Skip to content

Add static NetworkPolicy for marketplace-operator #644

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add static NetworkPolicy for marketplace-operator #644

wants to merge 1 commit into from
+63 −0

Conversation

rashmigottipati
Copy link
Member

Description of the change:

Motivation for the change:

Reviewer Checklist

  • Implementation matches the proposed design, or proposal is updated to match implementation
  • Sufficient unit test coverage
  • Sufficient end-to-end test coverage
  • Docs updated or added to /docs
  • Commit messages sensible and descriptive

@openshift-ci openshift-ci bot requested review from anik120 and ankitathomas July 2, 2025 22:13
@rashmigottipati
Copy link
Member Author

/retest

1 similar comment
@rashmigottipati
Copy link
Member Author

/retest

perdasilva
perdasilva reviewed Jul 3, 2025
View reviewed changes
@perdasilva perdasilva self-requested a review July 3, 2025 16:17
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 3, 2025
@perdasilva perdasilva removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 3, 2025
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 3, 2025
@kuiwang02
Copy link

/test-required

@kuiwang02
Copy link

/retest-required

@kuiwang02
Copy link

/test e2e-gcp-operator

@kuiwang02
Copy link

/hold
for pre-testing

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 4, 2025
@kuiwang02
Copy link

@rashmigottipati
during pre-merge testing, I found two issues:
https://issues.redhat.com/browse/OCPBUGS-58388
https://issues.redhat.com/browse/OCPBUGS-58390

please help resolve them before the PR is merged. frankly they cause the function blocked, so they have to fixed in priority

Thanks

@rashmigottipati
Copy link
Member Author

/test e2e-gcp-operator

@kuiwang02
Copy link

@rashmigottipati
the fix for https://issues.redhat.com/browse/OCPBUGS-58388 does not work. the log is updated in the ticket. you could check it.
why your fix does not work: you add 443 port for maketplace-operator pod, not unpack pod, so it does not work.
maybe you do need to enable 443 for the all pod in this ns. it means you need enable port in deny all policy.
I am not sure if it is correct solution. please talk to SME on it how to fix it.

@kuiwang02
Copy link

@rashmigottipati
for https://issues.redhat.com/browse/OCPBUGS-58390, we can query metrics with the fix, but I do not think the fix is correct because the label openshift.io/cluster-monitoring: "true" is used wrongly. please check the update of the ticket.
I suggest to

  ingress:
    - ports:
        - protocol: TCP
          port: 8081

it is same to other NP on metric port.

please talk to SME on it.

@rashmigottipati rashmigottipati requested a review from kuiwang02 July 7, 2025 03:17
kuiwang02
kuiwang02 reviewed Jul 7, 2025
View reviewed changes
config/networkpolicy/marketplace-operator.yaml
port: 8081
egress:
- ports:
- protocol: TCP
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rashmigottipati I guess it is not needed

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rashmigottipati Hi, reminder! thanks

@kuiwang02
Copy link

@rashmigottipati with new rule, it still does not work for https://issues.redhat.com/browse/OCPBUGS-58388.

@rashmigottipati
Copy link
Member Author

/retest

@grokspawn
Copy link
Contributor

grokspawn commented Jul 7, 2025
edited
Loading

@rashmigottipati with new rule, it still does not work for https://issues.redhat.com/browse/OCPBUGS-58388.

These changes are for OCP only; HCP implements their own approach to default catalog availability

I see that there are changes in the NP to attempt to interact with the HCP API server. I'm not sure if these will be effective since it doesn't appear that HCP currently implements OLM-specific NPs, but at least my original comment isn't correct.

@kuiwang02
Copy link

@rashmigottipati with new rule, it still does not work for https://issues.redhat.com/browse/OCPBUGS-58388.

These changes are for OCP only; HCP implements their own approach to default catalog availability

I see that there are changes in the NP to attempt to interact with the HCP API server. I'm not sure if these will be effective since it doesn't appear that HCP currently implements OLM-specific NPs, but at least my original comment isn't correct.

@grokspawn
1, the networkpolicy in this PR will appear on hosted cluster of hypershift env besides OCP cluster.
2, the apiserver for this hosted cluster is located in control plan ns of hypershift mgmt cluster. the connection between mgmt cluster and hosted cluster is done by konnectivity. it has svc in default ns of hosted cluster.

