diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml index 88d1381730ab..584df533fd7a 100644 --- a/_topic_maps/_topic_map.yml +++ b/_topic_maps/_topic_map.yml @@ -1221,6 +1221,8 @@ Topics: File: cert-manager-securing-routes - Name: Integrating the cert-manager Operator with Istio-CSR File: cert-manager-operator-integrating-istio + - Name: Network policy configuration for cert-manager Operator + File: cert-manager-nw-policy - Name: Monitoring the cert-manager Operator for Red Hat OpenShift File: cert-manager-monitoring - Name: Configuring log levels for cert-manager and the cert-manager Operator for Red Hat OpenShift diff --git a/modules/cert-manager-nw-policy-examples.adoc b/modules/cert-manager-nw-policy-examples.adoc new file mode 100644 index 000000000000..8117ac727cf2 --- /dev/null +++ b/modules/cert-manager-nw-policy-examples.adoc @@ -0,0 +1,68 @@ +// Module included in the following assemblies: +// +// * security/cert_manager_operator/cert-manager-nw-policy.adoc +:_mod-docs-content-type: REFERENCE +[id="cert-manager-nw-policy-examples_{context}"] += Network policy configuration examples + +The following examples cover various scenarios related to enabling network policy and custom rules: + +.Example for enabling the network policy management + +[source, yaml] +---- +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster +spec: + defaultNetworkPolicy: "true" +---- + +.Example for allowing egress to all external issuer providers + +[source, yaml] +---- +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster +spec: + defaultNetworkPolicy: "true" + networkPolicies: + - name: allow-egress-to-all + componentName: CoreController + egress: + - {} +---- + +.Example for allowing egress to the specific issuer provider + +The following configuration allows the cert-manager Operator controller to perform the ACME challenge self-check. This process requires connections to the ACME provider, DNS API endpoints, and recursive DNS servers. + +[source, yaml] +---- +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster +spec: + defaultNetworkPolicy: "true" + networkPolicies: + - name: allow-egress-to-acme-server + componentName: CoreController + egress: + - ports: + - port: 80 + protocol: TCP + - port: 443 + protocol: TCP + - name: allow-egress-to-dns-service + componentName: CoreController + egress: + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP +---- \ No newline at end of file diff --git a/modules/cert-manager-nw-policy-params.adoc b/modules/cert-manager-nw-policy-params.adoc new file mode 100644 index 000000000000..f7a94d63eb81 --- /dev/null +++ b/modules/cert-manager-nw-policy-params.adoc @@ -0,0 +1,43 @@ +// Module included in the following assemblies: +// +// * security/cert_manager_operator/cert-manager-nw-policy.adoc +:_mod-docs-content-type: REFERENCE +[id="cert-manager-nw-policy-params_{context}"] += Network policy configuration parameters + +You can enable and configure network policies for the cert-manager Operator components by updating the `CertManager` custom resource (CR). The CR includes the following parameters for enabling default network policies and defining custom egress rules. + +[cols="1,1,3", options="header"] +|=== +| Field +| Type +| Description + +|`spec.defaultNetworkPolicy` +|`boolean` +a|Specifies whether to enable the default network policy for the cert-manager Operator components. +[IMPORTANT] +==== +Once you enable default network policies, you cannot disable them. This restriction prevents accidental security degradation. Before enabling this setting, ensure that you plan the network policy requirements. +==== + +|`spec.networkPolicies` +|`object` +|Defines a list of custom network policy configuration. To apply the configuration, you must set `spec.defaultNetworkPolicy` to `true`. + +|`spec.networkPolicies.componentName` +|`string` +|Specifies the component that this network policy targets. The only valid value is `CoreController`. + +|`spec.networkPolicies.egress` +|`object` +|Defines the egress rules for the specified component. Set to `{}` to allow connections to all external providers. + +|`spec.networkPolicies.egress.ports` +|`object` +|Defines a list of network ports and protocols for the specified providers. + +|`spec.networkPolicies.name` +|`string` +|Specifies a unique name for the custom network policy, which is used to generate the `NetworkPolicy` resource name. +|=== \ No newline at end of file diff --git a/modules/cert-manager-nw-policy-rules.adoc b/modules/cert-manager-nw-policy-rules.adoc new file mode 100644 index 000000000000..9c24a88de7aa --- /dev/null +++ b/modules/cert-manager-nw-policy-rules.adoc @@ -0,0 +1,36 @@ +// Module included in the following assemblies: +// +// * security/cert_manager_operator/cert-manager-nw-policy.adoc +:_mod-docs-content-type: REFERENCE +[id="cert-manager-nw-policy-rules_{context}"] += Default ingress and egress rules + +The default network policy applies the following ingress and egress rules to each component. + +[cols="1,1,1,1",options="header"] +|=== +| Component +| Ingress ports +| Egress ports +| Description + +| `cert-manager` +| 9402 +| 6443, 5353 +| Allows ingress traffic to metrics server and egress traffic to OpenShift API server. + +| `cert-manager-webhook` +| 9402, 10250 +| 6443 +| Allows ingress traffic to metrics and webhook servers, and egress traffic to OpenShift API server and internal DNS server. + +| `cert-manager-cainjector` +| 9402 +| 6443 +| Allows ingress traffic to metrics server and egress traffic to OpenShift API server. + +| `istio-csr` +| 6443, 9402 +| 6443 +| Allows ingress traffic to the gRPC Istio certificate request API, metrics servers and egress traffic to OpenShift API server. +|=== \ No newline at end of file diff --git a/modules/cert-manager-nw-policy-verify.adoc b/modules/cert-manager-nw-policy-verify.adoc new file mode 100644 index 000000000000..16f232181d99 --- /dev/null +++ b/modules/cert-manager-nw-policy-verify.adoc @@ -0,0 +1,37 @@ +// Module included in the following assemblies: +// +// * security/cert_manager_operator/cert-manager-nw-policy.adoc +:_mod-docs-content-type: PROCEDURE +[id="verifying-network-policy-creation_{context}"] += Verifying the network policy creation + +You can verify that the default and custom `NetworkPolicy` resources are created. + +.Prerequisites + +* You have enabled network policy for {cert-manager-operator} in the `CertManager` custom resource. + +.Procedure + +* Verify the list of `NetworkPolicy` resources in the `cert-manager` namespace by running the following command: ++ +[source, terminal] +---- +$ oc get networkpolicy -n cert-manager +---- ++ +.Example output ++ +[source, terminal] +---- +NAME POD-SELECTOR AGE +cert-manager-allow-egress-to-api-server app.kubernetes.io/instance=cert-manager 7s +cert-manager-allow-egress-to-dns app=cert-manager 6s +cert-manager-allow-ingress-to-metrics app.kubernetes.io/instance=cert-manager 7s +cert-manager-allow-ingress-to-webhook app=webhook 6s +cert-manager-deny-all app.kubernetes.io/instance=cert-manager 8s +cert-manager-user-allow-egress-to-acme-server app=cert-manager 8s +cert-manager-user-allow-egress-to-dns-service app=cert-manager 7s +---- ++ +The output lists the default policies and any custom policies that you created. \ No newline at end of file diff --git a/security/cert_manager_operator/cert-manager-nw-policy.adoc b/security/cert_manager_operator/cert-manager-nw-policy.adoc new file mode 100644 index 000000000000..e87249294a32 --- /dev/null +++ b/security/cert_manager_operator/cert-manager-nw-policy.adoc @@ -0,0 +1,36 @@ +:_mod-docs-content-type: ASSEMBLY +[id="cert-manager-nw-policy"] += Network policy configuration for cert-manager Operator +include::_attributes/common-attributes.adoc[] +:context: cert-manager-nw-policy + +toc::[] + +The {cert-manager-operator} provides predefined `NetworkPolicy` resources to enhance security by controlling the ingress and egress traffic for its components. By default, this feature is disabled to prevent connectivity issues or breaking changes during an upgrade. To use this feature, you must enable it in the `CertManager` custom resource (CR). + +After enabling the default policies, you must manually configure additional egress rules to allow outbound traffic. These rules are required for {cert-manager-operator} to communicate with external services beyond the API server and internal DNS. + +The examples of services that require custom egress rules include the following: + +* ACME servers, for example, Let's Encrypt + +* DNS-01 challenge providers, for example, AWS Route53 or Cloudflare + +* External CAs, such as HashiCorp Vault + +[NOTE] +==== +Network policies are expected to be enabled by default in a future release, which could cause connectivity failures during an upgrade. To prepare for this change, configure the required egress policies. +==== + +// Egress and ingress rules +include::modules/cert-manager-nw-policy-rules.adoc[leveloffset=+1] + +//Network policy parameters +include::modules/cert-manager-nw-policy-params.adoc[leveloffset=+1] + +//Network policy examples +include::modules/cert-manager-nw-policy-examples.adoc[leveloffset=+1] + +//Verification +include::modules/cert-manager-nw-policy-verify.adoc[leveloffset=+1] \ No newline at end of file