OCPBUGS-83800: add remaining CNO NetworkPolicies [take 2]

[danwinship]

#2959 was reverted because it broke upgrades; we can't have CVO create the CNCC "deny" policy and then have CNO create the "allow" policy, because that creates a gap where everything is denied. This just moves the default-deny policy from manifests to bindata so they're both applied at the same time.

/assign @jcaamano

Summary by CodeRabbit

• Chores
  • Added network security policies to control ingress and egress traffic for the cloud network configuration controller
  • Updated cluster network operator policies with release management annotations for improved deployment consistency across environments

[openshift-ci-robot]

@danwinship: This pull request references Jira Issue OCPBUGS-83800, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @anuragthehatter

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

#2959 was reverted because it broke upgrades; we can't have CVO create the CNCC "deny" policy and then have CNO create the "allow" policy, because that creates a gap where everything is denied. This just moves the default-deny policy from manifests to bindata so they're both applied at the same time.

/assign @jcaamano

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c8943238-9358-4a49-afbc-9b1e11d405c6

📥 Commits

Reviewing files that changed from the base of the PR and between 5794883 and 050d838.

📒 Files selected for processing (2)

• bindata/cloud-network-config-controller/self-hosted/networkpolicies.yaml
• manifests/0000_70_cluster-network-operator_00_namespace.yaml

---

Walkthrough

This pull request adds network policy manifests for the cloud-network-config-controller component and updates release management annotations on an existing network policy in the cluster-network-operator namespace.

Changes

Network Policy Implementation

Layer / File(s)	Summary
New NetworkPolicy Definitions bindata/cloud-network-config-controller/self-hosted/networkpolicies.yaml	Creates two NetworkPolicy resources: default-deny (blocks all ingress and egress) and cloud-network-config-controller (allows all egress for pods labeled app: cloud-network-config-controller).
Release Management Annotations manifests/0000_70_cluster-network-operator_00_namespace.yaml	Adds three OpenShift/IBM release-inclusion annotations to the existing default-deny NetworkPolicy in the openshift-network-operator namespace.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly references the bug number (OCPBUGS-83800) and describes the main change: adding remaining CNO NetworkPolicies, which aligns with the actual changes of adding NetworkPolicy manifests to both CNO and CNCC.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only Kubernetes YAML manifest files, not Ginkgo test files. The custom check for stable test names is not applicable as no test code is present or modified.
Test Structure And Quality	✅ Passed	This PR contains only Kubernetes YAML manifest changes (NetworkPolicy resources) with no test code. The custom check is specifically for Ginkgo test code quality, which is not applicable here.
Microshift Test Compatibility	✅ Passed	This PR adds no Ginkgo e2e tests, only Kubernetes manifest files and standard Go unit tests. The MicroShift compatibility check applies only to Ginkgo e2e tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests added. Changes are only Kubernetes manifest files (YAML). SNO compatibility check only applies to e2e tests.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only adds NetworkPolicy resources and release annotations. NetworkPolicies control network traffic, not pod scheduling. No affinity, nodeSelector, or topology constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	PR only modifies YAML manifest files (NetworkPolicy resources). No Go source code changes that could write to stdout were made. Check not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR adds/modifies only Kubernetes manifest YAML files (NetworkPolicy resources), not Ginkgo e2e tests. The custom check is specifically for new Ginkgo e2e tests, which are not present in this PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@danwinship: This pull request references Jira Issue OCPBUGS-83800, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @anuragthehatter

Details

In response to this:

#2959 was reverted because it broke upgrades; we can't have CVO create the CNCC "deny" policy and then have CNO create the "allow" policy, because that creates a gap where everything is denied. This just moves the default-deny policy from manifests to bindata so they're both applied at the same time.

/assign @jcaamano

Summary by CodeRabbit

• Chores
• Added network security policies to control ingress and egress traffic for the cloud network configuration controller
• Updated cluster network operator policies with release management annotations for improved deployment consistency across environments

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [danwinship]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@danwinship: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-rhcos10-techpreview	050d838	link	false	/test e2e-aws-ovn-rhcos10-techpreview
ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw	050d838	link	true	/test e2e-metal-ipi-ovn-dualstack-bgp-local-gw
ci/prow/e2e-metal-ipi-ovn-ipv6	050d838	link	true	/test e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-azure-ovn-upgrade	050d838	link	true	/test e2e-azure-ovn-upgrade
ci/prow/e2e-aws-ovn-windows	050d838	link	true	/test e2e-aws-ovn-windows
ci/prow/4.22-upgrade-from-stable-4.21-e2e-aws-ovn-upgrade	050d838	link	false	/test 4.22-upgrade-from-stable-4.21-e2e-aws-ovn-upgrade
ci/prow/e2e-aws-ovn-serial-2of2	050d838	link	true	/test e2e-aws-ovn-serial-2of2
ci/prow/4.22-upgrade-from-stable-4.21-e2e-azure-ovn-upgrade	050d838	link	false	/test 4.22-upgrade-from-stable-4.21-e2e-azure-ovn-upgrade
ci/prow/4.22-upgrade-from-stable-4.21-e2e-gcp-ovn-upgrade	050d838	link	false	/test 4.22-upgrade-from-stable-4.21-e2e-gcp-ovn-upgrade
ci/prow/security	050d838	link	false	/test security

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.