From d2b7e8000e0bd1274c89f3e50ed493f01598663d Mon Sep 17 00:00:00 2001 From: Jonathan Dobson Date: Mon, 13 Oct 2025 15:43:07 -0600 Subject: [PATCH 1/2] STOR-2331: Add NetworkPolicy manifests for LSO --- .../diskmaker-discovery-daemonset.yaml | 3 ++ .../diskmaker-manager-daemonset.yaml | 3 ++ ...torage-operator.clusterserviceversion.yaml | 3 ++ ...ork-policy-allow-egress-to-api-server.yaml | 20 +++++++++++++ .../network-policy-allow-egress-to-dns.yaml | 29 +++++++++++++++++++ ...cy-allow-ingress-to-diskmaker-metrics.yaml | 22 ++++++++++++++ ...icy-allow-ingress-to-operator-metrics.yaml | 22 ++++++++++++++ .../network-policy-default-deny-all.yaml | 15 ++++++++++ 8 files changed, 117 insertions(+) create mode 100644 config/manifests/stable/network-policy-allow-egress-to-api-server.yaml create mode 100644 config/manifests/stable/network-policy-allow-egress-to-dns.yaml create mode 100644 config/manifests/stable/network-policy-allow-ingress-to-diskmaker-metrics.yaml create mode 100644 config/manifests/stable/network-policy-allow-ingress-to-operator-metrics.yaml create mode 100644 config/manifests/stable/network-policy-default-deny-all.yaml diff --git a/assets/templates/diskmaker-discovery-daemonset.yaml b/assets/templates/diskmaker-discovery-daemonset.yaml index 387c7d61e..1b993f389 100644 --- a/assets/templates/diskmaker-discovery-daemonset.yaml +++ b/assets/templates/diskmaker-discovery-daemonset.yaml @@ -15,6 +15,9 @@ spec: target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' labels: app: diskmaker-discovery + openshift.storage.network-policy.dns: allow + openshift.storage.network-policy.api-server: allow + openshift.storage.network-policy.diskmaker-metrics: allow spec: containers: - args: diff --git a/assets/templates/diskmaker-manager-daemonset.yaml b/assets/templates/diskmaker-manager-daemonset.yaml index ac5613d1c..cd9e792bd 100644 --- a/assets/templates/diskmaker-manager-daemonset.yaml 
+++ b/assets/templates/diskmaker-manager-daemonset.yaml @@ -15,6 +15,9 @@ spec: target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' labels: app: diskmaker-manager + openshift.storage.network-policy.dns: allow + openshift.storage.network-policy.api-server: allow + openshift.storage.network-policy.diskmaker-metrics: allow spec: containers: - args: diff --git a/config/manifests/stable/local-storage-operator.clusterserviceversion.yaml b/config/manifests/stable/local-storage-operator.clusterserviceversion.yaml index 530522858..0886a3411 100644 --- a/config/manifests/stable/local-storage-operator.clusterserviceversion.yaml +++ b/config/manifests/stable/local-storage-operator.clusterserviceversion.yaml @@ -434,6 +434,9 @@ spec: target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' labels: name: local-storage-operator + openshift.storage.network-policy.dns: allow + openshift.storage.network-policy.api-server: allow + openshift.storage.network-policy.operator-metrics: allow spec: serviceAccountName: local-storage-operator priorityClassName: openshift-user-critical diff --git a/config/manifests/stable/network-policy-allow-egress-to-api-server.yaml b/config/manifests/stable/network-policy-allow-egress-to-api-server.yaml new file mode 100644 index 000000000..86f4830ec --- /dev/null +++ b/config/manifests/stable/network-policy-allow-egress-to-api-server.yaml 
@@ -0,0 +1,20 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-egress-to-api-server + annotations: + include.release.openshift.io/hypershift: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + capability.openshift.io/name: Storage +spec: + podSelector: + matchLabels: + openshift.storage.network-policy.api-server: allow + egress: + - ports: + - protocol: TCP + port: 6443 + policyTypes: + - Egress diff --git a/config/manifests/stable/network-policy-allow-egress-to-dns.yaml b/config/manifests/stable/network-policy-allow-egress-to-dns.yaml new file mode 100644 index 000000000..69f9ca02a --- /dev/null +++ b/config/manifests/stable/network-policy-allow-egress-to-dns.yaml @@ -0,0 +1,29 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-egress-to-dns + annotations: + include.release.openshift.io/hypershift: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + capability.openshift.io/name: Storage +spec: + podSelector: + matchLabels: + openshift.storage.network-policy.dns: allow + egress: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: openshift-dns + podSelector: + matchLabels: + dns.operator.openshift.io/daemonset-dns: default + ports: + - protocol: TCP + port: dns-tcp + - protocol: UDP + port: dns + policyTypes: + - Egress diff --git a/config/manifests/stable/network-policy-allow-ingress-to-diskmaker-metrics.yaml b/config/manifests/stable/network-policy-allow-ingress-to-diskmaker-metrics.yaml new file mode 100644 index 000000000..5d260e330 --- /dev/null +++ b/config/manifests/stable/network-policy-allow-ingress-to-diskmaker-metrics.yaml 
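Review bot: The egress rule under `egress:` in network-policy-allow-egress-to-api-server.yaml has a `ports` entry but no `to` peer, so the selected pods may reach any destination on TCP/6443, not only the API server. That is a common pattern because the API server is not a selectable in-cluster pod, but the manifest should say so, e.g. a comment above `- ports:` reading `# No 'to' peer: the API server is not a selectable pod, so any destination on TCP/6443 is permitted.` It is also worth confirming that the API endpoint port is 6443 on every topology the include annotations enable (hosted control planes in particular), since a different port would leave these pods unable to reach the API server once the default-deny policy applies.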
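Review bot: The `ports` entries `dns-tcp` and `dns` in network-policy-allow-egress-to-dns.yaml are named ports, which are resolved against the container port names of the selected DNS pods rather than against anything in this manifest; if the DNS daemonset renames them the rule silently stops matching and every labelled pod loses name resolution. A short comment above `ports:` would make the dependency visible, e.g. `# Named ports: must match the containerPort names on the openshift-dns pods selected above.`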
@@ -0,0 +1,22 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-ingress-to-diskmaker-metrics + annotations: + include.release.openshift.io/hypershift: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + capability.openshift.io/name: Storage +spec: + podSelector: + matchLabels: + openshift.storage.network-policy.diskmaker-metrics: allow + ingress: + - ports: + - protocol: TCP + port: 8383 + - protocol: TCP + port: 9393 + policyTypes: + - Ingress diff --git a/config/manifests/stable/network-policy-allow-ingress-to-operator-metrics.yaml b/config/manifests/stable/network-policy-allow-ingress-to-operator-metrics.yaml new file mode 100644 index 000000000..914e17e11 --- /dev/null +++ b/config/manifests/stable/network-policy-allow-ingress-to-operator-metrics.yaml @@ -0,0 +1,22 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-ingress-to-operator-metrics + annotations: + include.release.openshift.io/hypershift: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + capability.openshift.io/name: Storage +spec: + podSelector: + matchLabels: + openshift.storage.network-policy.operator-metrics: allow + ingress: + - ports: + - protocol: TCP + port: 8080 + - protocol: TCP + port: 8081 + policyTypes: + - Ingress diff --git a/config/manifests/stable/network-policy-default-deny-all.yaml b/config/manifests/stable/network-policy-default-deny-all.yaml new file mode 100644 index 000000000..27c519940 --- /dev/null +++ b/config/manifests/stable/network-policy-default-deny-all.yaml 
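Review bot: The ingress rule in network-policy-allow-ingress-to-diskmaker-metrics.yaml lists `ports` 8383 and 9393 without a `from` peer, so once the default-deny policy is in place these metrics endpoints are reopened to every pod in every namespace (and to non-pod sources) rather than only to the scraper. If cluster monitoring is the only intended client, restrict the rule with a `from` namespaceSelector on the monitoring namespace (`openshift-monitoring` on OpenShift); network-policy-allow-ingress-to-operator-metrics.yaml has the same shape for ports 8080 and 8081 and should get the same treatment. If other scrapers are expected, document them in a comment above `ingress:` instead so the unrestricted ingress is clearly deliberate.
```yaml
spec:
  # … unchanged: podSelector on the diskmaker-metrics opt-in label …
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-monitoring
    ports:
    # … unchanged: TCP 8383 and TCP 9393 …
```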
@@ -0,0 +1,15 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny-all + annotations: + include.release.openshift.io/hypershift: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + capability.openshift.io/name: Storage +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress From b9d832add4375c80d767852a9d1132dbd4fe4757 Mon Sep 17 00:00:00 2001 From: Jonathan Dobson Date: Thu, 23 Oct 2025 17:24:07 -0600 Subject: [PATCH 2/2] add prefix to network policies to avoid naming conflicts --- assets/templates/diskmaker-discovery-daemonset.yaml | 6 +++--- assets/templates/diskmaker-manager-daemonset.yaml | 6 +++--- .../local-storage-operator.clusterserviceversion.yaml | 6 +++--- .../stable/network-policy-allow-egress-to-api-server.yaml | 4 ++-- .../stable/network-policy-allow-egress-to-dns.yaml | 4 ++-- .../network-policy-allow-ingress-to-diskmaker-metrics.yaml | 4 ++-- .../network-policy-allow-ingress-to-operator-metrics.yaml | 4 ++-- .../manifests/stable/network-policy-default-deny-all.yaml | 2 +- 8 files changed, 18 insertions(+), 18 deletions(-) diff --git a/assets/templates/diskmaker-discovery-daemonset.yaml b/assets/templates/diskmaker-discovery-daemonset.yaml index 1b993f389..ef062d4ff 100644 --- a/assets/templates/diskmaker-discovery-daemonset.yaml +++ b/assets/templates/diskmaker-discovery-daemonset.yaml 
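Review bot: `podSelector: {}` with both policy types in network-policy-default-deny-all.yaml isolates every pod in the namespace, including any pod that does not carry one of the opt-in labels added in this series; such a pod gets no ingress and no egress at all, not even DNS. That is presumably intended, but it is not visible from the manifest, so a comment above `podSelector: {}` would help future contributors, e.g. `# Matches every pod in the namespace; a pod only regains traffic via the allow-* policies by carrying the openshift.storage.network-policy opt-in labels.`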
@@ -15,9 +15,9 @@ spec: target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' labels: app: diskmaker-discovery - openshift.storage.network-policy.dns: allow - openshift.storage.network-policy.api-server: allow - openshift.storage.network-policy.diskmaker-metrics: allow + openshift.storage.network-policy.lso.dns: allow + openshift.storage.network-policy.lso.api-server: allow + openshift.storage.network-policy.lso.diskmaker-metrics: allow spec: containers: - args: diff --git a/assets/templates/diskmaker-manager-daemonset.yaml b/assets/templates/diskmaker-manager-daemonset.yaml index cd9e792bd..892f371b5 100644 --- a/assets/templates/diskmaker-manager-daemonset.yaml +++ b/assets/templates/diskmaker-manager-daemonset.yaml @@ -15,9 +15,9 @@ spec: target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' labels: app: diskmaker-manager - openshift.storage.network-policy.dns: allow - openshift.storage.network-policy.api-server: allow - openshift.storage.network-policy.diskmaker-metrics: allow + openshift.storage.network-policy.lso.dns: allow + openshift.storage.network-policy.lso.api-server: allow + openshift.storage.network-policy.lso.diskmaker-metrics: allow spec: containers: - args: diff --git a/config/manifests/stable/local-storage-operator.clusterserviceversion.yaml b/config/manifests/stable/local-storage-operator.clusterserviceversion.yaml index 0886a3411..cde44d590 100644 --- a/config/manifests/stable/local-storage-operator.clusterserviceversion.yaml +++ b/config/manifests/stable/local-storage-operator.clusterserviceversion.yaml 
@@ -434,9 +434,9 @@ spec: target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' labels: name: local-storage-operator - openshift.storage.network-policy.dns: allow - openshift.storage.network-policy.api-server: allow - openshift.storage.network-policy.operator-metrics: allow + openshift.storage.network-policy.lso.dns: allow + openshift.storage.network-policy.lso.api-server: allow + openshift.storage.network-policy.lso.operator-metrics: allow spec: serviceAccountName: local-storage-operator priorityClassName: openshift-user-critical diff --git a/config/manifests/stable/network-policy-allow-egress-to-api-server.yaml b/config/manifests/stable/network-policy-allow-egress-to-api-server.yaml index 86f4830ec..7a811c4df 100644 --- a/config/manifests/stable/network-policy-allow-egress-to-api-server.yaml +++ b/config/manifests/stable/network-policy-allow-egress-to-api-server.yaml @@ -1,7 +1,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: allow-egress-to-api-server + name: lso-allow-egress-to-api-server annotations: include.release.openshift.io/hypershift: "true" include.release.openshift.io/ibm-cloud-managed: "true" @@ -11,7 +11,7 @@ metadata: spec: podSelector: matchLabels: - openshift.storage.network-policy.api-server: allow + openshift.storage.network-policy.lso.api-server: allow egress: - ports: - protocol: TCP diff --git a/config/manifests/stable/network-policy-allow-egress-to-dns.yaml b/config/manifests/stable/network-policy-allow-egress-to-dns.yaml index 69f9ca02a..43c7a8467 100644 --- a/config/manifests/stable/network-policy-allow-egress-to-dns.yaml +++ b/config/manifests/stable/network-policy-allow-egress-to-dns.yaml @@ -1,7 +1,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: allow-egress-to-dns + name: lso-allow-egress-to-dns annotations: include.release.openshift.io/hypershift: "true" include.release.openshift.io/ibm-cloud-managed: "true" 
@@ -11,7 +11,7 @@ metadata: spec: podSelector: matchLabels: - openshift.storage.network-policy.dns: allow + openshift.storage.network-policy.lso.dns: allow egress: - to: - namespaceSelector: diff --git a/config/manifests/stable/network-policy-allow-ingress-to-diskmaker-metrics.yaml b/config/manifests/stable/network-policy-allow-ingress-to-diskmaker-metrics.yaml index 5d260e330..267ef3c07 100644 --- a/config/manifests/stable/network-policy-allow-ingress-to-diskmaker-metrics.yaml +++ b/config/manifests/stable/network-policy-allow-ingress-to-diskmaker-metrics.yaml @@ -1,7 +1,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: allow-ingress-to-diskmaker-metrics + name: lso-allow-ingress-to-diskmaker-metrics annotations: include.release.openshift.io/hypershift: "true" include.release.openshift.io/ibm-cloud-managed: "true" @@ -11,7 +11,7 @@ metadata: spec: podSelector: matchLabels: - openshift.storage.network-policy.diskmaker-metrics: allow + openshift.storage.network-policy.lso.diskmaker-metrics: allow ingress: - ports: - protocol: TCP diff --git a/config/manifests/stable/network-policy-allow-ingress-to-operator-metrics.yaml b/config/manifests/stable/network-policy-allow-ingress-to-operator-metrics.yaml index 914e17e11..de5ce9afe 100644 --- a/config/manifests/stable/network-policy-allow-ingress-to-operator-metrics.yaml +++ b/config/manifests/stable/network-policy-allow-ingress-to-operator-metrics.yaml @@ -1,7 +1,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: allow-ingress-to-operator-metrics + name: lso-allow-ingress-to-operator-metrics annotations: include.release.openshift.io/hypershift: "true" include.release.openshift.io/ibm-cloud-managed: "true" @@ -11,7 +11,7 @@ metadata: spec: podSelector: matchLabels: - openshift.storage.network-policy.operator-metrics: allow + openshift.storage.network-policy.lso.operator-metrics: allow ingress: - ports: - protocol: TCP 
diff --git a/config/manifests/stable/network-policy-default-deny-all.yaml b/config/manifests/stable/network-policy-default-deny-all.yaml index 27c519940..3c6e36576 100644 --- a/config/manifests/stable/network-policy-default-deny-all.yaml +++ b/config/manifests/stable/network-policy-default-deny-all.yaml @@ -1,7 +1,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: default-deny-all + name: lso-default-deny-all annotations: include.release.openshift.io/hypershift: "true" include.release.openshift.io/ibm-cloud-managed: "true"