@@ -3,6 +3,7 @@ package v1alpha1
33import (
44 apiv1 "github.com/openshift/api/operator/v1"
55 corev1 "k8s.io/api/core/v1"
6+ networkingv1 "k8s.io/api/networking/v1"
67 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
78)
89
@@ -59,6 +60,50 @@ type CertManagerSpec struct {
5960 // +kubebuilder:validation:Optional
6061 // +optional
6162 CAInjectorConfig * DeploymentConfig `json:"cainjectorConfig,omitempty"`
63+
64+ // DefaultNetworkPolicy enables the default network policy for cert-manager components.
65+ // When set to "true", the operator will create default network policies to secure
66+ // communication between cert-manager controller, webhook, and cainjector components.
67+ // When set to "false" or empty, no default network policies are created.
68+ // Valid values are: "true", "false", or empty (default: false).
69+ //
70+ // This field is immutable once set to "true" for security reasons. Network policies
71+ // cannot be disabled once enabled to prevent accidental security degradation.
72+ // Users should carefully plan their network policy requirements before enabling this field.
73+ //
74+ // +kubebuilder:validation:Optional
75+ // +kubebuilder:validation:Enum:="true";"false";""
76+ // +kubebuilder:validation:XValidation:rule="oldSelf != 'true' || self == 'true'",message="defaultNetworkPolicy cannot be changed from 'true' to 'false' once set"
77+ // +optional
78+ DefaultNetworkPolicy string `json:"defaultNetworkPolicy,omitempty"`
79+
80+ // NetworkPolicies specifies the egress network policy configuration to be applied to cert-manager
81+ // pods/operands when DefaultNetworkPolicy is "true". By default, enabling network policies
82+ // creates a deny-all policy that blocks all outgoing traffic from cert-manager components.
83+ // Ingress rules are automatically handled by the operator based on the current running ports.
84+ // Use this field to provide the necessary egress policy rules that allow required outbound traffic
85+ // for cert-manager to function properly (e.g., API server communication, external issuer access, etc.).
86+ //
87+ // Each NetworkPolicy in this slice will be created as a separate Kubernetes NetworkPolicy
88+ // resource. Multiple policies can be defined to organize egress rules logically (e.g., separate
89+ // policies for different types of outbound traffic or different security zones).
90+ //
91+ // This field is only effective when DefaultNetworkPolicy is set to "true".
92+ // If DefaultNetworkPolicy is "true" but this field is not provided, cert-manager
93+ // components will be isolated with deny-all egress policies.
94+ //
95+ // This field is immutable once DefaultNetworkPolicy is set to "true" for security reasons.
96+ //
97+ // +kubebuilder:validation:Optional
98+ // +kubebuilder:validation:XValidation:rule="oldSelf.all(op, self.exists(p, p.name == op.name && p.componentName == op.componentName))",message="name and componentName fields in networkPolicies are immutable"
99+ // +kubebuilder:validation:MinItems:=0
100+ // +kubebuilder:validation:MaxItems:=50
101+ // +kubebuilder:validation:Optional
102+ // +listType=map
103+ // +listMapKey=name
104+ // +listMapKey=componentName
105+ // +optional
106+ NetworkPolicies []NetworkPolicy `json:"networkPolicies,omitempty"`
62107}
63108
64109// DeploymentConfig defines the schema for
@@ -181,6 +226,49 @@ type CertManagerList struct {
181226 Items []CertManager `json:"items"`
182227}
183228
229+ // ComponentName represents the different cert-manager components that can have network policies applied.
230+ type ComponentName string
231+
232+ const (
233+ // CAInjector represents the cert-manager CA injector component
234+ CAInjector ComponentName = "CAInjector"
235+
236+ // CoreController represents the cert-manager core controller component
237+ CoreController ComponentName = "CoreController"
238+
239+ // Webhook represents the cert-manager webhook component
240+ Webhook ComponentName = "Webhook"
241+ )
242+
243+ // NetworkPolicy represents a custom network policy configuration for operator-managed components.
244+ // It includes a name for identification and the network policy rules to be enforced.
245+ type NetworkPolicy struct {
246+ // Name is a unique identifier for this network policy configuration.
247+ // This name will be used as part of the generated NetworkPolicy resource name.
248+ // +kubebuilder:validation:MinLength:=1
249+ // +kubebuilder:validation:MaxLength:=253
250+ // +kubebuilder:validation:Required
251+ // +required
252+ Name string `json:"name"`
253+
254+ // ComponentName represents the different cert-manager components that can have network policies applied.
255+ // +kubebuilder:validation:Enum=CAInjector;CoreController;Webhook
256+ // +kubebuilder:validation:Required
257+ // +required
258+ ComponentName ComponentName `json:"componentName"`
259+
260+ // egress is a list of egress rules to be applied to the selected pods. Outgoing traffic
261+ // is allowed if there are no NetworkPolicies selecting the pod (and cluster policy
262+ // otherwise allows the traffic), OR if the traffic matches at least one egress rule
263+ // across all of the NetworkPolicy objects whose podSelector matches the pod. If
264+ // this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
265+ // solely to ensure that the pods it selects are isolated by default).
266+ // The operator will automatically handle ingress rules based on the current running ports.
267+ // +optional
268+ // +listType=atomic
269+ Egress []networkingv1.NetworkPolicyEgressRule `json:"egress,omitempty" protobuf:"bytes,3,rep,name=egress"`
270+ }
271+
184272func init () {
185273 SchemeBuilder .Register (& CertManager {}, & CertManagerList {})
186274}
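Review bot: The transition rule on `defaultNetworkPolicy` (L26) does not hold when a client omits the field altogether: field-level `oldSelf` rules are, as far as I recall, only evaluated when the field is present in both the old and the new object, so dropping `defaultNetworkPolicy` from the spec after it was `"true"` passes validation and disables exactly what the doc comment on L20–L21 promises cannot be disabled. Moving the check to the parent type closes that gap, e.g. on `type CertManagerSpec struct` (declared outside this hunk): `// +kubebuilder:validation:XValidation:rule="!(has(oldSelf.defaultNetworkPolicy) && oldSelf.defaultNetworkPolicy == 'true') || (has(self.defaultNetworkPolicy) && self.defaultNetworkPolicy == 'true')",message="defaultNetworkPolicy cannot be disabled once enabled"` (or the `optionalOldSelf` marker, if the targeted controller-gen and apiserver versions support it). The `networkPolicies` rule on L48 has the same omitted-field hole, and it only forbids dropping a (name, componentName) entry — the egress rules inside an existing entry, which are the security-sensitive part, can still be widened freely, and the rule runs regardless of `defaultNetworkPolicy`. The doc comment on L45 should therefore state what is actually enforced, e.g. `// Entries cannot be removed once present (keyed by name and componentName); their egress rules remain editable.` Minor: `+kubebuilder:validation:Optional` appears twice (L47, L51), and the `protobuf:"bytes,3,rep,name=egress"` tag on L104 looks copied from the upstream NetworkPolicySpec — this CRD type has no protobuf fields 1 or 2, so the tag is misleading and can be dropped.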