network policy for metrics endpoint

This is needed to enable ingress traffic to the endpoint.

Signed-off-by: Ronny Baturov <[email protected]>

Author: rbaturov

pkg/metrics/manifests/manifests.go

@@ -22,6 +22,7 @@ import (
 	"path/filepath"
 
 	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/kubernetes/scheme"
 )
@@ -46,6 +47,22 @@ func Service(namespace string) (*corev1.Service, error) {
 	return service, nil
 }
 
+func NetworkPolicy(namespace string) (*networkingv1.NetworkPolicy, error) {
+	obj, err := loadObject(filepath.Join("yaml", "networkpolicy.yaml"))
+	if err != nil {
+		return nil, err
+	}
+
+	np, ok := obj.(*networkingv1.NetworkPolicy)
+	if !ok {
+		return nil, fmt.Errorf("unexpected type, got %t", obj)
+	}
+	if namespace != "" {
+		np.Namespace = namespace
+	}
+	return np, nil
+}
+
 func deserializeObjectFromData(data []byte) (runtime.Object, error) {
 	decode := scheme.Codecs.UniversalDeserializer().Decode
 	obj, _, err := decode(data, nil, nil)

pkg/metrics/manifests/monitor/monitor.go

@@ -18,25 +18,29 @@ package sched
 
 import (
 	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
 
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/openshift-kni/numaresources-operator/pkg/metrics/manifests"
 )
 
 type Manifests struct {
-	Service *corev1.Service
+	Service       *corev1.Service
+	NetworkPolicy *networkingv1.NetworkPolicy
 }
 
 func (mf Manifests) ToObjects() []client.Object {
 	return []client.Object{
 		mf.Service,
+		mf.NetworkPolicy,
 	}
 }
 
 func (mf Manifests) Clone() Manifests {
 	return Manifests{
-		Service: mf.Service.DeepCopy(),
+		Service:       mf.Service.DeepCopy(),
+		NetworkPolicy: mf.NetworkPolicy.DeepCopy(),
 	}
 }
 
@@ -49,5 +53,10 @@ func GetManifests(namespace string) (Manifests, error) {
 		return mf, err
 	}
 
+	mf.NetworkPolicy, err = manifests.NetworkPolicy(namespace)
+	if err != nil {
+		return mf, err
+	}
+
 	return mf, nil
 }

pkg/metrics/manifests/yaml/networkpolicy.yaml

@@ -0,0 +1,14 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: ingress-to-rte-metrics
+spec:
+  podSelector:
+    matchLabels:
+      name: resource-topology
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: metrics-port
+  policyTypes:
+    - Ingress

pkg/objectstate/rte/rte.go

@@ -21,6 +21,7 @@ import (
 
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/klog/v2"
 
@@ -96,7 +97,8 @@ type Errors struct {
 		ClusterRoleBinding error
 	}
 	Metrics struct {
-		Service error
+		Service       error
+		NetworkPolicy error
 	}
 }
 
@@ -239,6 +241,14 @@ func (em *ExistingManifests) State(mf Manifests) []objectstate.ObjectState {
 		Merge:    merge.ServiceForUpdate,
 	})
 
+	ret = append(ret, objectstate.ObjectState{
+		Existing: em.existing.Metrics.NetworkPolicy,
+		Error:    em.errs.Metrics.NetworkPolicy,
+		Desired:  mf.Metrics.NetworkPolicy.DeepCopy(),
+		Compare:  compare.Object,
+		Merge:    merge.MetadataForUpdate,
+	})
+
 	return ret
 }
 
@@ -328,6 +338,11 @@ func FromClient(ctx context.Context, cli client.Client, plat platform.Platform,
 		ret.existing.Metrics.Service = ser
 	}
 
+	networkPolicy := &networkingv1.NetworkPolicy{}
+	if ok := getObject(ctx, cli, keyFor(mf.Metrics.NetworkPolicy), networkPolicy, &ret.errs.Metrics.NetworkPolicy); ok {
+		ret.existing.Metrics.NetworkPolicy = networkPolicy
+	}
+
 	return &ret
 }