openshift · dusk125 · Jan 30, 2026 · Jan 30, 2026 · Jan 30, 2026 · Feb 2, 2026
diff --git a/manifests/0000_20_etcd-operator_11_networkpolicies.yaml b/manifests/0000_20_etcd-operator_11_networkpolicies.yaml
@@ -0,0 +1,171 @@
+---
+# Allow egress to DNS for the etcd-operator.
+# The operator needs DNS resolution to resolve service names and API endpoints.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-dns
+  namespace: openshift-etcd-operator
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  podSelector: {}
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-dns
+    ports:
+    - protocol: TCP
+      port: 5353
+    - protocol: UDP
+      port: 5353
+    - protocol: TCP
+      port: 53
+    - protocol: UDP
+      port: 53
+  policyTypes:
+  - Egress
+---
+# Allow egress to the Kubernetes API server.
+# The etcd-operator needs to communicate with the API server to:
+# - Watch and update etcd resources
+# - Manage pods, services, and other resources in the openshift-etcd namespace
+# - Update cluster operator status
+# - Watch nodes and other cluster resources
+#
+# Note: We allow all egress because the API server IP address and port can vary
+# depending on cluster configuration (external load balancer, internal service, etc.).
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-apiserver
+  namespace: openshift-etcd-operator
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  podSelector: {}
+  egress:
+  - {}
+  policyTypes:
+  - Egress
+---
+# Allow ingress to the metrics endpoint from Prometheus.
+# The etcd-operator exposes metrics on port 8443 (containerPort) which is mapped
+# to port 443 via the "metrics" service.
+#
+# This policy allows Prometheus (and other monitoring components) running in namespaces
+# with the host-network policy group label to scrape metrics from the operator.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-metrics
+  namespace: openshift-etcd-operator
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  podSelector:
+    matchLabels:
+      app: etcd-operator
+  ingress:
+  - ports:
+    - protocol: TCP
+      port: 8443
+  policyTypes:
+  - Ingress
+---
+# Allow egress to etcd endpoints.
+# The etcd-operator needs to communicate with etcd pods to:
+# - Manage the etcd cluster (add/remove members)
+# - Check etcd health and status
+# - Perform backup and restore operations
+#
+# etcd pods run with hostNetwork: true, which means they bypass
+# NetworkPolicy entirely. We restrict egress to the openshift-etcd namespace
+# on specific ports for defense in depth, even though etcd itself runs on
+# the host network and is accessed via node IPs.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-etcd
+  namespace: openshift-etcd-operator
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  podSelector:
+    matchLabels:
+      app: etcd-operator
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-etcd
+    ports:
+    - protocol: TCP
+      port: 2379
+    - protocol: TCP
+      port: 9978
+    - protocol: TCP
+      port: 9979
+    - protocol: TCP
+      port: 9980
+  policyTypes:
+  - Egress
+---
+# Allow egress to monitoring services (Thanos/Prometheus).
+# The etcd-operator's FSyncController needs to query Thanos for etcd disk fsync metrics
+# to monitor disk performance and detect issues.
+#
+# The controller queries thanos-querier.openshift-monitoring.svc:9091 to get
+# histogram data about etcd disk write performance.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-monitoring
+  namespace: openshift-etcd-operator
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  podSelector:
+    matchLabels:
+      app: etcd-operator
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-monitoring
+    ports:
+    - protocol: TCP
+      port: 9091
+  policyTypes:
+  - Egress
+---
+# Default-deny policy for the openshift-etcd-operator namespace.
+# This policy selects all pods in the namespace and enables default-deny for both
+# ingress and egress by specifying policyTypes without any allow rules.
+#
+# NetworkPolicies are additive (use OR logic):
+# - This policy enables default-deny for all pods
+# - Subsequent policies add specific allow rules
+# - If any policy allows traffic, that traffic is permitted
+# - Policies cannot override or block traffic allowed by other policies
+#
+# Without this policy, all pods would have unrestricted network access (allow-all).
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny
+  namespace: openshift-etcd-operator
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress