Add DNS network policy for OCP

Author: kabicin

controllers/webspherelibertyapplication_controller.go

@@ -398,8 +398,7 @@ func (r *ReconcileWebSphereLiberty) Reconcile(ctx context.Context, request ctrl.
 			common.StatusConditionTypeReconciled, instance)
 	}
 
-	// Kube API Server NetworkPolicy (credit to Martin Smithson)
-	reqLogger.Info("Start API Server Network Policy Reconcile")
+	// Kube API Server NetworkPolicy (based upon impl. by Martin Smithson)
 	apiServerNetworkPolicy := &networkingv1.NetworkPolicy{ObjectMeta: metav1.ObjectMeta{
 		Name:      instance.Name + "-egress-apiserver-access",
 		Namespace: instance.Namespace,
@@ -409,8 +408,30 @@ func (r *ReconcileWebSphereLiberty) Reconcile(ctx context.Context, request ctrl.
 			OperatorAllowAPIServerAccessLabel: "true",
 		},
 	}
+	// Add OpenShift DNS NetworkPolicy (if applicable)
+	if r.IsOpenShift() {
+		dnsRule := networkingv1.NetworkPolicyEgressRule{}
+		if dnsEndpoints, err := r.getEndpoints("dns-default", "openshift-dns"); err == nil {
+			if endpointPort := lutils.GetEndpointPortByName(&dnsEndpoints.Subsets[0].Ports, "dns"); endpointPort != nil {
+				dnsRule.Ports = append(dnsRule.Ports, lutils.CreateNetworkPolicyPortFromEndpointPort(endpointPort))
+			}
+			if endpointPort := lutils.GetEndpointPortByName(&dnsEndpoints.Subsets[0].Ports, "dns-tcp"); endpointPort != nil {
+				dnsRule.Ports = append(dnsRule.Ports, lutils.CreateNetworkPolicyPortFromEndpointPort(endpointPort))
+			}
+			reqLogger.Info("Found endpoints for dns-default service in the openshift-dns namespace")
+		} else {
+			peer := networkingv1.NetworkPolicyPeer{}
+			peer.NamespaceSelector = &metav1.LabelSelector{
+				MatchLabels: map[string]string{},
+			}
+			dnsRule.To = append(dnsRule.To, peer)
+			reqLogger.Info("Failed to retrieve endpoints for dns-default service in the openshift-dns namespace. Using more permissive rule.")
+		}
+		apiServerNetworkPolicy.Spec.Egress = append(apiServerNetworkPolicy.Spec.Egress, dnsRule)
+	}
+
 	rule := networkingv1.NetworkPolicyEgressRule{}
-	if apiServerEndpoints, err := r.getKubeAPIServerEndpoints(); err == nil {
+	if apiServerEndpoints, err := r.getEndpoints("kubernetes", "default"); err == nil {
 		// Define the port
 		port := networkingv1.NetworkPolicyPort{}
 		port.Protocol = &apiServerEndpoints.Subsets[0].Ports[0].Protocol
@@ -941,9 +962,7 @@ func shouldDeleteRoute(ba common.BaseComponent) bool {
 	return false
 }
 
-func (r *ReconcileWebSphereLiberty) getKubeAPIServerEndpoints() (*corev1.Endpoints, error) {
-	serviceName := "kubernetes"
-	namespace := "default"
+func (r *ReconcileWebSphereLiberty) getEndpoints(serviceName string, namespace string) (*corev1.Endpoints, error) {
 	endpoints := &corev1.Endpoints{}
 	if err := r.GetClient().Get(context.TODO(), types.NamespacedName{Name: serviceName, Namespace: namespace}, endpoints); err != nil {
 		return nil, err

utils/utils.go

@@ -25,6 +25,8 @@ import (
 	"strconv"
 	"strings"
 
+	networkingv1 "k8s.io/api/networking/v1"
+
 	wlv1 "github.com/WASdev/websphere-liberty-operator/api/v1"
 	rcoutils "github.com/application-stacks/runtime-component-operator/utils"
 	routev1 "github.com/openshift/api/route/v1"
@@ -34,6 +36,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
@@ -784,3 +787,20 @@ func GetRequiredLabels(name string, instance string) map[string]string {
 	requiredLabels["app.kubernetes.io/managed-by"] = "websphere-liberty-operator"
 	return requiredLabels
 }
+
+func GetEndpointPortByName(endpointPorts *[]corev1.EndpointPort, name string) *corev1.EndpointPort {
+	for _, endpointPort := range *endpointPorts {
+		if endpointPort.Name == name {
+			return &endpointPort
+		}
+	}
+	return nil
+}
+
+func CreateNetworkPolicyPortFromEndpointPort(endpointPort *corev1.EndpointPort) networkingv1.NetworkPolicyPort {
+	port := networkingv1.NetworkPolicyPort{}
+	port.Protocol = &endpointPort.Protocol
+	var portNumber intstr.IntOrString = intstr.FromInt((int)(endpointPort.Port))
+	port.Port = &portNumber
+	return port
+}