WASdev · kabicin · Jun 11, 2025 · Jun 11, 2025 · Jun 11, 2025 · Jul 2, 2025
diff --git a/api/v1/webspherelibertyapplication_types.go b/api/v1/webspherelibertyapplication_types.go
@@ -414,13 +414,37 @@ type WebSphereLibertyApplicationNetworkPolicy struct {
 	// +operator-sdk:csv:customresourcedefinitions:order=52,type=spec,displayName="Disable",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
 	Disable *bool `json:"disable,omitempty"`
 
-	// Specify the labels of namespaces that incoming traffic is allowed from.
-	// +operator-sdk:csv:customresourcedefinitions:order=53,type=spec,displayName="Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+	// Disable the creation of the network policy ingress. Defaults to false.
+	// +operator-sdk:csv:customresourcedefinitions:order=53,type=spec,displayName="Disable Ingress",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+	DisableIngress *bool `json:"disableIngress,omitempty"`
+
+	// Disable the creation of the network policy egress. Defaults to false.
+	// +operator-sdk:csv:customresourcedefinitions:order=54,type=spec,displayName="Disable Egress",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+	DisableEgress *bool `json:"disableEgress,omitempty"`
+
+	// Bypasses deny all egress rules to allow API server and DNS access. Defaults to false.
+	// +operator-sdk:csv:customresourcedefinitions:order=55,type=spec,displayName="Bypass Deny All Egress",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+	BypassDenyAllEgress *bool `json:"bypassDenyAllEgress,omitempty"`
+
+	// Deprecated. .spec.networkPolicy.fromNamespaceLabels should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels will override this.
+	// +operator-sdk:csv:customresourcedefinitions:order=56,type=spec,displayName="Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
 	NamespaceLabels *map[string]string `json:"namespaceLabels,omitempty"`
 
+	// Specify the labels of namespaces that incoming traffic is allowed from.
+	// +operator-sdk:csv:customresourcedefinitions:order=57,type=spec,displayName="From Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+	FromNamespaceLabels *map[string]string `json:"fromNamespaceLabels,omitempty"`
+
 	// Specify the labels of pod(s) that incoming traffic is allowed from.
-	// +operator-sdk:csv:customresourcedefinitions:order=54,type=spec,displayName="From Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+	// +operator-sdk:csv:customresourcedefinitions:order=58,type=spec,displayName="From Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
 	FromLabels *map[string]string `json:"fromLabels,omitempty"`
+
+	// Specify the labels of namespaces that outgoing traffic is allowed to.
+	// +operator-sdk:csv:customresourcedefinitions:order=59,type=spec,displayName="To Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+	ToNamespaceLabels *map[string]string `json:"toNamespaceLabels,omitempty"`
+
+	// Specify the labels of pod(s) that outgoing traffic is allowed to.
+	// +operator-sdk:csv:customresourcedefinitions:order=60,type=spec,displayName="To Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+	ToLabels *map[string]string `json:"toLabels,omitempty"`
 }
 
 // Defines the desired state and cycle of applications.
@@ -1211,8 +1235,28 @@ func (ssa *WebSphereLibertyApplicationServiceSessionAffinity) GetConfig() *corev
 	return ssa.Config
 }
 
-// GetNamespaceLabels returns the namespace selector labels that should be used for the ingress rule
-func (np *WebSphereLibertyApplicationNetworkPolicy) GetNamespaceLabels() map[string]string {
+// GetToNamespaceLabels returns the namespace selector labels that should be used for the egress rule
+func (np *WebSphereLibertyApplicationNetworkPolicy) GetToNamespaceLabels() map[string]string {
+	if np.ToNamespaceLabels != nil {
+		return *np.ToNamespaceLabels
+	}
+	return nil
+}
+
+// GetToLabels returns the pod selector labels that should be used for the egress rule
+func (np *WebSphereLibertyApplicationNetworkPolicy) GetToLabels() map[string]string {
+	if np.ToLabels != nil {
+		return *np.ToLabels
+	}
+	return nil
+}
+
+// GetFromNamespaceLabels returns the namespace selector labels that should be used for the ingress rule
+func (np *WebSphereLibertyApplicationNetworkPolicy) GetFromNamespaceLabels() map[string]string {
+	if np.FromNamespaceLabels != nil {
+		return *np.FromNamespaceLabels
+	}
+	// fallback to deprecated flag np.NamespaceLabels if configured
 	if np.NamespaceLabels != nil {
 		return *np.NamespaceLabels
 	}
@@ -1232,6 +1276,21 @@ func (np *WebSphereLibertyApplicationNetworkPolicy) IsDisabled() bool {
 	return np.Disable != nil && *np.Disable
 }
 
