WIP: API-1646: Add config-operator workload and namespaces network policies

[liouk]

This PR adds network policies to the namespaces managed by the cluster-config-operator. In particular:

• one to allow all Ingress/Egress known traffic for each component
• one to deny all other Ingress/Egress traffic for each component

All known and required connections must be reflected to respective allow rules.

Note that, in case of pods that require traffic to/from hostNetwork pods (such as the kube-apiserver), we need to allow all ingress/egress TCP traffic; NetworkPolicies do not affect pods on hostNetwork, but we still need a rule to allow ingress/egress from/to them.

In some cases there might be some overlap in the policy rules, but this is intentional for the sake of documentation/future reference.

[openshift-ci-robot]

@liouk: This pull request references API-1646 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Excluded labels (none allowed) (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: liouk
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@liouk: This pull request references API-1646 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR adds network policies to the namespaces managed by the cluster-config-operator. In particular:

• one to allow all Ingress/Egress known traffic for each component
• one to deny all other Ingress/Egress traffic for each component

All known and required connections must be reflected to respective allow rules.

Note that, in case of pods that require traffic to/from hostNetwork pods (such as the kube-apiserver), we need to allow all ingress/egress TCP traffic; NetworkPolicies do not affect pods on hostNetwork, but we still need a rule to allow ingress/egress from/to them.

In some cases there might be some overlap in the policy rules, but this is intentional for the sake of documentation/future reference.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@liouk: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-serial-1of2	f91f6d2	link	true	/test e2e-aws-serial-1of2
ci/prow/e2e-aws-serial-techpreview-1of2	f91f6d2	link	true	/test e2e-aws-serial-techpreview-1of2
ci/prow/e2e-aws-serial-techpreview-2of2	f91f6d2	link	true	/test e2e-aws-serial-techpreview-2of2
ci/prow/e2e-aws-serial-2of2	f91f6d2	link	true	/test e2e-aws-serial-2of2

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.