HOSTEDCP-1064: Add egress policy for private-router

[muraee]

What this PR does / why we need it:
The private router should only be able to use the pod network to contact considered request serving components.

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #HOSTEDCP-1064

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

[openshift-ci-robot]

@muraee: This pull request references HOSTEDCP-1064 which is a valid jira issue.

In response to this:

What this PR does / why we need it:
The private router should only be able to use the pod network to contact considered request serving components.

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #HOSTEDCP-1064

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[muraee]

/retest-required

[muraee]

/retest-required

[muraee]

/retest-required

[netlify]

✅ Deploy Preview for hypershift-docs ready!

Name	Link
🔨 Latest commit	85815b7
🔍 Latest deploy log	https://app.netlify.com/sites/hypershift-docs/deploys/64d0f4444823c20008c38e22
😎 Deploy Preview	https://deploy-preview-2792--hypershift-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[muraee]

/retest-required

[muraee]

/retest-required

[muraee]

/retest-required

[muraee]

/retest-required

[muraee]

/retest-required

[muraee]

/retest-required

[muraee]

/test e2e-kubevirt-aws-ovn

[enxebre]

can we please add a t.run("EnsureEgressTrafficForPrivateRouter") within EnsureNetworkPolicies
And have positive/negative validation as in

hypershift/test/e2e/util/util.go

Lines 823 to 831 in 5f604fb

	stdOut, err := RunCommandInPod(ctx, c, "cluster-version-operator", hcpNamespace, command, "cluster-version-operator")
	g.Expect(err).To(HaveOccurred())
	// Expect curl to timeout https://curl.se/docs/manpage.html (exit code 28).
	if err != nil && !strings.Contains(err.Error(), "command terminated with exit code 28") {
	t.Errorf("cluster version pod was unexpectedly allowed to reach the management KAS. stdOut: %s. stdErr: %s", stdOut, err.Error())
	}
	stdOut, err = RunCommandInPod(ctx, c, "cluster-api", hcpNamespace, command, "manager")

lgtm otherwise

[enxebre]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enxebre, muraee

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [enxebre]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[muraee]

/retest-required

[jparrill]

Should we cover IPv6 also in this PR? Could be done in a follow up one? same as we do in

hypershift/hypershift-operator/controllers/hostedcluster/network_policies.go

Line 241 in 7aad3c8

if len(ipv6CIDRs) > 0 {

[muraee]

I would rather we merged this as it is now, because it is needed for the ROSA security hardening epic.
We can have a follow-up for disconnected/ipv6 if it is needed

[jparrill]

/lgtm

[muraee]

/retest-required

[openshift-ci]

@muraee: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.