Merge branch 'main' into netobserv-584

Author: leandroberetta

api/flowcollector/v1beta2/flowcollector_types.go

@@ -86,16 +86,16 @@ type FlowCollectorSpec struct {
 	// +k8s:conversion-gen=false
 	Exporters []*FlowCollectorExporter `json:"exporters"`
 
-	// `networkPolicy` defines ingress network policy settings for NetObserv components isolation.
+	// `networkPolicy` defines network policy settings for NetObserv components isolation.
 	// +k8s:conversion-gen=false
 	NetworkPolicy NetworkPolicy `json:"networkPolicy,omitempty"`
 }
 
 type NetworkPolicy struct {
 	// Set `enable` to `true` to deploy network policies on the namespaces used by NetObserv (main and privileged). It is disabled by default.
 	// These network policies better isolate the NetObserv components to prevent undesired connections to them.
-	// To increase the security of connections, enable this option or create your own network policy.
-	// +optional
+	// This option is enabled by default, disable it to manually manage network policies
+	// +kubebuilder:default:=true
 	Enable *bool `json:"enable,omitempty"`
 
 	// `additionalNamespaces` contains additional namespaces allowed to connect to the NetObserv namespace.

bundle/manifests/flows.netobserv.io_flowcollectors.yaml

@@ -4284,8 +4284,8 @@ spec:
                     and recreate the resource.
                   rule: self == oldSelf
               networkPolicy:
-                description: '`networkPolicy` defines ingress network policy settings
-                  for NetObserv components isolation.'
+                description: '`networkPolicy` defines network policy settings for
+                  NetObserv components isolation.'
                 properties:
                   additionalNamespaces:
                     description: |-
@@ -4296,10 +4296,11 @@ spec:
                       type: string
                     type: array
                   enable:
+                    default: true
                     description: |-
                       Set `enable` to `true` to deploy network policies on the namespaces used by NetObserv (main and privileged). It is disabled by default.
                       These network policies better isolate the NetObserv components to prevent undesired connections to them.
-                      To increase the security of connections, enable this option or create your own network policy.
+                      This option is enabled by default, disable it to manually manage network policies
                     type: boolean
                 type: object
               processor:

bundle/manifests/netobserv-operator.clusterserviceversion.yaml

@@ -214,7 +214,7 @@ metadata:
             "namespace": "netobserv",
             "networkPolicy": {
               "additionalNamespaces": [],
-              "enable": false
+              "enable": true
             },
             "processor": {
               "imagePullPolicy": "IfNotPresent",
@@ -254,7 +254,7 @@ metadata:
     categories: Monitoring, Networking, Observability
     console.openshift.io/plugins: '["netobserv-plugin"]'
     containerImage: quay.io/netobserv/network-observability-operator:1.9.2-community
-    createdAt: "2025-09-23T01:25:21Z"
+    createdAt: "2025-09-18T08:50:21Z"
     description: Network flows collector and monitoring solution
     operatorframework.io/initialization-resource: '{"apiVersion":"flows.netobserv.io/v1beta2",
       "kind":"FlowCollector","metadata":{"name":"cluster"},"spec": {}}'

config/crd/bases/flows.netobserv.io_flowcollectors.yaml

@@ -3931,7 +3931,7 @@ spec:
                     - message: Namespace is immutable. If you need to change it, delete and recreate the resource.
                       rule: self == oldSelf
                 networkPolicy:
-                  description: '`networkPolicy` defines ingress network policy settings for NetObserv components isolation.'
+                  description: '`networkPolicy` defines network policy settings for NetObserv components isolation.'
                   properties:
                     additionalNamespaces:
                       description: |-
@@ -3942,10 +3942,11 @@ spec:
                         type: string
                       type: array
                     enable:
+                      default: true
                       description: |-
                         Set `enable` to `true` to deploy network policies on the namespaces used by NetObserv (main and privileged). It is disabled by default.
                         These network policies better isolate the NetObserv components to prevent undesired connections to them.
-                        To increase the security of connections, enable this option or create your own network policy.
+                        This option is enabled by default, disable it to manually manage network policies
                       type: boolean
                   type: object
                 processor:

config/samples/flows_v1beta2_flowcollector.yaml

@@ -6,7 +6,7 @@ spec:
   namespace: netobserv
   deploymentModel: Direct
   networkPolicy:
-    enable: false
+    enable: true
     additionalNamespaces: []
   agent:
     type: eBPF

docs/FlowCollector.md

@@ -154,7 +154,7 @@ Kafka can provide better scalability, resiliency, and high availability (for mor
         <td><b><a href="#flowcollectorspecnetworkpolicy">networkPolicy</a></b></td>
         <td>object</td>
         <td>
-          `networkPolicy` defines ingress network policy settings for NetObserv components isolation.<br/>
+          `networkPolicy` defines network policy settings for NetObserv components isolation.<br/>
         </td>
         <td>false</td>
       </tr><tr>
@@ -8406,7 +8406,7 @@ If the namespace is different, the config map or the secret is copied so that it
 
 
 
-`networkPolicy` defines ingress network policy settings for NetObserv components isolation.
+`networkPolicy` defines network policy settings for NetObserv components isolation.
 