[root@preserve-olm-env2 OPRUN-3896]# oc -n default get svc
NAME                        TYPE           CLUSTER-IP       EXTERNAL-IP                            PORT(S)   AGE
kubernetes                  ClusterIP      172.31.0.1       <none>                                 443/TCP   24m
openshift                   ExternalName   <none>           kubernetes.default.svc.cluster.local   <none>    20m
openshift-apiserver         ClusterIP      172.31.205.130   <none>                                 443/TCP   23m
openshift-oauth-apiserver   ClusterIP      172.31.98.193    <none>                                 443/TCP   23m
packageserver               ClusterIP      172.31.131.55    <none>                                 443/TCP   23m
[root@preserve-olm-env2 OPRUN-3896]# oc -n default get svc kubernetes -o yaml
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: "2025-07-07T01:07:49Z"
  labels:
    component: apiserver
    provider: kubernetes
  name: kubernetes
  namespace: default
  resourceVersion: "275"
  uid: 9c4ae8ee-1533-490c-8ff2-12fce8ca9a36
spec:
  clusterIP: 172.31.0.1
  clusterIPs:
  - 172.31.0.1
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: 6443
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}

So, I am not sure if https://issues.redhat.com/browse/OCPBUGS-58388 is hypershift to fix (for me, I think it is olm to fix it).
but I am sure currently we can not merge such network policy because it cause installation from default catsrc fails on hosted cluster.

by the way, why I guess olm need to fix https://issues.redhat.com/browse/OCPBUGS-58388:
current networkpolicy block the unpack pod on hosted cluster access the apiserver on mgmt cluster, so if we enable such port for unpack pod dynamically, it is ok to access the apiserver on mgmt cluster.

maybe we could remove deny-all rule currently as workaround if there is no good solution on it.

cc @oceanc80 @rashmigottipati

@kuiwang02
Copy link

kuiwang02 commented Jul 8, 2025
edited
Loading

@rashmigottipati @grokspawn @oceanc80
I did more checking and find the apiserver proxy of hosted cluster take 6443.

[root@preserve-olm-env2 OPRUN-3896]# oc -n kube-system get pod
NAME                                                              READY   STATUS    RESTARTS   AGE
konnectivity-agent-kq67s                                          1/1     Running   0          130m
konnectivity-agent-lvnll                                          1/1     Running   0          130m
konnectivity-agent-pxl65                                          1/1     Running   0          130m
kube-apiserver-proxy-ip-10-0-143-235.us-east-2.compute.internal   1/1     Running   0          130m
kube-apiserver-proxy-ip-10-0-144-78.us-east-2.compute.internal    1/1     Running   0          130m
kube-apiserver-proxy-ip-10-0-171-79.us-east-2.compute.internal    1/1     Running   0          130m
[root@preserve-olm-env2 OPRUN-3896]# oc -n kube-system get pod kube-apiserver-proxy-ip-10-0-143-235.us-east-2.compute.internal -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubernetes.io/config.hash: a62cd84106bc7e639dbebf92ca2bcac9
    kubernetes.io/config.mirror: a62cd84106bc7e639dbebf92ca2bcac9
    kubernetes.io/config.seen: "2025-07-08T02:50:32.831271083Z"
    kubernetes.io/config.source: file
  creationTimestamp: "2025-07-08T02:50:34Z"
  labels:
    k8s-app: kube-apiserver-proxy
  name: kube-apiserver-proxy-ip-10-0-143-235.us-east-2.compute.internal
  namespace: kube-system
  ownerReferences:
  - apiVersion: v1
    controller: true
    kind: Node
    name: ip-10-0-143-235.us-east-2.compute.internal
    uid: 1302e9f2-809d-4c42-ac79-e5f91f9ac4ce
  resourceVersion: "5611"
  uid: c9cabec3-a9d3-4948-ba08-86190a71ee89
spec:
  containers:
  - command:
    - haproxy
    - -f
    - /usr/local/etc/haproxy
    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:517e6ecc165325a5f772ff3df06471bb7763e097c6658f68ea04253262341e02
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 3
      httpGet:
        host: 172.20.0.1
        path: /version
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 120
      periodSeconds: 120
      successThreshold: 1
      timeoutSeconds: 1
    name: haproxy
    ports:
    - containerPort: 6443
      hostPort: 6443
      name: apiserver
      protocol: TCP
    resources:
      requests:
        cpu: 13m
        memory: 16Mi
    securityContext:
      runAsUser: 1001
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /usr/local/etc/haproxy
      name: config
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  hostNetwork: true
  nodeName: ip-10-0-143-235.us-east-2.compute.internal
  preemptionPolicy: PreemptLowerPriority
  priority: 2000001000
  priorityClassName: system-node-critical
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    operator: Exists
  - effect: NoSchedule
    key: node.kubernetes.io/memory-pressure
    operator: Exists
  volumes:
  - hostPath:
      path: /etc/kubernetes/apiserver-proxy-config
      type: ""
    name: config
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2025-07-08T02:51:16Z"
    status: "True"
    type: PodReadyToStartContainers
  - lastProbeTime: null
    lastTransitionTime: "2025-07-08T02:50:33Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2025-07-08T02:51:16Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2025-07-08T02:51:16Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2025-07-08T02:50:33Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: cri-o://e7e41d2fa8d3b125dbcd12e8601751345f9ca5e6568f0bb2f656277eb2d41fad
    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:517e6ecc165325a5f772ff3df06471bb7763e097c6658f68ea04253262341e02
    imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:517e6ecc165325a5f772ff3df06471bb7763e097c6658f68ea04253262341e02
    lastState: {}
    name: haproxy
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2025-07-08T02:51:15Z"
    volumeMounts:
    - mountPath: /usr/local/etc/haproxy
      name: config
  hostIP: 10.0.143.235
  hostIPs:
  - ip: 10.0.143.235
  phase: Running
  podIP: 10.0.143.235
  podIPs:
  - ip: 10.0.143.235
  qosClass: Burstable
  startTime: "2025-07-08T02:50:33Z"

