Skip to content

WIP: OCPNODE-4123: Add NetworkPolicy manifests for DAS operator#999

Open
harche wants to merge 2 commits intoopenshift:nextfrom
harche:OCPNODE-4123-add-network-policies
Open

WIP: OCPNODE-4123: Add NetworkPolicy manifests for DAS operator#999
harche wants to merge 2 commits intoopenshift:nextfrom
harche:OCPNODE-4123-add-network-policies

Conversation

@harche
Copy link
Contributor

@harche harche commented Feb 24, 2026
edited by openshift-ci bot
Loading

Summary

  • Add default-deny and allow NetworkPolicy resources to the das-operator namespace per OCPSTRAT-2061 / OCPSTRAT-819 requirements
  • Addresses CIS Kubernetes Benchmark 5.3.2 ("Ensure that all Namespaces have Network Policies defined") and Red Hat ProdSec guidance
  • Follows the same pattern used by kueue-operator and cluster-node-tuning-operator

Changes

New network policy manifests (bindata/assets/instaslice-operator/networkpolicy/):

  • 99-deny-all.yaml — Default deny all ingress and egress for all pods in the namespace
  • 10-allow-egress-api.yaml — Allow all DAS pods egress to kube-apiserver on port 6443
  • 10-allow-egress-cluster-dns.yaml — Allow all DAS pods egress to openshift-dns for name resolution
  • 10-allow-ingress-webhook.yaml — Allow ingress to webhook pods on port 8443 (admission webhook calls)

New helper (pkg/util/resourceapply/networking.go):

  • ReadNetworkPolicyV1OrDie() and ApplyNetworkPolicy() — ported from kueue-operator since library-go doesn't have NetworkPolicy apply support yet

Modified reconciler (pkg/operator/target_config_reconciler.go):

  • Added manageNetworkPolicies() function called during sync()
  • Added NetworkPolicies informer for reconciliation

Modified bindata (bindata/assets.go):

  • Added AssetDir() function to iterate over files in a directory

Jira

Test plan

  • Verify operator builds and starts successfully
  • Verify all 4 NetworkPolicy resources are created in the das-operator namespace
  • Verify webhook still receives admission requests with policies active
  • Verify scheduler can still schedule GPU workloads
  • Verify daemonset can still communicate with API server
  • Verify policy reconciliation (delete a policy, verify it is recreated)

🤖 Generated with Claude Code

@harche @claude
OCPNODE-4123: Add NetworkPolicy manifests for DAS operator
b8ad532 
Add default-deny and allow NetworkPolicy resources to the das-operator
namespace to restrict ingress and egress traffic per OCPSTRAT-2061
requirements. This addresses CIS Kubernetes Benchmark 5.3.2 and
Red Hat ProdSec guidance for control plane hardening.

Network policies added:
- 99-deny-all: Default deny all ingress and egress
- 10-allow-egress-api: Allow egress to kube-apiserver (port 6443)
- 10-allow-egress-cluster-dns: Allow egress to openshift-dns
- 10-allow-ingress-webhook: Allow ingress to webhook (port 8443)

The operator reconciles these policies as part of its sync loop,
following the same pattern used by kueue-operator.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@openshift-ci
Copy link

openshift-ci bot commented Feb 24, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 24, 2026
@openshift-ci
Copy link

openshift-ci bot commented Feb 24, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: harche

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Feb 24, 2026
@harche harche marked this pull request as ready for review February 24, 2026 19:31
@openshift-ci openshift-ci bot requested review from rphillips and tkashem February 24, 2026 19:31
@harche @claude
OCPNODE-4002: Add e2e tests for NetworkPolicy validation
23daddd 
Add e2e tests that verify:
- All 4 expected NetworkPolicy resources are created in the
  das-operator namespace after operator deployment
- The operator reconciles deleted NetworkPolicies (delete one,
  verify it gets recreated)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@harche
Copy link
Contributor Author

harche commented Feb 24, 2026

/test e2e-bundle-runc

@openshift-ci
Copy link

openshift-ci bot commented Feb 24, 2026

@harche: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-bundle-runc 23daddd link true /test e2e-bundle-runc

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@harche harche mentioned this pull request Feb 24, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rphillips rphillips Awaiting requested review from rphillips

@tkashem tkashem Awaiting requested review from tkashem

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@harche