+// IsIngressDisabled returns whether the network policy ingress should be created or not
+func (np *WebSphereLibertyApplicationNetworkPolicy) IsIngressDisabled() bool {
+	return np.DisableIngress != nil && *np.DisableIngress
+}
+
+// IsEgressDisabled returns whether the network policy egress should be created or not
+func (np *WebSphereLibertyApplicationNetworkPolicy) IsEgressDisabled() bool {
+	return np.DisableEgress != nil && *np.DisableEgress
+}
+
+// IsBypassingDenyAllEgress returns whether the application Pods should ignore a deny-all Egress
+func (np *WebSphereLibertyApplicationNetworkPolicy) IsBypassingDenyAllEgress() bool {
+	return np.BypassDenyAllEgress != nil && *np.BypassDenyAllEgress
+}
+
 // GetLabels returns labels to be added on ServiceMonitor
 func (m *WebSphereLibertyApplicationMonitoring) GetLabels() map[string]string {
 	return m.Labels

diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/ibm-websphere-liberty.clusterserviceversion.yaml b/bundle/manifests/ibm-websphere-liberty.clusterserviceversion.yaml
@@ -564,31 +564,68 @@ spec:
         path: semeruCloudCompiler.enable
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
-      - description: Specify the labels of namespaces that incoming traffic is allowed
-          from.
-        displayName: Namespace Labels
-        path: networkPolicy.namespaceLabels
+      - description: Disable the creation of the network policy ingress. Defaults
+          to false.
+        displayName: Disable Ingress
+        path: networkPolicy.disableIngress
         x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:text
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
       - description: Number of desired pods for the Semeru Cloud Compiler. Defaults
           to 1.
         displayName: Replicas
         path: semeruCloudCompiler.replicas
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:podCount
-      - description: Specify the labels of pod(s) that incoming traffic is allowed
-          from.
-        displayName: From Labels
-        path: networkPolicy.fromLabels
+      - description: Disable the creation of the network policy egress. Defaults to
+          false.
+        displayName: Disable Egress
+        path: networkPolicy.disableEgress
         x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:text
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
       - description: Resource requests and limits for the Semeru Cloud Compiler. The
           CPU defaults to 100m with a limit of 2000m. The memory defaults to 800Mi,
           with a limit of 1200Mi.
         displayName: Resource Requirements
         path: semeruCloudCompiler.resources
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
+      - description: Bypasses deny all egress rules to allow API server and DNS access.
+          Defaults to false.
+        displayName: Bypass Deny All Egress
+        path: networkPolicy.bypassDenyAllEgress
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+      - description: Deprecated. .spec.networkPolicy.fromNamespaceLabels should be
+          used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels
+          will override this.
+        displayName: Namespace Labels
+        path: networkPolicy.namespaceLabels
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: Specify the labels of namespaces that incoming traffic is allowed
+          from.
+        displayName: From Namespace Labels
+        path: networkPolicy.fromNamespaceLabels
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: Specify the labels of pod(s) that incoming traffic is allowed
+          from.
+        displayName: From Labels
+        path: networkPolicy.fromLabels
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: Specify the labels of namespaces that outgoing traffic is allowed
+          to.
+        displayName: To Namespace Labels
+        path: networkPolicy.toNamespaceLabels
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: Specify the labels of pod(s) that outgoing traffic is allowed
+          to.
+        displayName: To Labels
+        path: networkPolicy.toLabels
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
       - description: 'Product edition. Defaults to IBM WebSphere Application Server.
           Other options: IBM WebSphere Application Server Liberty Core, IBM WebSphere
           Application Server Network Deployment'
@@ -1085,6 +1122,14 @@ spec:
           - list
           - update
           - watch
+        - apiGroups:
+          - ""
+          resources:
+          - endpoints
+          verbs:
+          - get
+          - list
+          - watch
         - apiGroups:
           - ""
           resources:

