update network policy for opensearch/elasticsearch (#2542)

Daniel-Fan · web-flow · commit 486e80f2e7f5 · 2025-06-09T21:38:19.000+08:00
* update network policy for opensearch

Signed-off-by: Daniel Fan &lt;fanyuchensx@gmail.com&gt;

* Add component label to NetworkPolicy resources for Flink and OpenSearch

Signed-off-by: Daniel Fan &lt;fanyuchensx@gmail.com&gt;

---------

Signed-off-by: Daniel Fan &lt;fanyuchensx@gmail.com&gt;
diff --git a/cp3-networkpolicy/egress/flink/bedrock-egress-ibm-flink-operand.yaml b/cp3-networkpolicy/egress/flink/bedrock-egress-ibm-flink-operand.yaml
@@ -3,6 +3,8 @@ apiVersion: networking.k8s.io/v1
 metadata:
   name: egress-ibm-flink-operand
   namespace: "flinkNamespace"
+  labels:
+    component: cpfs3
 spec:
   podSelector: 
     matchLabels:
diff --git a/cp3-networkpolicy/egress/flink/bedrock-egress-ibm-flink-operator.yaml b/cp3-networkpolicy/egress/flink/bedrock-egress-ibm-flink-operator.yaml
@@ -3,6 +3,8 @@ apiVersion: networking.k8s.io/v1
 metadata:
   name: egress-ibm-flink-operator
   namespace: "opNamespace"
+  labels:
+    component: cpfs3
 spec:
   podSelector: 
     matchLabels:
diff --git a/cp3-networkpolicy/egress/opensearch/bedrock-egress-ibm-opensearch-operand.yaml b/cp3-networkpolicy/egress/opensearch/bedrock-egress-ibm-opensearch-operand.yaml
@@ -3,6 +3,8 @@ apiVersion: networking.k8s.io/v1
 metadata:
   name: egress-ibm-opensearch-operand
   namespace: "opensearchNamespace"
+  labels:
+    component: cpfs3
 spec:
   podSelector: 
     matchLabels:
diff --git a/cp3-networkpolicy/egress/opensearch/bedrock-egress-ibm-opensearch-operator.yaml b/cp3-networkpolicy/egress/opensearch/bedrock-egress-ibm-opensearch-operator.yaml
@@ -3,6 +3,8 @@ apiVersion: networking.k8s.io/v1
 metadata:
   name: egress-ibm-opensearch-operator
   namespace: "opNamespace"
+  labels:
+    component: cpfs3
 spec:
   podSelector: 
     matchLabels:
diff --git a/cp3-networkpolicy/ingress/flink/bedrock-access-to-ibm-flink-operand.yaml b/cp3-networkpolicy/ingress/flink/bedrock-access-to-ibm-flink-operand.yaml
@@ -3,6 +3,8 @@ apiVersion: networking.k8s.io/v1
 metadata:
   name: ingress-ibm-flink-operand
   namespace: "flinkNamespace"
+  labels:
+    component: cpfs3
 spec:
   podSelector: 
     matchLabels:
diff --git a/cp3-networkpolicy/ingress/flink/bedrock-access-to-ibm-flink-operator.yaml b/cp3-networkpolicy/ingress/flink/bedrock-access-to-ibm-flink-operator.yaml
@@ -3,6 +3,8 @@ apiVersion: networking.k8s.io/v1
 metadata:
   name: ingress-ibm-flink-operator
   namespace: "opNamespace"
+  labels:
+    component: cpfs3
 spec:
   podSelector: 
     matchLabels:
diff --git a/cp3-networkpolicy/ingress/opensearch/bedrock-access-to-ibm-elasticsearch-operand.yaml b/cp3-networkpolicy/ingress/opensearch/bedrock-access-to-ibm-elasticsearch-operand.yaml
@@ -0,0 +1,25 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: ingress-ibm-elasticsearch-operand
+  namespace: "opensearchNamespace"
+  labels:
+    component: cpfs3
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/managed-by: ibm-elasticsearch
+  ingress:
+    - ports:
+      - protocol: TCP
+        port: 443
+      - protocol: TCP
+        port: 19300
+      - protocol: TCP
+        port: 9300
+      - protocol: TCP
+        port: 9200
+      from:
+        - podSelector: {}
+  policyTypes:
+    - Ingress
diff --git a/cp3-networkpolicy/ingress/opensearch/bedrock-access-to-ibm-opensearch-operand.yaml b/cp3-networkpolicy/ingress/opensearch/bedrock-access-to-ibm-opensearch-operand.yaml
@@ -3,21 +3,34 @@ apiVersion: networking.k8s.io/v1
 metadata:
   name: ingress-ibm-opensearch-operand
   namespace: "opensearchNamespace"
+  labels:
+    component: cpfs3
 spec:
   podSelector:
     matchLabels:
-      app.kubernetes.io/managed-by: ibm-elasticsearch
+      cluster.opensearch.cloudpackopen.ibm.com: opensearch-cr
   ingress:
     - ports:
-      - protocol: TCP
-        port: 443
-      - protocol: TCP
-        port: 19300
-      - protocol: TCP
-        port: 9300
-      - protocol: TCP
-        port: 9200
+        - protocol: TCP
+          port: 9200
+          endPort: 9300
+        - protocol: TCP
+          port: 9300
+          endPort: 9400
       from:
-        - podSelector: {}
+        - podSelector:
+            matchLabels:
+              cluster.opensearch.cloudpackopen.ibm.com: opensearch-cr
+    - ports:
+        - protocol: TCP
+          port: 9200
+        - protocol: TCP
+          port: 2112
+        - protocol: TCP
+          port: 9300
+      from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: "opensearchNamespace"
   policyTypes:
     - Ingress
diff --git a/cp3-networkpolicy/ingress/opensearch/bedrock-access-to-ibm-opensearch-operator.yaml b/cp3-networkpolicy/ingress/opensearch/bedrock-access-to-ibm-opensearch-operator.yaml
@@ -3,6 +3,8 @@ apiVersion: networking.k8s.io/v1
 metadata:
   name: ingress-ibm-opensearch-operator
   namespace: "opNamespace"
+  labels:
+    component: cpfs3
 spec:
   podSelector: 
     matchLabels:
