CNTRLPLANE-2663: Add network policies #1538
@dusk125: This pull request references CNTRLPLANE-2663 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
CodeRabbit walkthrough: Adds six NetworkPolicy resources in the openshift-etcd-operator namespace: a default-deny baseline plus policies permitting egress to DNS, the API server, etcd, monitoring, and an ingress rule for metrics exposure.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: dusk125. The full list of commands accepted by this bot can be found here. The pull request process is described here.
/retest-required
/label tide/merge-method-squash
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@manifests/0000_20_etcd-operator_11_networkpolicies.yaml`:
- Around line 1-38: The NetworkPolicy named "allow-to-dns" currently sets
spec.policyTypes to only Egress so ingress default-deny is not enforced; either
add "Ingress" to spec.policyTypes and add an empty spec.ingress: [] to enable
default-deny ingress for the selected pods (keep podSelector: {} to apply to all
pods), or update the top comment to remove the claim that default-deny for
ingress is automatically enabled and clearly state that only egress is
restricted by this policy; modify either spec.policyTypes (and add spec.ingress)
or the comment accordingly to make the behavior and documentation consistent.
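As an added example (not the manifest from this PR, whose contents are not reproduced here), a default-deny baseline written so that both directions are actually enforced, which is the fix the comment above proposes; the policy name is assumed, the namespace is the one the PR targets:

```yaml
# Constructed example, not the file under review.
# A NetworkPolicy only restricts the directions named in policyTypes.
# Weak form: the header comment promises default-deny, but only Egress is
# listed, so every pod in the namespace still accepts ingress from anywhere.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny            # assumed name
  namespace: openshift-etcd-operator
spec:
  podSelector: {}               # selects every pod in the namespace
  policyTypes:
  - Egress
  egress: []                    # no egress allowed, ingress left untouched
---
# Corrected form: both directions listed and both lists explicitly empty,
# so the baseline denies everything. Policies in a namespace are additive,
# so the allow-* policies then add back only the flows that are needed
# (DNS, API server, etcd, monitoring, metrics scraping).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny            # assumed name
  namespace: openshift-etcd-operator
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress: []                   # explicit empty list: deny all ingress
  egress: []                    # explicit empty list: deny all egress
```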
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@manifests/0000_20_etcd-operator_11_networkpolicies.yaml`:
- Around line 78-83: The allow-to-apiserver NetworkPolicy egress rule for port
6443 currently lacks a destination restriction; update the allow-to-apiserver
policy's egress entry (egress -> ports -> protocol: TCP port: 6443) to include a
corresponding "to" clause that limits destinations—either add an ipBlock with
the API server CIDR (ipBlock: cidr: <API_SERVER_CIDR>) or a `to` selector that
targets the API server workload (e.g., namespaceSelector matching the
openshift-kube-apiserver namespace and/or a podSelector matching the API server
pods/service), ensuring only the intended API server endpoint(s) can be reached.
| egress: | ||
| - ports: | ||
| - protocol: TCP | ||
| port: 6443 | ||
| policyTypes: | ||
| - Egress |
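Review bot: this egress entry has `ports` but no `to`, so with `policyTypes: [Egress]` it permits TCP/6443 to any destination, not just the API server. Add a `to` on the same list entry, either a `namespaceSelector` with `matchLabels` for `openshift-kube-apiserver` or an `ipBlock` for the API server address, so that peer and port are ANDed and the rule is scoped the way the DNS and monitoring policies in the same file are.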
🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# First, let's examine the specific NetworkPolicy file to understand the full context
echo "=== Full NetworkPolicy file context ==="
cat -n manifests/0000_20_etcd-operator_11_networkpolicies.yaml
echo -e "\n=== Searching for other port 6443 usages in YAML files ==="
rg -l 'port:\s*6443' --type yaml 2>/dev/null || echo "No other files found with port 6443"
echo -e "\n=== Checking for NetworkPolicy files in the manifest ==="
# fd takes the pattern first and the search path second; "." matches every
# name, so this lists all *.yaml/*.yml files under manifests/
fd -e yaml -e yml . manifests | grep -i network | head -20
```

Repository: openshift/cluster-etcd-operator
Egress to port 6443 lacks destination restrictions and applies to all pods.

The allow-to-apiserver policy applies to all pods (`podSelector: {}`), and its egress rule permits traffic to port 6443 without a `to` selector, allowing any destination. While API server access is necessary, other policies in this same file (allow-to-dns, allow-to-monitoring) successfully restrict egress destinations. Consider restricting this rule to the API server endpoint via `ipBlock` (for the API server CIDR) or a `to` selector targeting the openshift-kube-apiserver namespace. This reduces the attack surface for pods that may not actually need API access.
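Added example (not the PR's manifest) showing the rule from the hunk above as it reads in the review beside the scoped form the comment asks for; the policy name, namespaces and port come from the PR, the `kubernetes.io/metadata.name` label is the one Kubernetes sets on every namespace automatically, and the CIDR is a placeholder:

```yaml
# Constructed example, not the file under review.
# Before: allows TCP/6443 to ANY destination, because the egress entry
# carries only "ports" and no "to" peer list.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-to-apiserver
  namespace: openshift-etcd-operator
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - ports:
    - protocol: TCP
      port: 6443
---
# After: same port, but only toward the kube-apiserver namespace.
# "to" and "ports" inside one list entry are ANDed (only these peers AND
# only this port); separate entries in the egress list would be ORed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-to-apiserver
  namespace: openshift-etcd-operator
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-kube-apiserver
    # Alternative when the API server is reached by address rather than
    # as a selectable pod: replace the namespaceSelector entry with
    # - ipBlock:
    #     cidr: <API_SERVER_CIDR>   # placeholder, take from the cluster
    ports:
    - protocol: TCP
      port: 6443
```

Whether a namespaceSelector or podSelector matches host-network API server pods depends on the CNI plugin, which is why the ipBlock form is the fallback. After applying the policy, confirm from a pod in the namespace that 6443 on an unrelated address is refused while the API server still answers.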
@dusk125: The following test failed, say

Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
This PR adds network policies for the etcd-operator