So, I tried the policy for 6443, and it works.
(thought the error is 443, actutally the svc kubenets target to 6443 provided by kube-apiserver-proxy)

[root@preserve-olm-env2 OPRUN-3896]# oc -n openshift-marketplace get networkpolicy -o yaml
apiVersion: v1
items:
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"networking.k8s.io/v1","kind":"NetworkPolicy","metadata":{"annotations":{},"name":"default-deny-all","namespace":"openshift-marketplace"},"spec":{"egress":[{"ports":[{"port":443,"protocol":"TCP"}],"to":[{"ipBlock":{"cidr":"172.31.0.1/32"}}]}],"podSelector":{},"policyTypes":["Ingress","Egress"]}}
    creationTimestamp: "2025-07-08T03:08:44Z"
    generation: 3
    name: default-deny-all
    namespace: openshift-marketplace
    resourceVersion: "49438"
    uid: 03e44016-4bcc-41f8-8bcf-0b0360eee0ed
  spec:
    egress:
    - ports:
      - port: 6443
        protocol: TCP
    podSelector: {}
    policyTypes:
    - Ingress
    - Egress
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"networking.k8s.io/v1","kind":"NetworkPolicy","metadata":{"annotations":{},"name":"marketplace-operator","namespace":"openshift-marketplace"},"spec":{"egress":[{"ports":[{"port":6443,"protocol":"TCP"},{"port":53,"protocol":"TCP"},{"port":53,"protocol":"UDP"}]}],"ingress":[{"ports":[{"port":8081,"protocol":"TCP"}]}],"podSelector":{"matchLabels":{"name":"marketplace-operator"}},"policyTypes":["Ingress","Egress"]}}
    creationTimestamp: "2025-07-08T03:08:48Z"
    generation: 1
    name: marketplace-operator
    namespace: openshift-marketplace
    resourceVersion: "14314"
    uid: 50bbd9cb-abe7-47ed-a9a1-1dfd893099d9
  spec:
    egress:
    - ports:
      - port: 6443
        protocol: TCP
      - port: 53
        protocol: TCP
      - port: 53
        protocol: UDP
    ingress:
    - ports:
      - port: 8081
        protocol: TCP
    podSelector:
      matchLabels:
        name: marketplace-operator
    policyTypes:
    - Ingress
    - Egress
kind: List
metadata:
  resourceVersion: ""

So, please make the rule as the following:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
  name: default-deny-all
  namespace: openshift-marketplace
spec:
  egress:
  - ports:
    - port: 6443
      protocol: TCP
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: marketplace-operator
  namespace: openshift-marketplace
spec:
  egress:
  - ports:
    - port: 6443
      protocol: TCP
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
  ingress:
  - ports:
    - port: 8081
      protocol: TCP
  podSelector:
    matchLabels:
      name: marketplace-operator
  policyTypes:
  - Ingress
  - Egress

and then it will make both https://issues.redhat.com/browse/OCPBUGS-58388 and https://issues.redhat.com/browse/OCPBUGS-58390 works.