diff --git a/bundle/manifests/liberty.websphere.ibm.com_webspherelibertyapplications.yaml b/bundle/manifests/liberty.websphere.ibm.com_webspherelibertyapplications.yaml
@@ -3901,22 +3901,53 @@ spec:
               networkPolicy:
                 description: Defines the network policy
                 properties:
+                  bypassDenyAllEgress:
+                    description: Bypasses deny all egress rules to allow API server
+                      and DNS access. Defaults to false.
+                    type: boolean
                   disable:
                     description: Disable the creation of the network policy. Defaults
                       to false.
                     type: boolean
+                  disableEgress:
+                    description: Disable the creation of the network policy egress.
+                      Defaults to false.
+                    type: boolean
+                  disableIngress:
+                    description: Disable the creation of the network policy ingress.
+                      Defaults to false.
+                    type: boolean
                   fromLabels:
                     additionalProperties:
                       type: string
                     description: Specify the labels of pod(s) that incoming traffic
                       is allowed from.
                     type: object
-                  namespaceLabels:
+                  fromNamespaceLabels:
                     additionalProperties:
                       type: string
                     description: Specify the labels of namespaces that incoming traffic
                       is allowed from.
                     type: object
+                  namespaceLabels:
+                    additionalProperties:
+                      type: string
+                    description: Deprecated. .spec.networkPolicy.fromNamespaceLabels
+                      should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels
+                      will override this.
+                    type: object
+                  toLabels:
+                    additionalProperties:
+                      type: string
+                    description: Specify the labels of pod(s) that outgoing traffic
+                      is allowed to.
+                    type: object
+                  toNamespaceLabels:
+                    additionalProperties:
+                      type: string
+                    description: Specify the labels of namespaces that outgoing traffic
+                      is allowed to.
+                    type: object
                 type: object
               probes:
                 description: Define health checks on application container to determine

diff --git a/config/crd/bases/liberty.websphere.ibm.com_webspherelibertyapplications.yaml b/config/crd/bases/liberty.websphere.ibm.com_webspherelibertyapplications.yaml
@@ -3897,22 +3897,53 @@ spec:
               networkPolicy:
                 description: Defines the network policy
                 properties:
+                  bypassDenyAllEgress:
+                    description: Bypasses deny all egress rules to allow API server
+                      and DNS access. Defaults to false.
+                    type: boolean
                   disable:
                     description: Disable the creation of the network policy. Defaults
                       to false.
                     type: boolean
+                  disableEgress:
+                    description: Disable the creation of the network policy egress.
+                      Defaults to false.
+                    type: boolean
+                  disableIngress:
+                    description: Disable the creation of the network policy ingress.
+                      Defaults to false.
+                    type: boolean
                   fromLabels:
                     additionalProperties:
                       type: string
                     description: Specify the labels of pod(s) that incoming traffic
                       is allowed from.
                     type: object
-                  namespaceLabels:
+                  fromNamespaceLabels:
                     additionalProperties:
                       type: string
                     description: Specify the labels of namespaces that incoming traffic
                       is allowed from.
                     type: object
+                  namespaceLabels:
+                    additionalProperties:
+                      type: string
+                    description: Deprecated. .spec.networkPolicy.fromNamespaceLabels
+                      should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels
+                      will override this.
+                    type: object
+                  toLabels:
+                    additionalProperties:
+                      type: string
+                    description: Specify the labels of pod(s) that outgoing traffic
+                      is allowed to.
+                    type: object
+                  toNamespaceLabels:
+                    additionalProperties:
+                      type: string
+                    description: Specify the labels of namespaces that outgoing traffic
+                      is allowed to.
+                    type: object
                 type: object
               probes:
                 description: Define health checks on application container to determine