespace: system
spec:
podSelector:
matchExpressions:
- key: openshift.io/build.name
operator: Exists
policyTypes:
- Egress
egress:
- {}
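Review bot: `egress: - {}` is an allow-all rule, so every pod in the namespace that carries an `openshift.io/build.name` label (with any value, since the selector uses `operator: Exists`) is exempt from the egress half of `default-deny`. If build and sign pods only need the registry, DNS and the API server, list those peers and ports explicitly. If they do need arbitrary egress, add a comment in the manifest saying why, because the exemption depends only on a label that whoever creates the pod can set.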
Comment on lines +7 to +14

⚠️ Potential issue

Fix YAML lint issues (indentation, trailing newline) and keep minimal style.

YAMLLint flagged indentation under policyTypes and missing newline at EOF. Also normalize list indentation under matchExpressions.

 spec:
-  podSelector:
-    matchExpressions:
-    - key: openshift.io/build.name
-      operator: Exists
-  policyTypes:
-    - Egress
-  egress:
-  - {}
+  podSelector:
+    matchExpressions:
+      - key: openshift.io/build.name
+        operator: Exists
+  policyTypes:
+  - Egress
+  egress:
+  - {}
+
🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 12-12: wrong indentation: expected 2 but found 4

(indentation)


[error] 14-14: no new line character at the end of file

(new-line-at-end-of-file)

🤖 Prompt for AI Agents
In
bundle-hub/manifests/kmm-operator-hub-build-and-sign_networking.k8s.io_v1_networkpolicy.yaml
around lines 7 to 14, the YAML has lint problems: incorrect indentation for the
policyTypes and list items under matchExpressions, and missing trailing newline.
Fix by aligning list items two spaces under their parent keys (ensure
matchExpressions items are indented to match podSelector and the dash items are
properly indented), place policyTypes and its list at the same indentation level
as podSelector and egress, and ensure the file ends with a single trailing
newline; keep the minimal style (no extra blank lines or comments).

Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,6 @@ spec:
protocol: TCP
targetPort: metrics
selector:
app.kubernetes.io/component: kmm-hub
app.kubernetes.io/name: kmm-hub
app.kubernetes.io/part-of: kmm
control-plane: controller
status:
loadBalancer: {}
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: controller
namespace: system
spec:
podSelector:
matchLabels:
control-plane: controller
policyTypes:
- Egress
- Ingress
ingress:
- ports:
- protocol: TCP # metrics port
port: 8443
- protocol: TCP
port: 8081 # Healthz
egress:
- to:
- namespaceSelector: # DNS
matchLabels:
kubernetes.io/metadata.name: openshift-dns
podSelector:
matchLabels:
dns.operator.openshift.io/daemonset-dns: default
ports:
- protocol: UDP # DNS
port: 53
- protocol: TCP # DNS
port: 53
- ports: # kube api server
- protocol: TCP
port: 6443
- protocol: TCP
port: 443
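Review bot: the last egress rule is commented `# kube api server` but has no `to` peer, so it allows TCP 6443 and 443 to any destination, not only the API server. The ingress rule likewise has no `from`, so 8443 and 8081 accept connections from any source. Either scope the rules (for example an `ipBlock` for the API server endpoints and a `namespaceSelector` for the monitoring namespace on 8443) or reword the comments so they do not suggest a restriction the policy does not enforce.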
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
namespace: system
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
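Review bot: `podSelector: {}` with both policy types isolates every pod in the namespace, and the only allowances added in this PR select `control-plane: controller`, `control-plane: webhook-server` and pods with an `openshift.io/build.name` label. Please confirm that no other pod scheduled into the operator namespace needs network access (the Makefile sets `worker`, `signer` and `must-gather` images), and add an e2e run that exercises a build and sign flow with these policies applied.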
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,6 @@ spec:
protocol: TCP
targetPort: 9443
selector:
app.kubernetes.io/component: kmm-hub
app.kubernetes.io/name: kmm-hub
app.kubernetes.io/part-of: kmm
control-plane: webhook-server
status:
loadBalancer: {}
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: webhook
namespace: system
spec:
podSelector:
matchLabels:
control-plane: webhook-server
policyTypes:
Comment on lines +7 to +10

⚠️ Potential issue

Selector likely mismatched with current webhook pod labels

NetworkPolicy selects pods via control-plane: webhook-server, while config/webhook-server/kustomization.yaml applies app.kubernetes.io/component: webhook-server. Unless the Deployment also sets control-plane: webhook-server on the Pod template, this policy won’t select the webhook pods and will be a no-op.

Apply one of the following to align:

Option A — make the policy match the kustomize-applied label:

 spec:
   podSelector:
     matchLabels:
-      control-plane: webhook-server
+      app.kubernetes.io/component: webhook-server

Option B — keep the policy as-is but add the missing pod label via kustomize (see my comment on config/webhook-server/kustomization.yaml).


- Egress
- Ingress
ingress:
- ports:
- protocol: TCP
port: 9443
Comment on lines +13 to +16

🛠️ Refactor suggestion

Ingress currently allows from anywhere; restrict to API server

With an ingress rule that only lists ports and no from peers, traffic on 9443 is allowed from any source. For admission webhooks we should scope ingress to the API server namespaces to reduce blast radius.

Example tightening (covers both vanilla and OpenShift):

   ingress:
-  - ports:
-    - protocol: TCP
-      port: 9443
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-kube-apiserver
+    ports:
+    - protocol: TCP
+      port: 9443

If you prefer stricter scoping, we can further constrain with podSelector labels on the apiserver pods in those namespaces.

🤖 Prompt for AI Agents
In
bundle-hub/manifests/kmm-operator-hub-webhook_networking.k8s.io_v1_networkpolicy.yaml
lines 13-16, the ingress rule lists only ports so port 9443 is open to any
source; add explicit from peers to restrict traffic to API server namespaces.
Modify the ingress stanza to include from entries for the API server namespaces
(e.g., a namespaceSelector with matchLabels: kubernetes.io/metadata.name:
kube-system and a second from entry for OpenShift API namespace like
matchLabels: kubernetes.io/metadata.name: openshift-apiserver / or
openshift-kube-apiserver as appropriate), and optionally add a podSelector
within those from entries to limit to apiserver pods; ensure multiple from
blocks are used so only requests originating from those namespaces/pods can
reach port 9443.

egress:
- ports: # kube api server port
- protocol: TCP
port: 6443
- protocol: TCP
port: 443
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ metadata:
}
]
capabilities: Seamless Upgrades
createdAt: "2025-07-15T13:32:13Z"
createdAt: "2025-08-26T14:37:46Z"
operatorframework.io/suggested-namespace: openshift-kmm
operators.operatorframework.io/builder: operator-sdk-v1.32.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
Expand Down Expand Up @@ -303,19 +303,13 @@ spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: kmm
app.kubernetes.io/name: kmm
app.kubernetes.io/part-of: kmm
control-plane: controller
strategy: {}
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: manager
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/name: kmm
app.kubernetes.io/part-of: kmm
control-plane: controller
spec:
affinity:
Expand Down Expand Up @@ -402,19 +396,13 @@ spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: kmm
app.kubernetes.io/name: kmm
app.kubernetes.io/part-of: kmm
control-plane: webhook-server
strategy: {}
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: webhook-server
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/name: kmm
app.kubernetes.io/part-of: kmm
control-plane: webhook-server
spec:
affinity:
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: build-and-sign
namespace: system
spec:
podSelector:
matchExpressions:
- key: openshift.io/build.name
operator: Exists
policyTypes:
- Egress
egress:
- {}
Comment on lines +11 to +14

⚠️ Potential issue

Fix YAML indentation and ensure newline at EOF to satisfy linters/CI.

Yamllint flagged indentation and missing newline. Apply:

 spec:
   podSelector:
     matchExpressions:
-    - key: openshift.io/build.name
-      operator: Exists
-  policyTypes:
-    - Egress
-  egress:
-  - {}
+    - key: openshift.io/build.name
+      operator: Exists
+  policyTypes:
+  - Egress
+  egress:
+  - {}
+ 

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 12-12: wrong indentation: expected 2 but found 4

(indentation)


[error] 14-14: no new line character at the end of file

(new-line-at-end-of-file)

🤖 Prompt for AI Agents
In
bundle/manifests/kmm-operator-build-and-sign_networking.k8s.io_v1_networkpolicy.yaml
around lines 11 to 14, the YAML has incorrect indentation for the
policyTypes/egress block and is missing a newline at EOF; fix the indentation so
that "policyTypes:" and "egress:" are top-level entries with their lists
properly indented (e.g. policyTypes: followed by an indented "- Egress" and
egress: followed by an indented "- {}" or a proper rule), and ensure the file
ends with a single trailing newline character.

Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,6 @@ spec:
protocol: TCP
targetPort: metrics
selector:
app.kubernetes.io/component: kmm
app.kubernetes.io/name: kmm
app.kubernetes.io/part-of: kmm
control-plane: controller
status:
loadBalancer: {}
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: controller
namespace: system
spec:
Comment on lines +3 to +6

💡 Verification agent

🧩 Analysis chain

Bundle manifest should not hardcode metadata.namespace: system.

OLM typically applies bundle objects into the operator’s install namespace. Shipping a hardcoded namespace can cause install-time failures or resources landing in the wrong namespace. Recommend dropping the field in the bundled file (or have the bundle generator strip it).

 metadata:
   name: controller
-  namespace: system

🏁 Script executed:

#!/usr/bin/env bash
# Locate the NetworkPolicy manifest and print its metadata section
manifest="bundle/manifests/kmm-operator-controller_networking.k8s.io_v1_networkpolicy.yaml"
if [ -f "$manifest" ]; then
  echo "Showing lines 1-20 of $manifest:"
  sed -n '1,20p' "$manifest"
else
  echo "$manifest not found."
fi

Length of output: 871


Remove hardcoded namespace from NetworkPolicy manifest

The bundle’s NetworkPolicy manifest explicitly sets metadata.namespace: system, which will force the resource into the system namespace regardless of the operator’s install namespace. This can lead to install-time failures or resources landing in the wrong namespace. OLM by default applies namespaced objects into the operator’s install namespace, so you should omit the namespace field.

Please update the file as follows:

• File: bundle/manifests/kmm-operator-controller_networking.k8s.io_v1_networkpolicy.yaml
• Remove or comment out the namespace: system line under metadata.

Suggested diff:

 metadata:
   name: controller
-  namespace: system
🤖 Prompt for AI Agents
In
bundle/manifests/kmm-operator-controller_networking.k8s.io_v1_networkpolicy.yaml
around lines 3 to 6, remove the hardcoded metadata.namespace: system line so the
NetworkPolicy does not force the resource into a specific namespace; delete or
comment out that namespace entry under metadata and leave metadata.name only so
OLM can apply the object into the operator’s install namespace.

podSelector:
matchLabels:
control-plane: controller
policyTypes:
- Egress
- Ingress
ingress:
- ports:
- protocol: TCP # metrics port
port: 8443
- protocol: TCP
port: 8081 # Healthz
egress:
- to:
- namespaceSelector: # DNS
matchLabels:
kubernetes.io/metadata.name: openshift-dns
podSelector:
matchLabels:
dns.operator.openshift.io/daemonset-dns: default
ports:
- protocol: UDP # DNS
port: 53
- protocol: TCP # DNS
port: 53
- ports: # kube api server
- protocol: TCP
port: 6443
- protocol: TCP
port: 443
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
namespace: system
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
3 changes: 0 additions & 3 deletions bundle/manifests/kmm-operator-webhook-service_v1_service.yaml
Expand Up @@ -16,9 +16,6 @@ spec:
protocol: TCP
targetPort: 9443
selector:
app.kubernetes.io/component: kmm
app.kubernetes.io/name: kmm
app.kubernetes.io/part-of: kmm
control-plane: webhook-server
status:
loadBalancer: {}
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: webhook
namespace: system

🛠️ Refactor suggestion

Hard-coded namespace "system" in a bundle may not match install namespace.

OLM typically installs namespaced resources into the operator’s target namespace. A hard-coded "system" can cause install failures or drift if the operator is installed into openshift-kmm (as your default overlay suggests).

Two safe options:

  • Prefer omitting metadata.namespace in the source NP so the bundle inherits the install namespace.
  • Or ensure the bundle generation step rewrites namespace to the operator’s install namespace.

Proposed change (if you choose to drop explicit namespace in source before bundling):

-  namespace: system

If you’d rather rewrite at bundle time, adjust hack/generate-bundle to strip or replace the namespace on copied NetworkPolicy YAMLs.

🤖 Prompt for AI Agents
In bundle/manifests/kmm-operator-webhook_networking.k8s.io_v1_networkpolicy.yaml
around line 5 the NetworkPolicy has a hard-coded namespace: system which can
break installs into a different operator namespace; fix this by either removing
the metadata.namespace entry from the source NetworkPolicy so it inherits the
install namespace, or if you must keep per-bundle YAMLs, update
hack/generate-bundle to strip or replace metadata.namespace for NetworkPolicy
files during bundle generation (identify files by kind: NetworkPolicy and remove
or set namespace to the operator install namespace variable).

spec:
podSelector:
matchLabels:
control-plane: webhook-server
policyTypes:
- Egress
- Ingress
ingress:
- ports:
- protocol: TCP
port: 9443
egress:
- ports: # kube api server port
- protocol: TCP
port: 6443
- protocol: TCP
port: 443
2 changes: 2 additions & 0 deletions ci/e2e/kustomization.yaml
Expand Up @@ -10,8 +10,10 @@ generatorOptions:

configMapGenerator:
- name: kmm-kmod-dockerfile
namespace: openshift-kmm
files: [dockerfile=Dockerfile]

secretGenerator:
- name: build-secret
namespace: openshift-kmm
literals: [ci-build-secret=super-secret-value]