@kuiwang02
Copy link

@rashmigottipati @grokspawn @oceanc80
the above yaml is not good. here are the good rules. suggest to take them to update the PR.
1, keep default-deny-all to deny all ingress and egress

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
  name: default-deny-all
  namespace: openshift-marketplace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

2, remove 443 from marketplace-operator rule

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: marketplace-operator
  namespace: openshift-marketplace
spec:
  egress:
  - ports:
    - port: 6443
      protocol: TCP
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
  ingress:
  - ports:
    - port: 8081
      protocol: TCP
  podSelector:
    matchLabels:
      name: marketplace-operator
  policyTypes:
  - Ingress
  - Egress

3, add unpack-bundle rule to enable unpack pod of hosted cluster to access apiserver of mgmt cluster

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: unpack-bundles
  namespace: openshift-marketplace
spec:
  egress:
  - ports:
    - port: 6443
      protocol: TCP
  podSelector:
    matchExpressions:
    - key: operatorframework.io/bundle-unpack-ref
      operator: Exists
    - key: olm.managed
      operator: In
      values:
      - "true"
  policyTypes:
  - Ingress
  - Egress

with the above three rules, it works.

[root@preserve-olm-env2 OPRUN-3896]# oc get nodes
NAME                                         STATUS   ROLES    AGE     VERSION
ip-10-0-130-5.us-east-2.compute.internal     Ready    worker   6m4s    v1.32.5
ip-10-0-154-14.us-east-2.compute.internal    Ready    worker   6m55s   v1.32.5
ip-10-0-169-157.us-east-2.compute.internal   Ready    worker   7m7s    v1.32.5
[root@preserve-olm-env2 OPRUN-3896]# oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.20.0-0.nightly-2025-07-01-051543   True        False         84s     Cluster version is 4.20.0-0.nightly-2025-07-01-051543
[root@preserve-olm-env2 OPRUN-3896]# oc -n openshift-marketplace get networkpolicy -o yaml
apiVersion: v1
items:
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"networking.k8s.io/v1","kind":"NetworkPolicy","metadata":{"annotations":{},"name":"default-deny-all","namespace":"openshift-marketplace"},"spec":{"podSelector":{},"policyTypes":["Ingress","Egress"]}}
    creationTimestamp: "2025-07-08T05:30:10Z"
    generation: 1
    name: default-deny-all
    namespace: openshift-marketplace
    resourceVersion: "11995"
    uid: d6a84e5a-5786-482c-8e82-efb6047d8cc7
  spec:
    podSelector: {}
    policyTypes:
    - Ingress
    - Egress
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"networking.k8s.io/v1","kind":"NetworkPolicy","metadata":{"annotations":{},"name":"marketplace-operator","namespace":"openshift-marketplace"},"spec":{"egress":[{"ports":[{"port":6443,"protocol":"TCP"},{"port":53,"protocol":"TCP"},{"port":53,"protocol":"UDP"}]}],"ingress":[{"ports":[{"port":8081,"protocol":"TCP"}]}],"podSelector":{"matchLabels":{"name":"marketplace-operator"}},"policyTypes":["Ingress","Egress"]}}
    creationTimestamp: "2025-07-08T05:30:22Z"
    generation: 1
    name: marketplace-operator
    namespace: openshift-marketplace
    resourceVersion: "12045"
    uid: 65ccdeef-086e-4337-b48d-27297aa67a96
  spec:
    egress:
    - ports:
      - port: 6443
        protocol: TCP
      - port: 53
        protocol: TCP
      - port: 53
        protocol: UDP
    ingress:
    - ports:
      - port: 8081
        protocol: TCP
    podSelector:
      matchLabels:
        name: marketplace-operator
    policyTypes:
    - Ingress
    - Egress