 <table>
     <thead>
@@ -8432,7 +8432,9 @@ configuration, you can disable it and install your own instead.<br/>
         <td>
           Set `enable` to `true` to deploy network policies on the namespaces used by NetObserv (main and privileged). It is disabled by default.
 These network policies better isolate the NetObserv components to prevent undesired connections to them.
-To increase the security of connections, enable this option or create your own network policy.<br/>
+This option is enabled by default, disable it to manually manage network policies<br/>
+          <br/>
+            <i>Default</i>: true<br/>
         </td>
         <td>false</td>
       </tr></tbody>

helm/crds/flows.netobserv.io_flowcollectors.yaml

@@ -3935,7 +3935,7 @@ spec:
                     - message: Namespace is immutable. If you need to change it, delete and recreate the resource.
                       rule: self == oldSelf
                 networkPolicy:
-                  description: '`networkPolicy` defines ingress network policy settings for NetObserv components isolation.'
+                  description: '`networkPolicy` defines network policy settings for NetObserv components isolation.'
                   properties:
                     additionalNamespaces:
                       description: |-
@@ -3946,10 +3946,11 @@ spec:
                         type: string
                       type: array
                     enable:
+                      default: true
                       description: |-
                         Set `enable` to `true` to deploy network policies on the namespaces used by NetObserv (main and privileged). It is disabled by default.
                         These network policies better isolate the NetObserv components to prevent undesired connections to them.
-                        To increase the security of connections, enable this option or create your own network policy.
+                        This option is enabled by default, disable it to manually manage network policies
                       type: boolean
                   type: object
                 processor:

internal/controller/flowcollector_controller_iso_test.go

@@ -218,7 +218,7 @@ func flowCollectorIsoSpecs() {
 			},
 			Exporters: []*flowslatest.FlowCollectorExporter{},
 			NetworkPolicy: flowslatest.NetworkPolicy{
-				Enable:               nil,
+				Enable:               ptr.To(true),
 				AdditionalNamespaces: []string{},
 			},
 		}

internal/controller/networkpolicy/np_objects.go

@@ -27,7 +27,7 @@ func buildMainNetworkPolicy(desired *flowslatest.FlowCollector, mgr *manager.Man
 	ns := desired.Spec.GetNamespace()
 
 	name := types.NamespacedName{Name: netpolName, Namespace: ns}
-	if desired.Spec.NetworkPolicy.Enable == nil || !*desired.Spec.NetworkPolicy.Enable {
+	if !helper.DeployNetworkPolicy(&desired.Spec) {
 		return name, nil
 	}
 
@@ -191,7 +191,7 @@ func buildPrivilegedNetworkPolicy(desired *flowslatest.FlowCollector, mgr *manag
 	privNs := mainNs + constants.EBPFPrivilegedNSSuffix
 
 	name := types.NamespacedName{Name: netpolName, Namespace: privNs}
-	if desired.Spec.NetworkPolicy.Enable == nil || !*desired.Spec.NetworkPolicy.Enable {
+	if !helper.DeployNetworkPolicy(&desired.Spec) {
 		return name, nil
 	}
 
@@ -245,5 +245,19 @@ func buildPrivilegedNetworkPolicy(desired *flowslatest.FlowCollector, mgr *manag
 		}
 	}
 
+	for _, aNs := range desired.Spec.NetworkPolicy.AdditionalNamespaces {
+		np.Spec.Ingress = append(np.Spec.Ingress, networkingv1.NetworkPolicyIngressRule{
+			From: []networkingv1.NetworkPolicyPeer{
+				peerInNamespace(aNs),
+			},
+		})
+		np.Spec.Egress = append(np.Spec.Egress, networkingv1.NetworkPolicyEgressRule{
+			To: []networkingv1.NetworkPolicyPeer{
+				peerInNamespace(aNs),
+			},
+		})
+
+	}
+
 	return name, &np
 }

internal/controller/networkpolicy/np_test.go

@@ -189,5 +189,19 @@ func TestNpBuilder(t *testing.T) {
 	assert.NotNil(np)
 	assert.Equal(np.ObjectMeta.Name, name.Name)
 	assert.Equal(np.ObjectMeta.Namespace, name.Namespace)
-	assert.Equal([]networkingv1.NetworkPolicyIngressRule{}, np.Spec.Ingress)
+	assert.Equal([]networkingv1.NetworkPolicyIngressRule{
+		{From: []networkingv1.NetworkPolicyPeer{
+			{NamespaceSelector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"kubernetes.io/metadata.name": "foo",
+				},
+			}},
+		}},
+		{From: []networkingv1.NetworkPolicyPeer{
+			{NamespaceSelector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"kubernetes.io/metadata.name": "bar",
+				},
+			}},
+		}}}, np.Spec.Ingress)
 }