kustomize: operator network policies

This commit introduces two network policies for the operator:
1. A default deny-all policy that blocks all ingress and egress traffic by default. This serves as a security baseline, ensuring that no unintended connections are allowed from or to the operator pod.
2. A policy allowing egress traffic from the scheduler pod to the API server.

NOTE: OLM does not support generation of network-policy as part of CSV
creation just yet.
Those will be deployed along side the operator only when using
kustomize.

Signed-off-by: Ronny Baturov <[email protected]>
Co-authored-by: Talor Itzhak <[email protected]>

Author: rbaturov

config/default/kustomization.yaml

@@ -16,6 +16,7 @@ resources:
 - ../crd
 - ../rbac
 - ../manager
+- ../networkpolicy
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
 #- ../webhook

config/networkpolicy/deny-all.yaml

@@ -0,0 +1,12 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: operator-default-deny-all
+spec:
+  podSelector:
+    matchLabels:
+      app: numaresources-operator
+  policyTypes:
+  - Ingress
+  - Egress
+

config/networkpolicy/egress-to-api-server.yaml

@@ -0,0 +1,14 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: operator-egress-to-api-server
+spec:
+  podSelector:
+    matchLabels:
+      app: numaresources-operator 
+  egress:
+  - ports:
+    - protocol: TCP
+      port: 6443 
+  policyTypes:
+  - Egress

config/networkpolicy/ingress-to-metrics.yaml

@@ -0,0 +1,14 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: ingress-to-operator-metrics
+spec:
+  podSelector:
+    matchLabels:
+      app: numaresources-operator
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 8080
+  policyTypes:
+    - Ingress

config/networkpolicy/kustomization.yaml

@@ -0,0 +1,4 @@
+resources:
+- deny-all.yaml
+- egress-to-api-server.yaml
+- ingress-to-metrics.yaml