
@liouk
Member

@liouk liouk commented Jan 23, 2026

This PR adds network policies to the authentication operator, oauth-server and oauth-apiserver. For each component, there are two policies:

  • one to allow all Ingress/Egress known traffic for each component
  • one to deny all other Ingress/Egress traffic for each component

All known and required connections must be reflected in the respective allow rules.

Note that, in the case of pods that require traffic to/from hostNetwork pods (such as the kube-apiserver), we need to allow all ingress/egress TCP traffic; NetworkPolicies do not affect pods on hostNetwork, but we still need a rule to allow ingress/egress from/to them.

In some cases there might be some overlap in the policy rules, but this is intentional for the sake of documentation/future reference.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 23, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 23, 2026
@openshift-ci-robot
Contributor

openshift-ci-robot commented Jan 23, 2026

@liouk: This pull request references CNTRLPLANE-2610 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

In response to this:

This PR adds network policies to the authentication operator, oauth-server and oauth-apiserver. For each component, there are two policies:

  • one to allow all Ingress/Egress known traffic for each component
  • one to deny all other Ingress/Egress traffic for each component

All known and required connections must be reflected in the respective allow rules.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai bot commented Jan 23, 2026

Walkthrough

This pull request introduces Kubernetes NetworkPolicy resources for OpenShift authentication components across multiple namespaces. It adds default-deny-all policies and component-specific traffic rules for oauth-apiserver, oauth-openshift, and authentication-operator, along with code registration and corresponding test output files.

Changes

Cohort / File(s) | Summary

NetworkPolicy Manifests (Bindata)
bindata/oauth-apiserver/networkpolicy_*, bindata/oauth-openshift/networkpolicy_*
Added four NetworkPolicy YAML files: two default-deny-all policies for the openshift-oauth-apiserver and openshift-authentication namespaces; two component-specific policies (oauth-apiserver-networkpolicy and oauth-server-networkpolicy) with defined Ingress/Egress rules.

NetworkPolicy Manifests (Manifests Directory)
manifests/0000_10_networkpolicy_*.yaml
Added two new manifest files: authentication-operator-networkpolicy and a default-deny-all policy for the openshift-authentication-operator namespace, with corresponding Ingress/Egress rules.

Operator Code Registration
pkg/cmd/mom/output_resources_command.go, pkg/operator/starter.go
Added entries to the ExactResources list and expanded static resource provisioning to register four new NetworkPolicy resources (oauth-apiserver, oauth-server, and two default-deny-all policies).

Test Data - NetworkPolicy Resources
test-data/apply-configuration/overall/*/networkpolicies/*.yaml
Added metadata and body YAML files for NetworkPolicy resources across the openshift-authentication and openshift-oauth-apiserver namespaces, mirroring the bindata manifest structure.

Test Data - Event Records
test-data/apply-configuration/overall/*/events/*-body-authentication-operator.*.yaml, test-data/apply-configuration/overall/*/events/*-metadata-authentication-operator.*.yaml
Added and removed event manifests documenting NetworkPolicy creation events and configuration observations; includes deletions of obsolete oauthAPIServer/oauthServer config observation events and metadata name field updates.

Test Data - Certificate Signing Request
test-data/apply-configuration/overall/minimal-cluster/*/certificatesigningrequests/d52a-body-system-COLON-openshift-COLON-openshift-authenticator-.yaml
Updated CSR request payload (base64 string change); no signature or field structure changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments
test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-oauth-apiserver/networking.k8s.io/networkpolicies/bd95-body-oauth-apiserver-networkpolicy.yaml (1)

31-57: Duplicate ingress rule appears unnecessary.

The ingress rule at lines 55-57 is identical to the rule at lines 31-34 (both allow port 8443 TCP from any source without a from selector). While the PR notes intentional overlap for documentation, this particular duplication doesn't add documentation value since they're identical rules.

Consider removing the duplicate:

♻️ Suggested change
   - from:
     - namespaceSelector:
         matchLabels:
           kubernetes.io/metadata.name: openshift-authentication-operator
       podSelector:
         matchLabels:
           app: authentication-operator
     ports:
     - port: 8443
       protocol: TCP
-  - ports:
-    - port: 8443
-      protocol: TCP
   podSelector:
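Review bot: Before dropping the second `- ports:` rule, confirm that the rule this comment says it duplicates (lines 31-34) really has no `from` selector, because the only 8443 rule visible in this hunk's context is the one scoped to the authentication-operator pod in its namespace; if that scoped rule ended up as the sole remaining 8443 ingress rule, the hostNetwork kube-apiserver traffic the PR description says cannot be matched by pod or namespace selectors would fall through to the default-deny policy. Whichever open 8443 rule is kept should carry a one-line comment naming the hostNetwork client it exists for, so the intentional overlap the description mentions is self-documenting rather than indistinguishable from a copy-paste.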

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci bot requested a review from ibihim January 23, 2026 10:41
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 23, 2026
@liouk
Member Author

liouk commented Jan 23, 2026

/jira refresh

@openshift-ci-robot
Contributor

openshift-ci-robot commented Jan 23, 2026

@liouk: This pull request references CNTRLPLANE-2610 which is a valid jira issue.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@liouk liouk force-pushed the network-policies branch 3 times, most recently from 9711c7b to d058feb Compare January 23, 2026 16:21
@openshift-ci-robot
Contributor

openshift-ci-robot commented Jan 28, 2026

@liouk: This pull request references CNTRLPLANE-2610 which is a valid jira issue.

In response to this:

This PR adds network policies to the authentication operator, oauth-server and oauth-apiserver. For each component, there are two policies:

  • one to allow all Ingress/Egress known traffic for each component
  • one to deny all other Ingress/Egress traffic for each component

All known and required connections must be reflected in the respective allow rules.

Note that, in the case of pods that require traffic to/from hostNetwork pods (such as the kube-apiserver), we need to allow all ingress/egress TCP traffic; NetworkPolicies do not affect pods on hostNetwork, but we still need a rule to allow ingress/egress from/to them.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@liouk liouk changed the title WIP: CNTRLPLANE-2610: Create network policies for AUTH components CNTRLPLANE-2610: Create network policies for AUTH components Jan 28, 2026
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 28, 2026
@liouk
Member Author

liouk commented Jan 28, 2026

@coderabbitai review

@coderabbitai

coderabbitai bot commented Jan 28, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@openshift-ci-robot
Contributor

openshift-ci-robot commented Jan 29, 2026

@liouk: This pull request references CNTRLPLANE-2610 which is a valid jira issue.

In response to this:

This PR adds network policies to the authentication operator, oauth-server and oauth-apiserver. For each component, there are two policies:

  • one to allow all Ingress/Egress known traffic for each component
  • one to deny all other Ingress/Egress traffic for each component

All known and required connections must be reflected in the respective allow rules.

Note that, in the case of pods that require traffic to/from hostNetwork pods (such as the kube-apiserver), we need to allow all ingress/egress TCP traffic; NetworkPolicies do not affect pods on hostNetwork, but we still need a rule to allow ingress/egress from/to them.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@liouk
Member Author

liouk commented Jan 29, 2026

@coderabbitai help

@coderabbitai

coderabbitai bot commented Jan 29, 2026

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

CodeRabbit commands

These commands are invoked using PR/Issue comments.

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai evaluate custom pre-merge check --instructions <custom-checks-instructions> --name <custom-checks-title> [--mode <error|warning>] to validate the custom pre-merge checks instructions. Defaults to error when --mode is omitted.
    • @coderabbitai ignore pre-merge checks to override pre-merge checks and get an approval on PR.
    • @coderabbitai run pre-merge checks to run pre-merge checks on the pull request.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve to resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai generate configuration to create a PR that adds the current resolved configuration as .coderabbit.yaml (or show it if already present).
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit configuration file (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • You can also validate your configuration using the online YAML validator.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, support, documentation and community

  • Visit our status page to check the current availability of CodeRabbit.
  • Create a ticket on our support page for assistance with any issues or questions.
  • Visit our documentation site for detailed information on how to use CodeRabbit.
  • Join our Discord community to connect with other users and get help from the community.
  • Follow us on X/Twitter for updates and announcements.

@kaleemsiddiqu

/retest

@liouk
Member Author

liouk commented Jan 29, 2026

I'd like a review from a member of each of the auth and network policy feature teams -- holding until we get both.

Holding PR until we get:

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 29, 2026
@openshift-ci-robot
Contributor

openshift-ci-robot commented Jan 29, 2026

@liouk: This pull request references CNTRLPLANE-2610 which is a valid jira issue.

In response to this:

This PR adds network policies to the authentication operator, oauth-server and oauth-apiserver. For each component, there are two policies:

  • one to allow all Ingress/Egress known traffic for each component
  • one to deny all other Ingress/Egress traffic for each component

All known and required connections must be reflected in the respective allow rules.

Note that, in the case of pods that require traffic to/from hostNetwork pods (such as the kube-apiserver), we need to allow all ingress/egress TCP traffic; NetworkPolicies do not affect pods on hostNetwork, but we still need a rule to allow ingress/egress from/to them.

In some cases there might be some overlap in the policy rules, but this is intentional for the sake of documentation/future reference.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Comment on lines 45 to 46
libraryoutputresources.ExactResource("networking.k8s.io", "v1", "networkpolicies", "openshift-authentication-operator", "authentication-operator-networkpolicy"),
libraryoutputresources.ExactResource("networking.k8s.io", "v1", "networkpolicies", "openshift-authentication-operator", "default-deny-all"),
Contributor


Does MOM need to also know the manifests for deploying the cluster-authentication-operator itself?

Member Author


Actually good point, I don't believe OM needs these operator manifests.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@bindata/oauth-openshift/networkpolicy_oauth-server.yaml`:
- Around line 44-68: The NetworkPolicy in networkpolicy_oauth-server.yaml currently uses a wide namespaceSelector: {} allowing ingress to port 6443 from any namespace and an egress rule with only ports: - protocol: TCP (no `to`) permitting all TCP egress; tighten or document this: replace namespaceSelector: {} with a scoped namespaceSelector/podSelector or ipBlock that targets known oauth-proxy/sidecar namespaces or pods (reference the ingress block targeting port 6443), and restrict the egress rule (the egress entry listing ports with protocol: TCP) by adding specific `to:` destinations (podSelector, namespaceSelector or ipBlock) for kube-apiserver and configured IDPs; alternatively, if the broad scope is intentional, add an explicit comment in the manifest near the ingress (port 6443) and the TCP-only egress rule explaining the rationale and approved clients/endpoints.
🧹 Nitpick comments (1)
bindata/oauth-apiserver/networkpolicy_oauth-apiserver.yaml (1)

77-80: Egress rule allows all TCP ports to any destination.

This rule permits unrestricted TCP egress, which is quite permissive. The comment indicates this is for kube-apiserver communication, but kube-apiserver typically runs on port 6443. Consider whether this could be tightened to specific ports (e.g., 6443 for API server) to reduce attack surface, or document why unrestricted TCP is required.
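The two-policy pattern from the PR description (a default-deny policy plus an allow policy in the same namespace, with an unscoped rule kept for hostNetwork clients such as the kube-apiserver) and the unscoped `ports: - protocol: TCP` egress rule flagged in the review above can both be checked with a small evaluator. The following is an added example written for this page, not code from the PR or from the cluster-authentication-operator project: the namespaces, labels and ports are constructed, and it simplifies NetworkPolicy semantics (matchLabels-only selectors, ipBlock peers treated as non-matching, policyTypes read literally). `ingress_allowed` applies the API's "isolated once selected, then any matching rule allows" logic, and `unscoped_rules` lists the rules that admit any peer so each one can be justified in the manifest.

```python
"""Evaluate and lint Kubernetes NetworkPolicy ingress rules.

Added example for this discussion, not code from the PR or the
cluster-authentication-operator project. Policies are plain dicts mirroring
manifest YAML; namespaces, labels and ports are constructed. Assumptions:
matchLabels-only selectors, ipBlock peers never match, policyTypes read literally.
"""
from dataclasses import dataclass, field


@dataclass
class Peer:
    """Source of a connection. host_network=True models a hostNetwork pod such as
    the kube-apiserver: its packets carry the node IP, so namespaceSelector and
    podSelector peers never match it; only a rule with no `from` admits it."""
    namespace: str = ""
    namespace_labels: dict = field(default_factory=dict)
    pod_labels: dict = field(default_factory=dict)
    host_network: bool = False


def selector_matches(selector, labels):
    """matchLabels semantics; an empty selector ({}) matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(entry, policy_ns, peer):
    """One `from` entry vs. a peer; a bare podSelector means the policy's own namespace."""
    if peer.host_network or "ipBlock" in entry:
        return False
    if "namespaceSelector" in entry:
        ns_ok = selector_matches(entry["namespaceSelector"], peer.namespace_labels)
    else:
        ns_ok = peer.namespace == policy_ns
    pod_ok = "podSelector" not in entry or selector_matches(entry["podSelector"], peer.pod_labels)
    return ns_ok and pod_ok


def rule_allows(rule, policy_ns, peer, port, protocol):
    """ports absent: all ports; from absent or empty: any source, hostNetwork included."""
    ports = rule.get("ports")
    if ports is not None and not any(
        p.get("protocol", "TCP") == protocol and p.get("port", port) == port for p in ports
    ):
        return False
    froms = rule.get("from")
    return not froms or any(peer_matches(f, policy_ns, peer) for f in froms)


def ingress_allowed(policies, target_ns, target_labels, peer, port, protocol="TCP"):
    """A pod is isolated once any Ingress policy in its namespace selects it; the
    connection is then allowed iff some rule of some selecting policy matches.
    Policies are additive, which is why default-deny plus allow composes."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == target_ns
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selector_matches(p["spec"].get("podSelector", {}), target_labels)
    ]
    if not selecting:
        return True  # nothing selects the pod: not isolated, everything allowed
    return any(rule_allows(r, target_ns, peer, port, protocol)
               for p in selecting for r in p["spec"].get("ingress", []))


def unscoped_rules(policy):
    """Lint: rules matching any peer (no from/to, or namespaceSelector: {} alone);
    each one should carry a comment in the manifest saying which client needs it."""
    found = []
    for direction, key in (("ingress", "from"), ("egress", "to")):
        for i, rule in enumerate(policy["spec"].get(direction, [])):
            peers = rule.get(key) or []
            if not peers or any(e.get("namespaceSelector") == {} and "podSelector" not in e for e in peers):
                found.append((direction, i))
    return found


# Constructed sample: default-deny plus one allow policy for the "demo-server" pods.
NS = "demo-auth"
DEFAULT_DENY = {"metadata": {"name": "default-deny-all", "namespace": NS},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
ALLOW = {"metadata": {"name": "demo-server-networkpolicy", "namespace": NS}, "spec": {
    "podSelector": {"matchLabels": {"app": "demo-server"}},
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [
        # scoped: only the operator pod in its own namespace may reach 8443
        {"from": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "demo-operator"}},
                   "podSelector": {"matchLabels": {"app": "demo-operator"}}}],
         "ports": [{"port": 8443, "protocol": "TCP"}]},
        # unscoped on purpose: hostNetwork clients cannot be matched by labels
        {"ports": [{"port": 8443, "protocol": "TCP"}]},
    ],
    # all TCP egress with no `to`: the shape the review comment asks to scope or document
    "egress": [{"ports": [{"protocol": "TCP"}]}],
}}
POLICIES = [DEFAULT_DENY, ALLOW]
SERVER = {"app": "demo-server"}
KUBE_APISERVER = Peer(host_network=True)
OPERATOR = Peer("demo-operator", {"kubernetes.io/metadata.name": "demo-operator"}, {"app": "demo-operator"})
STRANGER = Peer("other", {"kubernetes.io/metadata.name": "other"}, {"app": "unrelated"})

if __name__ == "__main__":
    for who, peer in (("kube-apiserver", KUBE_APISERVER), ("operator", OPERATOR), ("stranger", STRANGER)):
        print(who, [ingress_allowed(POLICIES, NS, SERVER, peer, port) for port in (8443, 9090)])
    print("unscoped rules in allow policy:", unscoped_rules(ALLOW))
```

Running it shows the trade-off the thread is negotiating: the unscoped 8443 rule is what lets the hostNetwork kube-apiserver in, but it equally admits any other pod in the cluster on that port, and dropping it (as the duplicate-rule suggestion would if the scoped rule were the only one left) would deny the kube-apiserver. The lint output is the list of rules a reviewer should expect to find commented in the manifest.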

Contributor

@everettraven everettraven left a comment


This LGTM in general.

We should probably run payload jobs for a sanity check that this won't cause component readiness issues and payload build failures.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 3, 2026
@openshift-ci
Contributor

openshift-ci bot commented Feb 3, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: everettraven, liouk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@liouk
Member Author

liouk commented Feb 3, 2026

We should probably run payload jobs for a sanity check that this won't cause component readiness issues and payload build failures.

Indeed -- I intend to get this reviewed and tested by QE first before running a payload job, to avoid having to repeat it unnecessarily.

@dusk125

dusk125 commented Feb 3, 2026

lgtm as well!

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Feb 6, 2026
@openshift-ci
Contributor

openshift-ci bot commented Feb 6, 2026

New changes are detected. LGTM label has been removed.

@liouk
Member Author

liouk commented Feb 6, 2026

Pushed changes to better align with the "Egress to the APIServer" guidance.

annotations:
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
include.release.openshift.io/ibm-cloud-managed: "true"

@dusk125 dusk125 Feb 6, 2026


Cesar warned against having these applied in hypershift since they already do their own network policies in the hosted control planes. I would suggest removing this include.release.openshift.io/ibm-cloud-managed: "true".


@liouk liouk force-pushed the network-policies branch 2 times, most recently from 37dd6ce to af9a504 Compare February 12, 2026 10:51
@liouk
Member Author

liouk commented Feb 12, 2026

Pushed fixes as per comments from @dusk125 and also more alignment with guidance (allow all ingress to metrics, not just prometheus pods).