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"networking.k8s.io/v1","kind":"NetworkPolicy","metadata":{"annotations":{},"name":"unpack-bundles","namespace":"openshift-marketplace"},"spec":{"egress":[{"ports":[{"port":6443,"protocol":"TCP"}]}],"podSelector":{"matchExpressions":[{"key":"operatorframework.io/bundle-unpack-ref","operator":"Exists"},{"key":"olm.managed","operator":"In","values":["true"]}]},"policyTypes":["Ingress","Egress"]}}
    creationTimestamp: "2025-07-08T05:30:38Z"
    generation: 1
    name: unpack-bundles
    namespace: openshift-marketplace
    resourceVersion: "12120"
    uid: ccce057e-ac9e-4873-891e-f9601fc50379
  spec:
    egress:
    - ports:
      - port: 6443
        protocol: TCP
    podSelector:
      matchExpressions:
      - key: operatorframework.io/bundle-unpack-ref
        operator: Exists
      - key: olm.managed
        operator: In
        values:
        - "true"
    policyTypes:
    - Ingress
    - Egress
kind: List
metadata:
  resourceVersion: ""
[root@preserve-olm-env2 OPRUN-3896]# oc create ns test3896
namespace/test3896 created
[root@preserve-olm-env2 OPRUN-3896]# oc apply -f og.yaml 
operatorgroup.operators.coreos.com/og-81389 created
[root@preserve-olm-env2 OPRUN-3896]# oc apply -f sub.yaml 
subscription.operators.coreos.com/sub-81389 created
[root@preserve-olm-env2 OPRUN-3896]# oc apply -f catsrc.yaml 
catalogsource.operators.coreos.com/catsrc-operator created
[root@preserve-olm-env2 OPRUN-3896]# oc create ns testnod
namespace/testnod created
[root@preserve-olm-env2 OPRUN-3896]# oc apply -f noog.yaml 
operatorgroup.operators.coreos.com/og-singlenamespace created
[root@preserve-olm-env2 OPRUN-3896]# oc apply -f nosub.yaml 
subscription.operators.coreos.com/nginx-ok-v23170 created
[root@preserve-olm-env2 OPRUN-3896]# oc -n openshift-marketplace get pod
NAME                                                              READY   STATUS      RESTARTS   AGE
b72447df9c7b416ef9dbeb099605a6f744ea2a6a181256d12f4023e46dxjqb8   0/1     Completed   0          9m43s
catsrc-operator-jqdtj                                             1/1     Running     0          8m11s
e6ed4023a8bdc26b42a6a3b525b25fe2fdf1ef34ab1f427129671a6471jmmw4   0/1     Completed   0          7m49s
[root@preserve-olm-env2 OPRUN-3896]# oc get csv -A
NAMESPACE   NAME                      DISPLAY                           VERSION   REPLACES                  PHASE
test3896    postgresoperator.v5.8.2   Crunchy Postgres for Kubernetes   5.8.2     postgresoperator.v5.8.1   Succeeded
testnod     nginx-ok-v23170.v0.0.1    vokv23170                         0.0.1                               Succeeded

@rashmigottipati rashmigottipati force-pushed the add-static-networkpolicy branch from 2d2c288 to d8efb4c Compare July 8, 2025 21:05
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jul 8, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: grokspawn, perdasilva, rashmigottipati

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [grokspawn,perdasilva]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@rashmigottipati
Add static NetworkPolicy for marketplace-operator
c7c4f9c 
Signed-off-by: Rashmi Gottipati <rgottipa@redhat.com>
@rashmigottipati rashmigottipati force-pushed the add-static-networkpolicy branch from d8efb4c to c7c4f9c Compare July 8, 2025 21:17
@grokspawn
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kuiwang02 kuiwang02 kuiwang02 left review comments

@grokspawn grokspawn grokspawn approved these changes

@anik120 anik120 Awaiting requested review from anik120

@ankitathomas ankitathomas Awaiting requested review from ankitathomas

@perdasilva perdasilva Awaiting requested review from perdasilva

Assignees

@grokspawn grokspawn

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@rashmigottipati @kuiwang02 @grokspawn @perdasilva