From 144cb8d2fa0708f478c57ccb95a25eca5e3a2dee Mon Sep 17 00:00:00 2001 From: kabicin <37311900+kabicin@users.noreply.github.com> Date: Wed, 11 Jun 2025 11:21:33 -0400 Subject: [PATCH 1/4] Implement BaseComponentNetworkPolicy --- api/v1/webspherelibertyapplication_types.go | 68 +++++++++++++++++-- .../webspherelibertyapplication_controller.go | 38 ++++++++++- utils/utils.go | 22 ++++++ 3 files changed, 122 insertions(+), 6 deletions(-) diff --git a/api/v1/webspherelibertyapplication_types.go b/api/v1/webspherelibertyapplication_types.go index 1c6d45c8..0ba6d76c 100644 --- a/api/v1/webspherelibertyapplication_types.go +++ b/api/v1/webspherelibertyapplication_types.go 
@@ -414,13 +414,37 @@ type WebSphereLibertyApplicationNetworkPolicy struct { // +operator-sdk:csv:customresourcedefinitions:order=52,type=spec,displayName="Disable",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch" Disable *bool `json:"disable,omitempty"` - // Specify the labels of namespaces that incoming traffic is allowed from. - // +operator-sdk:csv:customresourcedefinitions:order=53,type=spec,displayName="Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" + // Disable the creation of the network policy ingress. Defaults to false. + // +operator-sdk:csv:customresourcedefinitions:order=53,type=spec,displayName="Disable Ingress",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch" + DisableIngress *bool `json:"disableIngress,omitempty"` + + // Disable the creation of the network policy egress. Defaults to false. + // +operator-sdk:csv:customresourcedefinitions:order=54,type=spec,displayName="Disable Egress",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch" + DisableEgress *bool `json:"disableEgress,omitempty"` + + // Bypasses deny all egress rules to allow API server and DNS access. Defaults to false. + // +operator-sdk:csv:customresourcedefinitions:order=55,type=spec,displayName="Bypass Deny All Egress",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch" + BypassDenyAllEgress *bool `json:"bypassDenyAllEgress,omitempty"` + + // Deprecated. .spec.networkPolicy.fromNamespaceLabels should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels will override this. + // +operator-sdk:csv:customresourcedefinitions:order=56,type=spec,displayName="Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" NamespaceLabels *map[string]string `json:"namespaceLabels,omitempty"` + // Specify the labels of namespaces that incoming traffic is allowed from. 
+ // +operator-sdk:csv:customresourcedefinitions:order=57,type=spec,displayName="From Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" + FromNamespaceLabels *map[string]string `json:"fromNamespaceLabels,omitempty"` + // Specify the labels of pod(s) that incoming traffic is allowed from. - // +operator-sdk:csv:customresourcedefinitions:order=54,type=spec,displayName="From Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" + // +operator-sdk:csv:customresourcedefinitions:order=58,type=spec,displayName="From Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" FromLabels *map[string]string `json:"fromLabels,omitempty"` + + // Specify the labels of namespaces that outgoing traffic is allowed to. + // +operator-sdk:csv:customresourcedefinitions:order=59,type=spec,displayName="To Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" + ToNamespaceLabels *map[string]string `json:"toNamespaceLabels,omitempty"` + + // Specify the labels of pod(s) that outgoing traffic is allowed to. + // +operator-sdk:csv:customresourcedefinitions:order=60,type=spec,displayName="To Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text" + ToLabels *map[string]string `json:"toLabels,omitempty"` } // Defines the desired state and cycle of applications. 
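Review bot: The new doc comment on `NamespaceLabels` opens with `Deprecated.` in prose, which is not the Go `// Deprecated: …` paragraph that staticcheck and gopls recognise, so existing callers that still set the field get no tooling hint that it is superseded. Keep the user-facing sentence for the CRD description and append a separate trailing paragraph, `//` blank line then `// Deprecated: use .spec.networkPolicy.fromNamespaceLabels instead.`, so both the CRD reader and Go tooling are served. The enclosing struct opens before this hunk.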
@@ -1211,8 +1235,28 @@ func (ssa *WebSphereLibertyApplicationServiceSessionAffinity) GetConfig() *corev return ssa.Config } -// GetNamespaceLabels returns the namespace selector labels that should be used for the ingress rule -func (np *WebSphereLibertyApplicationNetworkPolicy) GetNamespaceLabels() map[string]string { +// GetToNamespaceLabels returns the namespace selector labels that should be used for the egress rule +func (np *WebSphereLibertyApplicationNetworkPolicy) GetToNamespaceLabels() map[string]string { + if np.ToNamespaceLabels != nil { + return *np.ToNamespaceLabels + } + return nil +} + +// GetToLabels returns the pod selector labels that should be used for the egress rule +func (np *WebSphereLibertyApplicationNetworkPolicy) GetToLabels() map[string]string { + if np.ToLabels != nil { + return *np.ToLabels + } + return nil +} + +// GetFromNamespaceLabels returns the namespace selector labels that should be used for the ingress rule +func (np *WebSphereLibertyApplicationNetworkPolicy) GetFromNamespaceLabels() map[string]string { + if np.FromNamespaceLabels != nil { + return *np.FromNamespaceLabels + } + // fallback to deprecated flag np.NamespaceLabels for when we only supported one type of network policy (ingress) if np.NamespaceLabels != nil { return *np.NamespaceLabels } 
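Review bot: `GetNamespaceLabels` is deleted from an exported type in api/v1 rather than kept next to the new `GetFromNamespaceLabels`, so any external Go consumer of this API package that calls it stops compiling, even though the `namespaceLabels` field itself is retained for compatibility. A thin deprecated wrapper delegating to the new method preserves both the field and the accessor, as below. `GetFromNamespaceLabels` continues past the end of the hunk.
```go
// Deprecated: use GetFromNamespaceLabels instead.
func (np *WebSphereLibertyApplicationNetworkPolicy) GetNamespaceLabels() map[string]string {
	return np.GetFromNamespaceLabels()
}
```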
@@ -1232,6 +1276,20 @@ func (np *WebSphereLibertyApplicationNetworkPolicy) IsDisabled() bool { return np.Disable != nil && *np.Disable } +// IsIngressDisabled returns whether the network policy ingress should be created or not +func (np *WebSphereLibertyApplicationNetworkPolicy) IsIngressDisabled() bool { + return np.DisableIngress != nil && *np.DisableIngress +} + +// IsEgressDisabled returns whether the network policy egress should be created or not +func (np *WebSphereLibertyApplicationNetworkPolicy) IsEgressDisabled() bool { + return np.DisableEgress != nil && *np.DisableEgress +} + +func (np *WebSphereLibertyApplicationNetworkPolicy) IsBypassingDenyAllEgress() bool { + return np.BypassDenyAllEgress != nil && *np.BypassDenyAllEgress +} + // GetLabels returns labels to be added on ServiceMonitor func (m *WebSphereLibertyApplicationMonitoring) GetLabels() map[string]string { return m.Labels diff --git a/internal/controller/webspherelibertyapplication_controller.go b/internal/controller/webspherelibertyapplication_controller.go index b1c4a1d1..60897fc0 100644 --- a/internal/controller/webspherelibertyapplication_controller.go +++ b/internal/controller/webspherelibertyapplication_controller.go 
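Review bot: The doc comments on `IsIngressDisabled` and `IsEgressDisabled` read "returns whether the network policy ingress should be created or not", which suggests true means create, whereas each body returns true exactly when `DisableIngress` (resp. `DisableEgress`) is set. Suggest `// IsIngressDisabled reports whether .spec.networkPolicy.disableIngress turns off generation of the ingress rules.` and the matching egress wording, so the polarity is unambiguous for the code deciding whether to emit rules. The hunk does not say how these two flags interact with `IsDisabled()` when all three are set, which deserves a sentence on the `Disable` field's comment.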
@@ -73,6 +73,7 @@ const applicationFinalizer = "finalizer.webspherelibertyapps.liberty.websphere.i // +kubebuilder:rbac:groups=apps,resources=deployments;statefulsets,verbs=get;list;watch;create;update;delete,namespace=websphere-liberty-operator // +kubebuilder:rbac:groups=apps,resources=deployments/finalizers;statefulsets,verbs=update,namespace=websphere-liberty-operator // +kubebuilder:rbac:groups=core,resources=services;secrets;serviceaccounts;configmaps;persistentvolumeclaims,verbs=get;list;watch;create;update;delete,namespace=websphere-liberty-operator +// +kubebuilder:rbac:groups=core,resources=endpoints,verbs=get;list;watch,namespace=websphere-liberty-operator // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;delete,namespace=websphere-liberty-operator // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=get;list;watch;create;update;delete,namespace=websphere-liberty-operator // +kubebuilder:rbac:groups=autoscaling,resources=horizontalpodautoscalers,verbs=get;list;watch;create;update;delete,namespace=websphere-liberty-operator @@ -456,7 +457,7 @@ func (r *ReconcileWebSphereLiberty) Reconcile(ctx context.Context, request ctrl. networkPolicy := &networkingv1.NetworkPolicy{ObjectMeta: defaultMeta} if np := instance.Spec.NetworkPolicy; np == nil || np != nil && !np.IsDisabled() { err = r.CreateOrUpdate(networkPolicy, instance, func() error { - oputils.CustomizeNetworkPolicy(networkPolicy, r.IsOpenShift(), instance) + oputils.CustomizeNetworkPolicy(networkPolicy, r.IsOpenShift(), r.getDNSEgressRule, r.getEndpoints, instance) return nil }) if err != nil { 
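Review bot: The new RBAC marker grants `endpoints` get/list/watch only in `namespace=websphere-liberty-operator`, but `r.getEndpoints` is handed to `CustomizeNetworkPolicy` to look up the cluster DNS Endpoints, which in most clusters live in a different namespace; if the callback is invoked there the Get is forbidden and `getDNSEgressRule` falls back to its permissive rule, so the intended DNS-only egress silently becomes allow-all. Which name and namespace are passed is decided inside oputils.CustomizeNetworkPolicy, outside this patch, so please confirm the Role scope matches what the callback is asked to read. Separately, the core `Endpoints` resource is deprecated in recent Kubernetes releases in favour of `discovery.k8s.io` EndpointSlice, and the DNS port numbers are equally available from the DNS Service's own port list, which needs no RBAC beyond the `services` grant already present on the line above the new marker.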
@@ -1022,3 +1023,38 @@ func (r *ReconcileWebSphereLiberty) deletePVC(reqLogger logr.Logger, pvcName str } } } + +func (r *ReconcileWebSphereLiberty) getEndpoints(serviceName string, namespace string) (*corev1.Endpoints, error) { + endpoints := &corev1.Endpoints{} + if err := r.GetClient().Get(context.TODO(), types.NamespacedName{Name: serviceName, Namespace: namespace}, endpoints); err != nil { + return nil, err + } else { + return endpoints, nil + } +} + +func (r *ReconcileWebSphereLiberty) getDNSEgressRule(endpointsName string, endpointsNamespace string) (bool, networkingv1.NetworkPolicyEgressRule) { + dnsRule := networkingv1.NetworkPolicyEgressRule{} + if dnsEndpoints, err := r.getEndpoints(endpointsName, endpointsNamespace); err == nil { + if len(dnsEndpoints.Subsets) > 0 { + if endpointPort := lutils.GetEndpointPortByName(&dnsEndpoints.Subsets[0].Ports, "dns"); endpointPort != nil { + dnsRule.Ports = append(dnsRule.Ports, lutils.CreateNetworkPolicyPortFromEndpointPort(endpointPort)) + } + if endpointPort := lutils.GetEndpointPortByName(&dnsEndpoints.Subsets[0].Ports, "dns-tcp"); endpointPort != nil { + dnsRule.Ports = append(dnsRule.Ports, lutils.CreateNetworkPolicyPortFromEndpointPort(endpointPort)) + } + } + peer := networkingv1.NetworkPolicyPeer{} + peer.NamespaceSelector = &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "kubernetes.io/metadata.name": endpointsNamespace, + }, + } + dnsRule.To = append(dnsRule.To, peer) + return false, dnsRule + } + // use permissive rule + // egress: + // - {} + return true, dnsRule +} diff --git a/utils/utils.go b/utils/utils.go index 29f8817e..1df0fc28 100644 --- a/utils/utils.go +++ b/utils/utils.go @@ -28,6 +28,8 @@ import ( "math/rand/v2" + networkingv1 "k8s.io/api/networking/v1" + wlv1 "github.com/WASdev/websphere-liberty-operator/api/v1" rcoutils "github.com/application-stacks/runtime-component-operator/utils" routev1 "github.com/openshift/api/route/v1" 
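Review bot: `getDNSEgressRule` fails open: every error from `getEndpoints` — a forbidden Get, a transient API error, or Endpoints that do not exist yet — is discarded and the function returns `true`, which the trailing comment documents as the permissive `egress: - {}` rule, so a misconfiguration widens the policy from DNS-only to all destinations with nothing logged or surfaced on the CR. At minimum log `err` together with `endpointsName` and `endpointsNamespace` before falling back, and consider degrading only on `errors.IsNotFound(err)` (k8s.io/apimachinery/pkg/api/errors) while propagating other errors so the reconcile is retried; the callback has no error return today, so that also touches the callback type CustomizeNetworkPolicy expects. Smaller points in the same hunk: `getEndpoints` uses `context.TODO()` instead of the reconcile `ctx`, the `else` after `return nil, err` is redundant, and only `Subsets[0]` is searched although the named port may sit in a later subset.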
@@ -37,6 +39,7 @@ import ( "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/client-go/kubernetes" "k8s.io/client-go/kubernetes/scheme" "k8s.io/client-go/rest" @@ -1001,6 +1004,25 @@ func GetRequiredLabels(name string, instance string) map[string]string { return requiredLabels } +func GetEndpointPortByName(endpointPorts *[]corev1.EndpointPort, name string) *corev1.EndpointPort { + if endpointPorts != nil { + for _, endpointPort := range *endpointPorts { + if endpointPort.Name == name { + return &endpointPort + } + } + } + return nil +} + +func CreateNetworkPolicyPortFromEndpointPort(endpointPort *corev1.EndpointPort) networkingv1.NetworkPolicyPort { + port := networkingv1.NetworkPolicyPort{} + port.Protocol = &endpointPort.Protocol + var portNumber intstr.IntOrString = intstr.FromInt((int)(endpointPort.Port)) + port.Port = &portNumber + return port +} + func IsOperandVersionString(version string) bool { if !strings.Contains(version, "_") { return false From c1b08862a3545af0e88f937a07a4325320863cf6 Mon Sep 17 00:00:00 2001 
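Review bot: `GetEndpointPortByName` returns `&endpointPort`, the address of the range copy, so the caller receives a pointer to a detached copy rather than into the slice it passed; with `go 1.24` in go.mod this is no longer the pre-1.22 loop-variable aliasing bug, but together with the `*[]corev1.EndpointPort` parameter it reads as if an alias were returned. Indexing keeps the signature and returns the real element: `for i := range *endpointPorts { if (*endpointPorts)[i].Name == name { return &(*endpointPorts)[i] } }`. In `CreateNetworkPolicyPortFromEndpointPort`, `intstr.FromInt32(endpointPort.Port)` replaces the `(int)` cast and the explicit type if the apimachinery version in go.mod provides it, since `Port` is already an int32. Both exported functions lack doc comments; e.g. `// GetEndpointPortByName returns the port named name from endpointPorts, or nil when none matches.`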
From: kabicin <37311900+kabicin@users.noreply.github.com> Date: Wed, 11 Jun 2025 11:33:13 -0400 Subject: [PATCH 2/4] Add bundle manifests --- api/v1/zz_generated.deepcopy.go | 48 ++++++++++++++ ...bsphere-liberty.clusterserviceversion.yaml | 65 ++++++++++++++++--- ....ibm.com_webspherelibertyapplications.yaml | 33 +++++++++- ....ibm.com_webspherelibertyapplications.yaml | 33 +++++++++- ...bsphere-liberty.clusterserviceversion.yaml | 57 +++++++++++++--- config/rbac/role.yaml | 8 +++ .../kubectl/websphereliberty-app-crd.yaml | 33 +++++++++- .../websphereliberty-app-operator.yaml | 8 +++ .../websphereliberty-app-rbac-watch-all.yaml | 8 +++ ...bsphereliberty-app-rbac-watch-another.yaml | 8 +++ .../daily/base/websphere-liberty-crd.yaml | 33 +++++++++- .../daily/base/websphere-liberty-roles.yaml | 8 +++ .../watch-all-namespaces/cluster-roles.yaml | 8 +++ .../wlo-watched-ns/watched-roles.yaml | 8 +++ 14 files changed, 334 insertions(+), 24 deletions(-) diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go index f35dbb91..d7c856c8 100644 --- a/api/v1/zz_generated.deepcopy.go +++ b/api/v1/zz_generated.deepcopy.go @@ -490,6 +490,21 @@ func (in *WebSphereLibertyApplicationNetworkPolicy) DeepCopyInto(out *WebSphereL *out = new(bool) **out = **in } + if in.DisableIngress != nil { + in, out := &in.DisableIngress, &out.DisableIngress + *out = new(bool) + **out = **in + } + if in.DisableEgress != nil { + in, out := &in.DisableEgress, &out.DisableEgress + *out = new(bool) + **out = **in + } + if in.BypassDenyAllEgress != nil { + in, out := &in.BypassDenyAllEgress, &out.BypassDenyAllEgress + *out = new(bool) + **out = **in + } if in.NamespaceLabels != nil { in, out := &in.NamespaceLabels, &out.NamespaceLabels *out = new(map[string]string) 
@@ -501,6 +516,17 @@ func (in *WebSphereLibertyApplicationNetworkPolicy) DeepCopyInto(out *WebSphereL } } } + if in.FromNamespaceLabels != nil { + in, out := &in.FromNamespaceLabels, &out.FromNamespaceLabels + *out = new(map[string]string) + if **in != nil { + in, out := *in, *out + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + } if in.FromLabels != nil { in, out := &in.FromLabels, &out.FromLabels *out = new(map[string]string) @@ -512,6 +538,28 @@ func (in *WebSphereLibertyApplicationNetworkPolicy) DeepCopyInto(out *WebSphereL } } } + if in.ToNamespaceLabels != nil { + in, out := &in.ToNamespaceLabels, &out.ToNamespaceLabels + *out = new(map[string]string) + if **in != nil { + in, out := *in, *out + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + } + if in.ToLabels != nil { + in, out := &in.ToLabels, &out.ToLabels + *out = new(map[string]string) + if **in != nil { + in, out := *in, *out + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebSphereLibertyApplicationNetworkPolicy. diff --git a/bundle/manifests/ibm-websphere-liberty.clusterserviceversion.yaml b/bundle/manifests/ibm-websphere-liberty.clusterserviceversion.yaml index 2f4d9eb6..7fd27902 100644 --- a/bundle/manifests/ibm-websphere-liberty.clusterserviceversion.yaml +++ b/bundle/manifests/ibm-websphere-liberty.clusterserviceversion.yaml 
@@ -564,24 +564,24 @@ spec: path: semeruCloudCompiler.enable x-descriptors: - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - - description: Specify the labels of namespaces that incoming traffic is allowed - from. - displayName: Namespace Labels - path: networkPolicy.namespaceLabels + - description: Disable the creation of the network policy ingress. Defaults + to false. + displayName: Disable Ingress + path: networkPolicy.disableIngress x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:text + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - description: Number of desired pods for the Semeru Cloud Compiler. Defaults to 1. displayName: Replicas path: semeruCloudCompiler.replicas x-descriptors: - urn:alm:descriptor:com.tectonic.ui:podCount - - description: Specify the labels of pod(s) that incoming traffic is allowed - from. - displayName: From Labels - path: networkPolicy.fromLabels + - description: Disable the creation of the network policy egress. Defaults to + false. + displayName: Disable Egress + path: networkPolicy.disableEgress x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:text + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - description: Resource requests and limits for the Semeru Cloud Compiler. The CPU defaults to 100m with a limit of 2000m. The memory defaults to 800Mi, with a limit of 1200Mi. 
@@ -589,6 +589,43 @@ spec: path: semeruCloudCompiler.resources x-descriptors: - urn:alm:descriptor:com.tectonic.ui:resourceRequirements + - description: Bypasses deny all egress rules to allow API server and DNS access. + Defaults to false. + displayName: Bypass Deny All Egress + path: networkPolicy.bypassDenyAllEgress + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Deprecated. .spec.networkPolicy.fromNamespaceLabels should be + used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels + will override this. + displayName: Namespace Labels + path: networkPolicy.namespaceLabels + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:text + - description: Specify the labels of namespaces that incoming traffic is allowed + from. + displayName: From Namespace Labels + path: networkPolicy.fromNamespaceLabels + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:text + - description: Specify the labels of pod(s) that incoming traffic is allowed + from. + displayName: From Labels + path: networkPolicy.fromLabels + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:text + - description: Specify the labels of namespaces that outgoing traffic is allowed + to. + displayName: To Namespace Labels + path: networkPolicy.toNamespaceLabels + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:text + - description: Specify the labels of pod(s) that outgoing traffic is allowed + to. + displayName: To Labels + path: networkPolicy.toLabels + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:text - description: 'Product edition. Defaults to IBM WebSphere Application Server. Other options: IBM WebSphere Application Server Liberty Core, IBM WebSphere Application Server Network Deployment' @@ -1085,6 +1122,14 @@ spec: - list - update - watch + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch - apiGroups: - "" resources: 
diff --git a/bundle/manifests/liberty.websphere.ibm.com_webspherelibertyapplications.yaml b/bundle/manifests/liberty.websphere.ibm.com_webspherelibertyapplications.yaml index 50a22ccb..022faabc 100644 --- a/bundle/manifests/liberty.websphere.ibm.com_webspherelibertyapplications.yaml +++ b/bundle/manifests/liberty.websphere.ibm.com_webspherelibertyapplications.yaml @@ -3901,22 +3901,53 @@ spec: networkPolicy: description: Defines the network policy properties: + bypassDenyAllEgress: + description: Bypasses deny all egress rules to allow API server + and DNS access. Defaults to false. + type: boolean disable: description: Disable the creation of the network policy. Defaults to false. type: boolean + disableEgress: + description: Disable the creation of the network policy egress. + Defaults to false. + type: boolean + disableIngress: + description: Disable the creation of the network policy ingress. + Defaults to false. + type: boolean fromLabels: additionalProperties: type: string description: Specify the labels of pod(s) that incoming traffic is allowed from. type: object - namespaceLabels: + fromNamespaceLabels: additionalProperties: type: string description: Specify the labels of namespaces that incoming traffic is allowed from. type: object + namespaceLabels: + additionalProperties: + type: string + description: Deprecated. .spec.networkPolicy.fromNamespaceLabels + should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels + will override this. + type: object + toLabels: + additionalProperties: + type: string + description: Specify the labels of pod(s) that outgoing traffic + is allowed to. + type: object + toNamespaceLabels: + additionalProperties: + type: string + description: Specify the labels of namespaces that outgoing traffic + is allowed to. + type: object type: object probes: description: Define health checks on application container to determine 
diff --git a/config/crd/bases/liberty.websphere.ibm.com_webspherelibertyapplications.yaml b/config/crd/bases/liberty.websphere.ibm.com_webspherelibertyapplications.yaml index f48ebec6..1a1ea4f4 100644 --- a/config/crd/bases/liberty.websphere.ibm.com_webspherelibertyapplications.yaml +++ b/config/crd/bases/liberty.websphere.ibm.com_webspherelibertyapplications.yaml @@ -3897,22 +3897,53 @@ spec: networkPolicy: description: Defines the network policy properties: + bypassDenyAllEgress: + description: Bypasses deny all egress rules to allow API server + and DNS access. Defaults to false. + type: boolean disable: description: Disable the creation of the network policy. Defaults to false. type: boolean + disableEgress: + description: Disable the creation of the network policy egress. + Defaults to false. + type: boolean + disableIngress: + description: Disable the creation of the network policy ingress. + Defaults to false. + type: boolean fromLabels: additionalProperties: type: string description: Specify the labels of pod(s) that incoming traffic is allowed from. type: object - namespaceLabels: + fromNamespaceLabels: additionalProperties: type: string description: Specify the labels of namespaces that incoming traffic is allowed from. type: object + namespaceLabels: + additionalProperties: + type: string + description: Deprecated. .spec.networkPolicy.fromNamespaceLabels + should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels + will override this. + type: object + toLabels: + additionalProperties: + type: string + description: Specify the labels of pod(s) that outgoing traffic + is allowed to. + type: object + toNamespaceLabels: + additionalProperties: + type: string + description: Specify the labels of namespaces that outgoing traffic + is allowed to. + type: object type: object probes: description: Define health checks on application container to determine 
diff --git a/config/manifests/bases/ibm-websphere-liberty.clusterserviceversion.yaml b/config/manifests/bases/ibm-websphere-liberty.clusterserviceversion.yaml index b9c1b1d5..bdd74ea4 100644 --- a/config/manifests/bases/ibm-websphere-liberty.clusterserviceversion.yaml +++ b/config/manifests/bases/ibm-websphere-liberty.clusterserviceversion.yaml @@ -506,24 +506,24 @@ spec: path: semeruCloudCompiler.enable x-descriptors: - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - - description: Specify the labels of namespaces that incoming traffic is allowed - from. - displayName: Namespace Labels - path: networkPolicy.namespaceLabels + - description: Disable the creation of the network policy ingress. Defaults + to false. + displayName: Disable Ingress + path: networkPolicy.disableIngress x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:text + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - description: Number of desired pods for the Semeru Cloud Compiler. Defaults to 1. displayName: Replicas path: semeruCloudCompiler.replicas x-descriptors: - urn:alm:descriptor:com.tectonic.ui:podCount - - description: Specify the labels of pod(s) that incoming traffic is allowed - from. - displayName: From Labels - path: networkPolicy.fromLabels + - description: Disable the creation of the network policy egress. Defaults to + false. + displayName: Disable Egress + path: networkPolicy.disableEgress x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:text + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - description: Resource requests and limits for the Semeru Cloud Compiler. The CPU defaults to 100m with a limit of 2000m. The memory defaults to 800Mi, with a limit of 1200Mi. 
@@ -531,6 +531,43 @@ spec: path: semeruCloudCompiler.resources x-descriptors: - urn:alm:descriptor:com.tectonic.ui:resourceRequirements + - description: Bypasses deny all egress rules to allow API server and DNS access. + Defaults to false. + displayName: Bypass Deny All Egress + path: networkPolicy.bypassDenyAllEgress + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Deprecated. .spec.networkPolicy.fromNamespaceLabels should be + used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels + will override this. + displayName: Namespace Labels + path: networkPolicy.namespaceLabels + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:text + - description: Specify the labels of namespaces that incoming traffic is allowed + from. + displayName: From Namespace Labels + path: networkPolicy.fromNamespaceLabels + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:text + - description: Specify the labels of pod(s) that incoming traffic is allowed + from. + displayName: From Labels + path: networkPolicy.fromLabels + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:text + - description: Specify the labels of namespaces that outgoing traffic is allowed + to. + displayName: To Namespace Labels + path: networkPolicy.toNamespaceLabels + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:text + - description: Specify the labels of pod(s) that outgoing traffic is allowed + to. + displayName: To Labels + path: networkPolicy.toLabels + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:text - description: 'Product edition. Defaults to IBM WebSphere Application Server. Other options: IBM WebSphere Application Server Liberty Core, IBM WebSphere Application Server Network Deployment' diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 81858a0b..cdcff04b 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml 
@@ -73,6 +73,14 @@ rules: - list - update - watch +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch - apiGroups: - "" resources: diff --git a/internal/deploy/kubectl/websphereliberty-app-crd.yaml b/internal/deploy/kubectl/websphereliberty-app-crd.yaml index 00920fb4..893d6229 100644 --- a/internal/deploy/kubectl/websphereliberty-app-crd.yaml +++ b/internal/deploy/kubectl/websphereliberty-app-crd.yaml @@ -3900,22 +3900,53 @@ spec: networkPolicy: description: Defines the network policy properties: + bypassDenyAllEgress: + description: Bypasses deny all egress rules to allow API server + and DNS access. Defaults to false. + type: boolean disable: description: Disable the creation of the network policy. Defaults to false. type: boolean + disableEgress: + description: Disable the creation of the network policy egress. + Defaults to false. + type: boolean + disableIngress: + description: Disable the creation of the network policy ingress. + Defaults to false. + type: boolean fromLabels: additionalProperties: type: string description: Specify the labels of pod(s) that incoming traffic is allowed from. type: object - namespaceLabels: + fromNamespaceLabels: additionalProperties: type: string description: Specify the labels of namespaces that incoming traffic is allowed from. type: object + namespaceLabels: + additionalProperties: + type: string + description: Deprecated. .spec.networkPolicy.fromNamespaceLabels + should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels + will override this. + type: object + toLabels: + additionalProperties: + type: string + description: Specify the labels of pod(s) that outgoing traffic + is allowed to. + type: object + toNamespaceLabels: + additionalProperties: + type: string + description: Specify the labels of namespaces that outgoing traffic + is allowed to. + type: object type: object probes: description: Define health checks on application container to determine 
diff --git a/internal/deploy/kubectl/websphereliberty-app-operator.yaml b/internal/deploy/kubectl/websphereliberty-app-operator.yaml index 32d3b3d4..5de24a45 100644 --- a/internal/deploy/kubectl/websphereliberty-app-operator.yaml +++ b/internal/deploy/kubectl/websphereliberty-app-operator.yaml @@ -112,6 +112,14 @@ rules: - list - update - watch +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch - apiGroups: - "" resources: diff --git a/internal/deploy/kubectl/websphereliberty-app-rbac-watch-all.yaml b/internal/deploy/kubectl/websphereliberty-app-rbac-watch-all.yaml index c450836c..92c44ddd 100644 --- a/internal/deploy/kubectl/websphereliberty-app-rbac-watch-all.yaml +++ b/internal/deploy/kubectl/websphereliberty-app-rbac-watch-all.yaml @@ -104,6 +104,14 @@ rules: - list - update - watch +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch - apiGroups: - "" resources: diff --git a/internal/deploy/kubectl/websphereliberty-app-rbac-watch-another.yaml b/internal/deploy/kubectl/websphereliberty-app-rbac-watch-another.yaml index c76a7917..ba346027 100644 --- a/internal/deploy/kubectl/websphereliberty-app-rbac-watch-another.yaml +++ b/internal/deploy/kubectl/websphereliberty-app-rbac-watch-another.yaml @@ -106,6 +106,14 @@ rules: - list - update - watch +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch - apiGroups: - "" resources: diff --git a/internal/deploy/kustomize/daily/base/websphere-liberty-crd.yaml b/internal/deploy/kustomize/daily/base/websphere-liberty-crd.yaml index 00920fb4..893d6229 100644 --- a/internal/deploy/kustomize/daily/base/websphere-liberty-crd.yaml +++ b/internal/deploy/kustomize/daily/base/websphere-liberty-crd.yaml 
@@ -3900,22 +3900,53 @@ spec: networkPolicy: description: Defines the network policy properties: + bypassDenyAllEgress: + description: Bypasses deny all egress rules to allow API server + and DNS access. Defaults to false. + type: boolean disable: description: Disable the creation of the network policy. Defaults to false. type: boolean + disableEgress: + description: Disable the creation of the network policy egress. + Defaults to false. + type: boolean + disableIngress: + description: Disable the creation of the network policy ingress. + Defaults to false. + type: boolean fromLabels: additionalProperties: type: string description: Specify the labels of pod(s) that incoming traffic is allowed from. type: object - namespaceLabels: + fromNamespaceLabels: additionalProperties: type: string description: Specify the labels of namespaces that incoming traffic is allowed from. type: object + namespaceLabels: + additionalProperties: + type: string + description: Deprecated. .spec.networkPolicy.fromNamespaceLabels + should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels + will override this. + type: object + toLabels: + additionalProperties: + type: string + description: Specify the labels of pod(s) that outgoing traffic + is allowed to. + type: object + toNamespaceLabels: + additionalProperties: + type: string + description: Specify the labels of namespaces that outgoing traffic + is allowed to. + type: object type: object probes: description: Define health checks on application container to determine diff --git a/internal/deploy/kustomize/daily/base/websphere-liberty-roles.yaml b/internal/deploy/kustomize/daily/base/websphere-liberty-roles.yaml index e2569f79..b99afaec 100644 --- a/internal/deploy/kustomize/daily/base/websphere-liberty-roles.yaml +++ b/internal/deploy/kustomize/daily/base/websphere-liberty-roles.yaml 
@@ -115,6 +115,14 @@ rules: - list - update - watch +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch - apiGroups: - "" resources: diff --git a/internal/deploy/kustomize/daily/overlays/watch-all-namespaces/cluster-roles.yaml b/internal/deploy/kustomize/daily/overlays/watch-all-namespaces/cluster-roles.yaml index 980cd5a4..0e7bdd83 100644 --- a/internal/deploy/kustomize/daily/overlays/watch-all-namespaces/cluster-roles.yaml +++ b/internal/deploy/kustomize/daily/overlays/watch-all-namespaces/cluster-roles.yaml @@ -104,6 +104,14 @@ rules: - list - update - watch +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch - apiGroups: - "" resources: diff --git a/internal/deploy/kustomize/daily/overlays/watch-another-namespace/wlo-watched-ns/watched-roles.yaml b/internal/deploy/kustomize/daily/overlays/watch-another-namespace/wlo-watched-ns/watched-roles.yaml index 9a76fe25..928ddc01 100644 --- a/internal/deploy/kustomize/daily/overlays/watch-another-namespace/wlo-watched-ns/watched-roles.yaml +++ b/internal/deploy/kustomize/daily/overlays/watch-another-namespace/wlo-watched-ns/watched-roles.yaml @@ -106,6 +106,14 @@ rules: - list - update - watch +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch - apiGroups: - "" resources: From 72d3d874940659d0c22cc8eb9472c3ba45f22ce7 Mon Sep 17 00:00:00 2001 From: kabicin <37311900+kabicin@users.noreply.github.com> Date: Wed, 11 Jun 2025 14:28:36 -0400 Subject: [PATCH 3/4] Add comments --- api/v1/webspherelibertyapplication_types.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/api/v1/webspherelibertyapplication_types.go b/api/v1/webspherelibertyapplication_types.go index 0ba6d76c..c3f9c824 100644 --- a/api/v1/webspherelibertyapplication_types.go +++ b/api/v1/webspherelibertyapplication_types.go 
@@ -1256,7 +1256,7 @@ func (np *WebSphereLibertyApplicationNetworkPolicy) GetFromNamespaceLabels() map
 if np.FromNamespaceLabels != nil {
 return *np.FromNamespaceLabels
 }
-// fallback to deprecated flag np.NamespaceLabels for when we only supported one type of network policy (ingress)
+// fallback to deprecated flag np.NamespaceLabels if configured
 if np.NamespaceLabels != nil {
 return *np.NamespaceLabels
 }
@@ -1286,6 +1286,7 @@ func (np *WebSphereLibertyApplicationNetworkPolicy) IsEgressDisabled() bool {
 return np.DisableEgress != nil && *np.DisableEgress
 }

+// IsBypassingDenyAllEgress returns whether the application Pods should ignore a deny-all Egress
 func (np *WebSphereLibertyApplicationNetworkPolicy) IsBypassingDenyAllEgress() bool {
 return np.BypassDenyAllEgress != nil && *np.BypassDenyAllEgress
 }
From 8209faf49e10a57636ecf26d05a65447bcf1149a Mon Sep 17 00:00:00 2001
From: kabicin <37311900+kabicin@users.noreply.github.com>
Date: Wed, 2 Jul 2025 16:14:27 -0400
Subject: [PATCH 4/4] Pull RCO@isolate-np and OLO@isolate-np

---
 go.mod | 4 ++--
 go.sum | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/go.mod b/go.mod
index d7a5af43..c124d6f7 100644
--- a/go.mod
+++ b/go.mod
@@ -3,8 +3,8 @@ module github.com/WASdev/websphere-liberty-operator
 go 1.24

 require (
-github.com/OpenLiberty/open-liberty-operator v0.8.1-0.20250626162458-04f829ff569b
-github.com/application-stacks/runtime-component-operator v1.0.0-20220602-0850.0.20250624180127-8ac4006cbab3
+github.com/OpenLiberty/open-liberty-operator v0.8.1-0.20250702201033-de510721b265
+github.com/application-stacks/runtime-component-operator v1.0.0-20220602-0850.0.20250702140255-55f17220c16f
 github.com/cert-manager/cert-manager v1.15.5
 github.com/go-logr/logr v1.4.2
 github.com/openshift/api v0.0.0-20230928134114-673ed0cfc7f1
diff --git a/go.sum b/go.sum
index ad448683..0d30137a 100644
--- a/go.sum
+++ b/go.sum
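Review bot: The rewritten fallback comment in GetFromNamespaceLabels drops the precedence rule that the CRD description in this same series spells out (an explicitly set `fromNamespaceLabels` wins over the deprecated `namespaceLabels`), and neither comment says what an explicitly empty map means. If the returned map ends up as a NetworkPolicy `namespaceSelector`, an empty selector matches every namespace, which is the opposite of the tighter policy a user migrating from `namespaceLabels` may expect; that use is outside this hunk, so confirm before relying on it. Suggest replacing the new comment with `// FromNamespaceLabels, when set, takes precedence over the deprecated NamespaceLabels; an explicitly empty map is returned as-is (note an empty namespaceSelector matches all namespaces).` The method's signature and its final return are outside the hunk.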
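Review bot: The new doc comment on `IsBypassingDenyAllEgress` is vaguer than the CRD description of the field it reads (`Bypasses deny all egress rules to allow API server and DNS access. Defaults to false.`) and does not say that an unset pointer reads as false, which is the restrictive default worth stating for a flag that relaxes a deny-all rule; Go style also uses "reports whether" for predicates. Suggest `// IsBypassingDenyAllEgress reports whether spec.networkPolicy.bypassDenyAllEgress is true, i.e. the deny-all egress rule is relaxed so the application Pods can reach the API server and DNS. Unset means false.` The same wording would keep the Go API doc and the CRD description in step.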
@@ -4,8 +4,12 @@ contrib.go.opencensus.io/exporter/prometheus v0.4.2 h1:sqfsYl5GIY/L570iT+l93ehxa
 contrib.go.opencensus.io/exporter/prometheus v0.4.2/go.mod h1:dvEHbiKmgvbr5pjaF9fpw1KeYcjrnC1J8B+JKjsZyRQ=
 github.com/OpenLiberty/open-liberty-operator v0.8.1-0.20250626162458-04f829ff569b h1:kCG4mlFxniS/ER5KdFs5UzIOW7YtXPYfIPHvOqsjwhc=
 github.com/OpenLiberty/open-liberty-operator v0.8.1-0.20250626162458-04f829ff569b/go.mod h1:zw8uHEkx2mccGxDppDiAB/KLIkdc+VrlQvof7BVNO/0=
+github.com/OpenLiberty/open-liberty-operator v0.8.1-0.20250702201033-de510721b265 h1:EoELV7CJrAFFvxtrKjPEejLABNsKWE/3BNGV76D0rI8=
+github.com/OpenLiberty/open-liberty-operator v0.8.1-0.20250702201033-de510721b265/go.mod h1:Ch4gn9uAB1C9nYE2VdqiAOMzt/l4vSjZn+qUeUTSdLU=
 github.com/application-stacks/runtime-component-operator v1.0.0-20220602-0850.0.20250624180127-8ac4006cbab3 h1:rcx6XOy5geMntHne4mi/S+KQUEsN8liuEg7N80108+w=
 github.com/application-stacks/runtime-component-operator v1.0.0-20220602-0850.0.20250624180127-8ac4006cbab3/go.mod h1:IWb2bp8hVEbKNUDRkfa5Pty3bSdOalGRDds/VMckYCA=
+github.com/application-stacks/runtime-component-operator v1.0.0-20220602-0850.0.20250702140255-55f17220c16f h1:RJnnP4RVCgCDL5TXwmnwZNVzEGmzx5LMoInh0cT+4YM=
+github.com/application-stacks/runtime-component-operator v1.0.0-20220602-0850.0.20250702140255-55f17220c16f/go.mod h1:IWb2bp8hVEbKNUDRkfa5Pty3bSdOalGRDds/VMckYCA=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
