
Conversation

@miyadav
Member

@miyadav miyadav commented Feb 5, 2026

/hold

Summary by CodeRabbit

  • Chores
    • Added per-namespace default-deny network policies to strengthen platform security for operator and cluster API namespaces.
    • Configured ingress rules to allow metrics access for CAPI operator and controller pods (including ports 8443 and 8442 where applicable).
    • Added an egress policy to permit outbound traffic from operator pods for required communications.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Feb 5, 2026
@openshift-ci-robot

@miyadav: This pull request explicitly references no jira issue.


In response to this:

/hold

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 5, 2026
@coderabbitai

coderabbitai bot commented Feb 5, 2026

📝 Walkthrough

Walkthrough

Adds three Kubernetes NetworkPolicy manifests: an egress-allow for capi-operator, ingress rules permitting metrics on ports 8443 (and 8442 for migration) for operator/controller pods, and default-deny policies applied separately to openshift-cluster-api-operator and openshift-cluster-api namespaces.

Changes

Cohort / File(s) | Summary

Allow policies (egress & ingress)
  Files: manifests/0000_30_cluster-api_14_allow-egress-capi-operators.yaml, manifests/0000_30_cluster-api_14_allow-ingress-to-metrics-operators.yaml
  Summary: Adds an egress NetworkPolicy selecting pods labeled k8s-app: capi-operator that permits all outbound traffic; adds ingress NetworkPolicies allowing port 8443 (and additionally 8442 for machine-api-migration) for capi-operator and capi-controllers, with updated podSelector and metadata annotations.

Default-deny policies
  Files: manifests/0000_30_cluster-api_17_default-deny.yaml
  Summary: Adds per-namespace default-deny NetworkPolicies in openshift-cluster-api-operator and openshift-cluster-api namespaces (empty podSelector, no ingress/egress rules) to enforce deny-by-default behavior.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hopped through YAML, tidy and spry,
Egress set free beneath the sky,
Metrics ears open on ports that chime,
Default-deny fences, neat and prime,
A rabbit's nod — secure by design.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
  Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  Title check: ✅ Passed. The title directly describes the main change: adding/fixing NetworkPolicy resources for the openshift-cluster-api-operator namespace, which aligns with all three manifest file modifications.
  Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.

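The walkthrough above describes three policy shapes that only make sense together: a default-deny with an empty podSelector, an ingress allow on the metrics port, and an egress allow-all on capi-operator pods. Whether the combination does what is intended depends on Kubernetes NetworkPolicy semantics (an empty selector selects every pod, a direction is isolated once any selecting policy names it in policyTypes, a bare `- {}` rule allows everything, and an omitted policyTypes is inferred). The following Python checker is an added example written for this page; it is not code from this PR or from the cluster-api-operator project. The policy objects are constructed to mirror the walkthrough, and the policyTypes on the default-deny, the exact policy names, and the use of a single 8443 port for capi-controllers are assumptions.

```python
"""Evaluate Kubernetes NetworkPolicy semantics for pods in a namespace.

Added example, not the project's manifests. The policies below are constructed
to mirror the PR walkthrough; their exact contents are assumptions.
"""
from typing import Any, Dict, List

OPERATOR_NS = "openshift-cluster-api-operator"
CAPI_NS = "openshift-cluster-api"


def effective_policy_types(spec: Dict[str, Any]) -> List[str]:
    """Apply the API-server default: when policyTypes is omitted, Ingress is
    always included and Egress is added only if the policy has egress rules."""
    if "policyTypes" in spec:
        return list(spec["policyTypes"])
    types = ["Ingress"]
    if spec.get("egress"):
        types.append("Egress")
    return types


def selector_matches(selector: Dict[str, Any], labels: Dict[str, str]) -> bool:
    """Every matchLabels entry must be present; an empty selector selects all pods."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(key) == value for key, value in wanted.items())


def _allows_everything(rule: Dict[str, Any], peer_key: str) -> bool:
    """A rule with no peers and no ports (written as "- {}") permits all traffic."""
    return not rule.get(peer_key) and not rule.get("ports")


def evaluate_pod(labels: Dict[str, str], namespace: str,
                 policies: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Summarize what the policies in `namespace` do to a pod carrying `labels`.

    A direction is isolated once any selecting policy lists it in policyTypes;
    traffic is then permitted only by an explicit rule in some selecting policy.
    """
    result: Dict[str, Any] = {
        "ingress_isolated": False, "egress_isolated": False,
        "ingress_allow_all": False, "egress_allow_all": False,
        "ingress_ports_from_anywhere": set(),
    }
    for policy in policies:
        if policy["metadata"]["namespace"] != namespace:
            continue
        spec = policy["spec"]
        if not selector_matches(spec.get("podSelector"), labels):
            continue
        types = effective_policy_types(spec)
        if "Ingress" in types:
            result["ingress_isolated"] = True
            for rule in spec.get("ingress") or []:
                if _allows_everything(rule, "from"):
                    result["ingress_allow_all"] = True
                elif not rule.get("from"):  # ports listed, no peer restriction
                    for port in rule.get("ports", []):
                        result["ingress_ports_from_anywhere"].add(port["port"])
        if "Egress" in types:
            result["egress_isolated"] = True
            for rule in spec.get("egress") or []:
                if _allows_everything(rule, "to"):
                    result["egress_allow_all"] = True
    return result


def has_default_deny(namespace: str, policies: List[Dict[str, Any]]) -> bool:
    """True if some policy selects every pod, covers both directions and has no rules."""
    for policy in policies:
        if policy["metadata"]["namespace"] != namespace:
            continue
        spec = policy["spec"]
        selects_all = not (spec.get("podSelector") or {}).get("matchLabels")
        no_rules = not spec.get("ingress") and not spec.get("egress")
        if selects_all and no_rules and {"Ingress", "Egress"} <= set(effective_policy_types(spec)):
            return True
    return False


def _np(name: str, namespace: str, spec: Dict[str, Any]) -> Dict[str, Any]:
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


# Constructed sample set (assumed contents, modeled on the walkthrough).
SAMPLE_POLICIES = [
    _np("default-deny", OPERATOR_NS, {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}),
    _np("default-deny", CAPI_NS, {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}),
    _np("allow-egress-capi-operator", OPERATOR_NS, {
        "podSelector": {"matchLabels": {"k8s-app": "capi-operator"}},
        "policyTypes": ["Egress"], "egress": [{}]}),
    _np("allow-ingress-to-metrics-capi-operator", OPERATOR_NS, {
        "podSelector": {"matchLabels": {"k8s-app": "capi-operator"}},
        "policyTypes": ["Ingress"], "ingress": [{"ports": [{"protocol": "TCP", "port": 8443}]}]}),
    _np("allow-ingress-to-metrics-capi-controllers", CAPI_NS, {
        "podSelector": {"matchLabels": {"k8s-app": "capi-controllers"}},
        "policyTypes": ["Ingress"], "ingress": [{"ports": [{"protocol": "TCP", "port": 8443}]}]}),
]

if __name__ == "__main__":
    for ns, labels in ((OPERATOR_NS, {"k8s-app": "capi-operator"}),
                       (OPERATOR_NS, {"app": "unlabeled-sidecar"}),
                       (CAPI_NS, {"k8s-app": "capi-controllers"})):
        print(ns, labels, "default-deny:", has_default_deny(ns, SAMPLE_POLICIES),
              evaluate_pod(labels, ns, SAMPLE_POLICIES))
```

Two things the checker makes visible that the manifests alone do not: a pod in the operator namespace without the k8s-app label is fully isolated with no allow rule, and a policy that carries `egress: [{}]` but omits policyTypes is inferred as both Ingress and Egress, so it silently isolates ingress with no allow rule while leaving egress wide open.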

@miyadav
Member Author

miyadav commented Feb 5, 2026

/test e2e-aws-capi-techpreview

@openshift-ci-robot

@miyadav: This pull request explicitly references no jira issue.


In response to this:

/hold

Summary by CodeRabbit

  • Chores
  • Added network policies for cluster API operators to strengthen platform security with default-deny rules across operator and cluster API namespaces.
  • Configured ingress rules to allow metrics access on specific ports for CAPI operators and controllers.
  • Established egress policies to enable operator outbound traffic for required communications.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@miyadav
Member Author

miyadav commented Feb 5, 2026

/unhold - follow up to #453
@damdo @mdbooth , PTAL if ok to trigger tests

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 5, 2026
@openshift-ci
Contributor

openshift-ci bot commented Feb 5, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign nrb for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Added annotations to the NetworkPolicy metadata for OpenShift.
@miyadav
Member Author

miyadav commented Feb 6, 2026

/test e2e-aws-capi-techpreview


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@manifests/0000_30_cluster-api_14_allow-egress-capi-operators.yaml`:
- Around line 1-27: The YAML manifest for the NetworkPolicy is malformed due to
incorrect indentation under the metadata and spec blocks; move annotations, name
and namespace to be direct children of metadata (annotations: and
name:/namespace: as siblings), and normalize the spec block indentation so spec:
contains podSelector (with matchLabels: k8s-app: capi-operator), policyTypes: -
Egress, and egress: - {} as children at the same indentation level; ensure all
mapping keys (metadata, annotations, name, namespace, spec, podSelector,
matchLabels, policyTypes, egress) are properly aligned so the parser can read
the NetworkPolicy resource named allow-egress-capi-operator in namespace
openshift-cluster-api-operator.

Comment on lines +1 to +27
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
annotations:
exclude.release.openshift.io/internal-openshift-hosted: "true"
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
release.openshift.io/feature-set: CustomNoUpgrade,TechPreviewNoUpgrade
name: allow-egress-capi-operator
namespace: openshift-cluster-api-operator
spec:
# Select pods with the label k8s-app=capi-operator
# This policy will apply only to pods matching these labels
podSelector:
matchLabels:
k8s-app: capi-operator

# Define that this policy controls egress (outbound) traffic
# Without this, the policy would also deny all egress by default
policyTypes:
- Egress

# Egress rules - define what outbound traffic is allowed
egress:
- {} # Empty rule allows ALL egress traffic to any destination
# This permits the capi-operator pods to make outbound connections
# to any IP address on any port and protocol
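Review bot: the comment under policyTypes ("Without this, the policy would also deny all egress by default") has the default backwards. When policyTypes is omitted, the API server always includes Ingress and adds Egress only if the policy has egress rules, so dropping the field here would keep the `- {}` egress allow and instead isolate ingress for capi-operator pods with no allow rule. Keep `policyTypes: - Egress` but reword the comment to say it stops the policy from implicitly isolating ingress. Separately, the file is named allow-egress-capi-operators.yaml while metadata.name is allow-egress-capi-operator; pick one form.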


⚠️ Potential issue | 🔴 Critical

Critical: YAML syntax error due to incorrect indentation.

The manifest has malformed YAML structure that will fail to parse:

  1. annotations: (line 4) must be indented under metadata:
  2. name: and namespace: (lines 9-10) must be siblings of annotations: under metadata:, not children of annotations
  3. The spec: contents also have inconsistent indentation

The static analyzer confirms: "mapping values are not allowed here" at line 9.

🐛 Proposed fix for YAML indentation
-  apiVersion: networking.k8s.io/v1                                                                                                                                                                                   
-  kind: NetworkPolicy
-  metadata:
-  annotations:
-    exclude.release.openshift.io/internal-openshift-hosted: "true"
-    include.release.openshift.io/self-managed-high-availability: "true"
-    include.release.openshift.io/single-node-developer: "true"
-    release.openshift.io/feature-set: CustomNoUpgrade,TechPreviewNoUpgrade                                                                                                                                                                                                         
-      name: allow-egress-capi-operator                                                                                                                                                                             
-      namespace: openshift-cluster-api-operator
-  spec:
-      # Select pods with the label k8s-app=capi-operator
-      # This policy will apply only to pods matching these labels
-      podSelector:
-        matchLabels:
-          k8s-app: capi-operator
-
-      # Define that this policy controls egress (outbound) traffic
-      # Without this, the policy would also deny all egress by default
-      policyTypes:
-      - Egress
-
-      # Egress rules - define what outbound traffic is allowed
-      egress:
-      - {}  # Empty rule allows ALL egress traffic to any destination
-            # This permits the capi-operator pods to make outbound connections
-            # to any IP address on any port and protocol
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    exclude.release.openshift.io/internal-openshift-hosted: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    release.openshift.io/feature-set: CustomNoUpgrade,TechPreviewNoUpgrade
+  name: allow-egress-capi-operator
+  namespace: openshift-cluster-api-operator
+spec:
+  # Select pods with the label k8s-app=capi-operator
+  # This policy will apply only to pods matching these labels
+  podSelector:
+    matchLabels:
+      k8s-app: capi-operator
+  # Define that this policy controls egress (outbound) traffic
+  # Without this, the policy would also deny all egress by default
+  policyTypes:
+  - Egress
+  # Egress rules - define what outbound traffic is allowed
+  egress:
+  - {}  # Empty rule allows ALL egress traffic to any destination
+        # This permits the capi-operator pods to make outbound connections
+        # to any IP address on any port and protocol
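Review bot: the fix corrects the indentation but carries forward `egress: - {}`, which, as the inline comment states, permits all outbound traffic from capi-operator pods to any destination, port and protocol. With the namespace default-deny added in the same PR, this is the single policy that decides the operator's egress surface, so it reduces the default-deny to a no-op for that pod. If the operator only needs a known set of destinations, narrow the rule with `to:` peers and `ports:`; if unrestricted egress really is required, say why in the comment so the next reader does not tighten it blindly.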
🧰 Tools
🪛 YAMLlint (1.38.0)

[error] 9-9: syntax error: mapping values are not allowed here

(syntax)


@miyadav
Member Author

miyadav commented Feb 6, 2026

/close

since already been worked on ( duplicate )

@miyadav miyadav closed this Feb 6, 2026
@miyadav miyadav deleted the networkpolicyupdate branch February 6, 2026 12:55

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
