OTA-1521: Add a default-deny network policy for CVO namespace #1198
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@petr-muller: This pull request references OTA-1531 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: petr-muller The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
petr-muller
changed the title
|
@petr-muller: This pull request references OTA-1521 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
I was expected none of the e2e would succeed (as CVO would broken up to "Deny ALL") but the situation is much better. |
|
/cc |
Yeah, checkout the Pragmatic (CVO uses host network) section of the working doc. Network Policies do not affect most host-networked pods traffic. It definitely does not affect the core functionality (being a k8s controller=talking to the apiserver). We will need to test all functionality that uses network communication (see the working doc) to be sure though - it is also possible that we simply do not have tests that exercise the functionality. |
petr-muller
changed the title
|
@petr-muller: This pull request references OTA-1499 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.20.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Add a baseline NetworkPolicy to deny all network communication (both ingress and egress) to all pods in the namespace. Any necessary network traffic needs to be allowed by an additional NetworkPolicy resource (they are additive). At the moment, the default deny all policy should be the only one needed: - CVO is host-networked so it is [not affected by network policies](https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/networking/network-security#network-policy) - Bare `version` pods spawned by CVO do not require any network communication See [OTA Network Policies Working Document](https://docs.google.com/document/d/1Dzr3eYGVl6OBxqfUohugJLsbsn7sYrC3fN6yCe8zTRQ/edit?tab=t.0#heading=h.9vehq2liufe) for more information.
petr-muller
force-pushed
the
ota-1521-add-deny-all-network-policy
branch
from
76b22be to
07c6b5c
Compare
petr-muller
changed the title
|
@petr-muller: This pull request references OTA-1499 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.20.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@petr-muller: This pull request references OTA-1521 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@petr-muller: This pull request references OTA-1521 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@petr-muller: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Add a baseline NetworkPolicy to deny all network communication (both ingress and egress) to all pods in the namespace. Any necessary network traffic needs to be allowed by an additional NetworkPolicy resource (they are additive).
At the moment, the default deny all policy should be the only one needed:
versionpods spawned by CVO do not require any network communicationSee OTA Network Policies Working Document for more information.