adds network policy for operator

Author: PillaiManish

bindata/cert-manager-deployment/network-policy/operator-allow-egress-to-api-server.yaml

@@ -0,0 +1,14 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: operator-allow-egress-to-api-server
+spec:
+  podSelector:
+    matchLabels:
+      name: cert-manager-operator
+  policyTypes:
+    - Egress
+  egress:
+    - ports:
+        - protocol: TCP
+          port: 6443

bindata/cert-manager-deployment/network-policy/operator-allow-ingress-to-metrics.yaml

@@ -0,0 +1,14 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: operator-allow-ingress-to-metrics
+spec:
+  podSelector:
+    matchLabels:
+      name: cert-manager-operator
+  policyTypes:
+    - Ingress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 8443

bindata/cert-manager-deployment/network-policy/operator-deny-all-pod-selector.yaml

@@ -0,0 +1,11 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: operator-deny-all-traffic
+spec:
+  podSelector:
+    matchLabels:
+      name: cert-manager-operator
+  policyTypes:
+    - Ingress
+    - Egress

pkg/controller/deployment/cert_manager_controller_set.go

@@ -21,6 +21,7 @@ type CertManagerControllerSet struct {
 	certManagerWebhookDeploymentController         factory.Controller
 	certManagerCAInjectorStaticResourcesController factory.Controller
 	certManagerCAInjectorDeploymentController      factory.Controller
+	certManagerOperatorStaticResourcesController   factory.Controller
 }
 
 func NewCertManagerControllerSet(
@@ -44,6 +45,7 @@ func NewCertManagerControllerSet(
 		certManagerWebhookDeploymentController:         NewCertManagerWebhookDeploymentController(operatorClient, certManagerOperatorInformers, infraInformers, kubeClient, kubeInformersForTargetNamespace, eventRecorder, targetVersion, versionRecorder, trustedCAConfigmapName, cloudCredentialsSecretName),
 		certManagerCAInjectorStaticResourcesController: NewCertManagerCAInjectorStaticResourcesController(operatorClient, kubeClientContainer, kubeInformersForNamespaces, eventRecorder),
 		certManagerCAInjectorDeploymentController:      NewCertManagerCAInjectorDeploymentController(operatorClient, certManagerOperatorInformers, infraInformers, kubeClient, kubeInformersForTargetNamespace, eventRecorder, targetVersion, versionRecorder, trustedCAConfigmapName, cloudCredentialsSecretName),
+		certManagerOperatorStaticResourcesController:   NewCertManagerOperatorStaticResourcesController(operatorClient, kubeClientContainer, kubeInformersForNamespaces, eventRecorder),
 	}
 }
 
@@ -55,5 +57,6 @@ func (c *CertManagerControllerSet) ToArray() []factory.Controller {
 		c.certManagerWebhookDeploymentController,
 		c.certManagerCAInjectorStaticResourcesController,
 		c.certManagerCAInjectorDeploymentController,
+		c.certManagerOperatorStaticResourcesController,
 	}
 }

pkg/controller/deployment/cert_manager_operator_static_resource.go

@@ -0,0 +1,55 @@
+package deployment
+
+import (
+	"github.com/openshift/cert-manager-operator/pkg/operator/operatorclient"
+	"github.com/openshift/library-go/pkg/controller/factory"
+	"github.com/openshift/library-go/pkg/operator/events"
+	"github.com/openshift/library-go/pkg/operator/resource/resourceapply"
+	"github.com/openshift/library-go/pkg/operator/staticresourcecontroller"
+	"github.com/openshift/library-go/pkg/operator/v1helpers"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/yaml"
+
+	"github.com/openshift/cert-manager-operator/pkg/operator/assets"
+)
+
+const (
+	certManagerOperatorStaticResourcesControllerName = operatorName + "-operator-static-resources-"
+)
+
+var (
+	certManagerOperatorAssetFiles = []string{
+		"cert-manager-deployment/network-policy/operator-allow-egress-to-api-server.yaml",
+		"cert-manager-deployment/network-policy/operator-allow-ingress-to-metrics.yaml",
+		"cert-manager-deployment/network-policy/operator-deny-all-pod-selector.yaml",
+	}
+)
+
+func NewCertManagerOperatorStaticResourcesController(operatorClient v1helpers.OperatorClient,
+	kubeClientContainer *resourceapply.ClientHolder,
+	kubeInformersForNamespaces v1helpers.KubeInformersForNamespaces,
+	eventsRecorder events.Recorder,
+) factory.Controller {
+	return staticresourcecontroller.NewStaticResourceController(
+		certManagerOperatorStaticResourcesControllerName,
+		injectNamespace(operatorclient.OperatorNamespace),
+		certManagerOperatorAssetFiles,
+		kubeClientContainer,
+		operatorClient,
+		eventsRecorder,
+	).AddKubeInformers(kubeInformersForNamespaces)
+}
+
+func injectNamespace(namespace string) resourceapply.AssetFunc {
+	return func(name string) ([]byte, error) {
+		content := assets.MustAsset(name)
+		var obj unstructured.Unstructured
+		err := yaml.Unmarshal(content, &obj)
+		if err != nil {
+			return nil, err
+		}
+		obj.SetNamespace(namespace)
+		return yaml.Marshal(&obj)
+	}
+}

pkg/operator/assets/bindata.go

@@ -1,6 +1,9 @@
 package operatorclient
 
 const (
-	TargetNamespace   = "cert-manager"
+	TargetNamespace = "cert-manager"
+)
+
+var (
 	OperatorNamespace = "cert-manager-operator"
 )

pkg/operator/operatorclient/interfaces.go

@@ -71,10 +71,13 @@ func RunOperator(ctx context.Context, cc *controllercmd.ControllerContext) error
 	versionRecorder := status.NewVersionGetter()
 	versionRecorder.SetVersion("operator", status.VersionForOperatorFromEnv())
 
+	operatorclient.OperatorNamespace = cc.OperatorNamespace
+
 	kubeInformersForNamespaces := v1helpers.NewKubeInformersForNamespaces(kubeClient,
 		"",
 		"kube-system",
 		operatorclient.TargetNamespace,
+		operatorclient.OperatorNamespace,
 	)
 
 	configClient, err := configv1client.NewForConfig(cc.KubeConfig)