1 change: 1 addition & 0 deletions config/default/kustomization.yaml
@@ -5,3 +5,4 @@ resources:
- ../crd
- ../rbac
- ../manager
# - ../networkpolicies
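Review bot: the only added line, `# - ../networkpolicies`, is commented out, so the default overlay still never renders any of the new policies; either enable the entry or state in the commit message why the policies are opt-in and how a deployment is expected to pick them up, otherwise the rest of this change is dead configuration.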
21 changes: 21 additions & 0 deletions config/networkpolicies/default-deny-all.yaml
@@ -0,0 +1,21 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: openshift-update-service
annotations:
description: |
Default deny policy that blocks all ingress and egress traffic for all pods in the namespace.
This provides a secure baseline where only explicitly allowed traffic can flow.
Other network policies in this namespace will provide specific allow rules.
spec:
# Apply to all pods in the namespace
podSelector: {}
# Block all traffic types by specifying empty arrays
policyTypes:
- Ingress
- Egress
# No ingress rules = deny all ingress
ingress: []
# No egress rules = deny all egress
egress: []
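Review bot: the comment above `policyTypes` is misleading and the `ingress: []` / `egress: []` entries are redundant; listing both types in `policyTypes` with no rules is what denies the traffic, and an empty list means the same as an absent field. The more important point is that `podSelector: {}` covers every pod in `openshift-update-service`, while the operand allow policies in this change select pods by the `deployment` label, so any pod in the namespace that carries neither that label nor whatever the operator-* policies match loses DNS and API egress entirely. A sentence in the description annotation saying so, plus a check that the operator policies cover everything that runs in the namespace, would avoid a surprising outage when the policies are enabled.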
41 changes: 41 additions & 0 deletions config/networkpolicies/kustomization.yaml
@@ -0,0 +1,41 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

metadata:
name: networkpolicies
annotations:
description: |
Network policies for Cincinnati Operator (OTA-1608)

These policies implement defense-in-depth security for the Cincinnati operator
and UpdateService operand workloads.

namespace: openshift-update-service

resources:
# Default deny policy - blocks all traffic by default
- default-deny-all.yaml

# Operator network policies
- operator-egress-openshift-api.yaml
- operator-egress-openshift-dns.yaml
- operator-ingress-prometheus.yaml

# Operand network policies
- operand-egress-openshift-api.yaml
- operand-egress-openshift-dns.yaml
- operand-egress-external-registries.yaml
- operand-egress-cluster-proxy.yaml
- operand-egress-internal-registry.yaml
- operand-ingress-openshift-router.yaml
- operand-ingress-prometheus.yaml

# Add management labels to the NetworkPolicy metadata only
labels:
- includeSelectors: false
pairs:
app.kubernetes.io/part-of: update-service-operator
network-policy.operator.openshift.io/managed-by: cincinnati-operator

# Set consistent naming convention
namePrefix: "osus-"
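Review bot: `namespace: openshift-update-service` is set here and hardcoded again in every resource file; kustomize overwrites the per-file value, so this is harmless, but keeping the namespace in one place (drop the per-file `namespace:`) avoids drift if the operator is ever installed elsewhere. `includeSelectors: false` is the right choice for the management labels, since adding them to `podSelector` would silently change which pods the policies apply to.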
47 changes: 47 additions & 0 deletions config/networkpolicies/operand-egress-cluster-proxy.yaml
@@ -0,0 +1,47 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: operand-egress-cluster-proxy
namespace: openshift-update-service
annotations:
description: |
Allows UpdateService operand pods to access OpenShift cluster-wide proxy.
This enables the Cincinnati policy engine to access external registries
through the cluster's configured HTTP/HTTPS proxy in disconnected environments.
labels:
app.kubernetes.io/name: update-service
app.kubernetes.io/component: network-policy
spec:
# Target all operand pods (UpdateService workloads)
podSelector:
matchExpressions:
- key: deployment
operator: Exists # Matches any pod with a "deployment" label (operand pods)
policyTypes:
- Egress
egress:
# Allow access to cluster-wide proxy (if configured)
# This targets the proxy service in openshift-config-managed or similar
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-config-managed
ports:
- protocol: TCP
port: 3128 # Standard HTTP proxy port
- protocol: TCP
port: 8080 # Alternative proxy port

# Allow access to proxy pods in openshift-ingress or similar namespaces
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-ingress
podSelector:
matchLabels:
app.kubernetes.io/component: proxy
ports:
- protocol: TCP
port: 3128
- protocol: TCP
port: 8080
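Review bot: both destinations in this policy are guesses, as the "or similar" in each comment admits: the OpenShift cluster-wide proxy is configured in the `proxies.config.openshift.io/cluster` object and is normally an endpoint outside the cluster, not a workload in `openshift-config-managed` or `openshift-ingress`, so both `to:` blocks will most likely select no pods and the policy allows nothing while reading as if it does. Either derive the proxy host from the cluster Proxy configuration and express it as an `ipBlock`, or drop this file, since `operand-egress-external-registries.yaml` already opens 8080 and 3128 to any destination.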
36 changes: 36 additions & 0 deletions config/networkpolicies/operand-egress-external-registries.yaml
@@ -0,0 +1,36 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: operand-egress-external-registries
namespace: openshift-update-service
annotations:
description: |
Allows UpdateService operand pods to access container registries for graph data scraping.
This enables the Cincinnati policy engine to gather release metadata from registries.
Access may be via proxies in disconnected environments.
labels:
app.kubernetes.io/name: update-service
app.kubernetes.io/component: network-policy
spec:
# Target all operand pods (UpdateService workloads)
podSelector:
matchExpressions:
- key: deployment
operator: Exists # Matches any pod with a "deployment" label (operand pods)
policyTypes:
- Egress
egress:
# Allow HTTPS registry access (direct or via proxy)
- to: [] # Allow to any destination for registry access
ports:
- protocol: TCP
port: 443 # HTTPS for secure registry access
- protocol: TCP
port: 80 # HTTP for some registries/proxies
# Allow proxy access if configured
- to: []
ports:
- protocol: TCP
port: 8080 # Common proxy port
- protocol: TCP
port: 3128 # Squid proxy port
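Review bot: beyond the breadth already flagged, `to: []` means the same as omitting `to`, so the first rule also matches every pod and service inside the cluster on 80 and 443, not only the external registries the file name implies, and the second rule (8080/3128 to anywhere) duplicates what `operand-egress-cluster-proxy.yaml` tries to allow. If the intent is genuinely external-only, use one `ipBlock` with `cidr: 0.0.0.0/0` and an `except:` list holding the cluster and service network CIDRs (values depend on the install config; placeholder here), and drop the proxy ports unless the proxy is known to live outside the cluster.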
⚠️ Potential issue | 🟠 Major

Egress to any destination is overly permissive.

Using to: [] allows egress to any IP address on these ports (80, 443, 8080, 3128), not just container registries. This effectively permits operand pods to reach any external endpoint on common HTTP/proxy ports, which is a significant security surface.

Consider whether you can restrict destinations to known registry CIDRs or use more specific ipBlock rules. If full flexibility is required for disconnected/proxy environments, ensure this permissiveness is an accepted risk.

🤖 Prompt for AI Agents
In `@config/networkpolicies/operand-egress-external-registries.yaml` around lines
22 - 36, The egress rules currently use unrestricted destinations via the two
entries with "- to: []" (the egress block allowing ports 443, 80, 8080, 3128),
which is overly permissive; change those "- to: []" entries to explicit
destination restrictions by replacing them with targeted ipBlock CIDRs or
specific IP ranges/hosts for your container registries or proxy endpoints (or
use namespace/peer selectors if applicable) for each port group (HTTPS 443, HTTP
80, proxy 8080/3128); if full open egress is required for disconnected/proxy
scenarios, add a clear comment and a configurable allowlist variable so the
permissiveness is explicit and auditable.

45 changes: 45 additions & 0 deletions config/networkpolicies/operand-egress-internal-registry.yaml
@@ -0,0 +1,45 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: operand-egress-internal-registry
namespace: openshift-update-service
annotations:
description: |
Allows UpdateService operand pods to access OpenShift internal image registry.
This enables the Cincinnati policy engine to query the internal registry
for OpenShift release image metadata and graph data.
labels:
app.kubernetes.io/name: update-service
app.kubernetes.io/component: network-policy
spec:
# Target all operand pods (UpdateService workloads)
podSelector:
matchExpressions:
- key: deployment
operator: Exists # Matches any pod with a "deployment" label (operand pods)
policyTypes:
- Egress
egress:
# Allow access to OpenShift internal image registry
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-image-registry
podSelector:
matchLabels:
docker-registry: default
ports:
- protocol: TCP
port: 5000 # Internal registry port

# Allow access to registry console (if enabled)
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-image-registry
podSelector:
matchLabels:
name: registry-console
ports:
- protocol: TCP
port: 9000
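Review bot: the second rule targets `registry-console` on port 9000, which was the OpenShift 3 Cockpit-based console and is not present on the OpenShift 4 clusters this operator runs on, so the selector matches nothing; remove it rather than ship a dead rule that implies a real dependency. The first rule's `docker-registry: default` label and port 5000 match the image-registry pods, so that part looks right.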
42 changes: 42 additions & 0 deletions config/networkpolicies/operand-egress-openshift-api.yaml
@@ -0,0 +1,42 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: operand-egress-openshift-api
namespace: openshift-update-service
annotations:
description: |
Allows UpdateService operand pods to communicate with the OpenShift API server.
This is required for the Cincinnati policy engine to query cluster information and release data.
labels:
app.kubernetes.io/name: update-service
app.kubernetes.io/component: network-policy
spec:
# Target all operand pods (UpdateService workloads)
podSelector:
matchExpressions:
- key: deployment
operator: Exists # Matches any pod with a "deployment" label (operand pods)
policyTypes:
- Egress
egress:
# Allow OpenShift API server communication via kubernetes service
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: default
podSelector:
matchLabels:
component: apiserver
ports:
- protocol: TCP
port: 443 # HTTPS API server (kubernetes service)
- protocol: TCP
port: 6443 # Direct API server port
# Allow OpenShift API server pods (master nodes)
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-kube-apiserver
ports:
- protocol: TCP
port: 6443
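Review bot: the first rule's `podSelector` with `component: apiserver` in the `default` namespace is unlikely to match anything: on OpenShift 4 the `kubernetes` service in `default` has no backing pods in that namespace, its endpoints are the control-plane node IPs on 6443, and the kube-apiserver runs as host-networked static pods in `openshift-kube-apiserver`, which the second rule already selects. Because those pods use the host network, whether a `namespaceSelector` admits traffic to them depends on the CNI, so please verify in a real cluster that the operand can still reach `kubernetes.default` with the default deny applied, and fall back to an `ipBlock` on the control-plane (machine network) CIDR if it cannot. Port 443 in the first rule is only the pre-DNAT service port; the policy is evaluated after the service DNAT to 6443.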
34 changes: 34 additions & 0 deletions config/networkpolicies/operand-egress-openshift-dns.yaml
@@ -0,0 +1,34 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: operand-egress-openshift-dns
namespace: openshift-update-service
annotations:
description: |
Allows UpdateService operand pods to perform DNS resolution.
This enables the Cincinnati policy engine to resolve external registry URLs and services.
labels:
app.kubernetes.io/name: update-service
app.kubernetes.io/component: network-policy
spec:
# Target all operand pods (UpdateService workloads)
podSelector:
matchExpressions:
- key: deployment
operator: Exists # Matches any pod with a "deployment" label (operand pods)
policyTypes:
- Egress
egress:
# Allow DNS resolution to openshift-dns namespace
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-dns
podSelector:
matchLabels:
dns.operator.openshift.io/daemonset-dns: default
ports:
- protocol: UDP
port: 5353
- protocol: TCP
port: 5353
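Review bot: the 5353 ports are correct but deserve a comment in the file: pods query the `dns-default` service on 53, which is DNATed to the CoreDNS container port 5353 before the policy is evaluated, so a well-meaning future "fix" changing these to 53 would silently break resolution under the default deny.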
31 changes: 31 additions & 0 deletions config/networkpolicies/operand-ingress-openshift-router.yaml
@@ -0,0 +1,31 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: operand-ingress-openshift-router
namespace: openshift-update-service
annotations:
description: |
Allows OpenShift router to forward traffic to UpdateService operand pods.
This enables external clients to access the Cincinnati policy engine API.
labels:
app.kubernetes.io/name: update-service
app.kubernetes.io/component: network-policy
spec:
# Target all operand pods (UpdateService workloads)
podSelector:
matchExpressions:
- key: deployment
operator: Exists # Matches any pod with a "deployment" label (operand pods)
policyTypes:
- Ingress
ingress:
# Allow traffic from OpenShift router
- from:
- namespaceSelector:
matchLabels:
policy-group.network.openshift.io/ingress: ""
ports:
- protocol: TCP
port: policy-engine # Named port reference
- protocol: TCP
port: 8081 # Direct port reference as fallback
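Review bot: the named port `policy-engine` only matches if the operand container declares a `containerPort` with exactly that name; if it does not, the entry silently matches nothing and only the `8081` fallback works, so either confirm the name in the operand Deployment or keep just the numeric port. Also, the `policy-group.network.openshift.io/ingress: ""` selector covers a router on the pod network; when the IngressController is published with `HostNetwork`, router traffic arrives from the node and OpenShift documents a separate `policy-group.network.openshift.io/host-network: ""` namespace selector for that case, which is worth a comment or a second `from` entry.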
49 changes: 49 additions & 0 deletions config/networkpolicies/operand-ingress-prometheus.yaml
@@ -0,0 +1,49 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: operand-ingress-prometheus
namespace: openshift-update-service
annotations:
description: |
Allows Prometheus monitoring stack to scrape metrics from UpdateService operand pods.
This enables observability and monitoring of the Cincinnati policy engine health and performance.
labels:
app.kubernetes.io/name: update-service
app.kubernetes.io/component: network-policy
spec:
# Target all operand pods (UpdateService workloads)
podSelector:
matchExpressions:
- key: deployment
operator: Exists # Matches any pod with a "deployment" label (operand pods)
policyTypes:
- Ingress
ingress:
# Allow Prometheus to scrape metrics
- from:
# OpenShift monitoring namespace (cluster monitoring)
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-monitoring
podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
# Alternative monitoring namespace patterns
- namespaceSelector:
matchLabels:
name: openshift-monitoring
podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
# User workload monitoring namespace
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-user-workload-monitoring
podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
ports:
- protocol: TCP
port: 9080 # Graph builder status/health port
- protocol: TCP
port: 9081 # Policy engine status/health port
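Review bot: the second `from` entry (`name: openshift-monitoring` with the same pod selector) duplicates the first using a legacy namespace label; `kubernetes.io/metadata.name` is set on every namespace by the API server, so the legacy entry adds nothing and should be dropped to keep the rule readable. The description also speaks of health and performance scraping, but only the 9080/9081 status ports are listed; if the operand's ServiceMonitor scrapes any other port, it must be added here or Prometheus will report the target as down once the default deny is in effect.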