let CVO manage the CMO networkpolicy

juzhao · juzhao · commit 710acfa2be4c · 2025-11-17T11:05:59.000+08:00
diff --git a/assets/cluster-monitoring-operator/network-policy-default-deny.yaml b/assets/cluster-monitoring-operator/network-policy-default-deny.yaml
diff --git a/jsonnet/components/cluster-monitoring-operator.libsonnet b/jsonnet/components/cluster-monitoring-operator.libsonnet
@@ -571,56 +571,4 @@ function(params) {
       verbs: ['*'],
     }],
   },
-
-  // 2 networkpolicies, the first is default deny all pods traffic, the second is allow access to CMO port 8443
-  networkPolicyDefaultDeny: {
-    apiVersion: 'networking.k8s.io/v1',
-    kind: 'NetworkPolicy',
-    metadata: {
-      name: 'default-deny',
-      namespace: cfg.namespace,
-    },
-    spec: {
-      podSelector: {
-      },
-      policyTypes: [
-        'Ingress',
-        'Egress',
-      ],
-    },
-  },
-  networkPolicyDownstream: {
-    apiVersion: 'networking.k8s.io/v1',
-    kind: 'NetworkPolicy',
-    metadata: {
-      name: 'cluster-monitoring-operator',
-      namespace: cfg.namespace,
-    },
-    spec: {
-      podSelector: {
-        matchLabels: {
-          'app.kubernetes.io/name': 'cluster-monitoring-operator',
-        },
-      },
-      policyTypes: [
-        'Ingress',
-        'Egress',
-      ],
-      ingress: [
-        {
-          ports: [
-            {
-              // allow prometheus to scrape cluster-monitoring-operator endpoint,
-              // 8443(port name: https) port
-              port: 'https',
-              protocol: 'TCP',
-            },
-          ],
-        },
-      ],
-      egress: [
-        {},
-      ],
-    },
-  },
 }
diff --git a/manifests/0000_50_cluster-monitoring-operator_04-networkpolicy.yaml b/manifests/0000_50_cluster-monitoring-operator_04-networkpolicy.yaml
@@ -19,3 +19,17 @@ spec:
   policyTypes:
   - Ingress
   - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: default-deny
+  namespace: openshift-monitoring
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
diff --git a/pkg/manifests/manifests.go b/pkg/manifests/manifests.go
@@ -253,8 +253,6 @@ var (
 	ClusterMonitoringMetricsServerClientCertsSecret        = "cluster-monitoring-operator/metrics-server-client-certs.yaml"
 	ClusterMonitoringFederateClientCertsSecret             = "cluster-monitoring-operator/federate-client-certs.yaml"
 	ClusterMonitoringMetricsClientCACM                     = "cluster-monitoring-operator/metrics-client-ca.yaml"
-	ClusterMonitoringDenyAllTraffic                        = "cluster-monitoring-operator/network-policy-default-deny.yaml"
-	ClusterMonitoringNetworkPolicy                         = "cluster-monitoring-operator/network-policy-downstream.yaml"
 
 	TelemeterClientClusterRole            = "telemeter-client/cluster-role.yaml"
 	TelemeterClientClusterRoleBinding     = "telemeter-client/cluster-role-binding.yaml"
@@ -2520,14 +2518,6 @@ func (f *Factory) ClusterMonitoringOperatorPrometheusRule() (*monv1.PrometheusRu
 	return f.NewPrometheusRule(f.assets.MustNewAssetSlice(ClusterMonitoringOperatorPrometheusRule))
 }
 
-func (f *Factory) ClusterMonitoringDenyAllTraffic() (*networkingv1.NetworkPolicy, error) {
-	return f.NewNetworkPolicy(f.assets.MustNewAssetSlice(ClusterMonitoringDenyAllTraffic))
-}
-
-func (f *Factory) ClusterMonitoringNetworkPolicy() (*networkingv1.NetworkPolicy, error) {
-	return f.NewNetworkPolicy(f.assets.MustNewAssetSlice(ClusterMonitoringNetworkPolicy))
-}
-
 func (f *Factory) ControlPlanePrometheusRule() (*monv1.PrometheusRule, error) {
 	r, err := f.NewPrometheusRule(f.assets.MustNewAssetSlice(ControlPlanePrometheusRule))
 	if err != nil {
diff --git a/pkg/tasks/clustermonitoringoperator.go b/pkg/tasks/clustermonitoringoperator.go
@@ -45,23 +45,6 @@ func NewClusterMonitoringOperatorTask(
 }
 
 func (t *ClusterMonitoringOperatorTask) Run(ctx context.Context) error {
-	netpol, err := t.factory.ClusterMonitoringNetworkPolicy()
-	if err != nil {
-		return fmt.Errorf("initializing Cluster Monitoring Operator NetworkPolicy failed: %w", err)
-	}
-
-	err = t.client.CreateOrUpdateNetworkPolicy(ctx, netpol)
-	if err != nil {
-		return fmt.Errorf("reconciling Cluster Monitoring Operator NetworkPolicy failed: %w", err)
-	}
-
-	// Deploy the denyNetpol first would block CMO, deploy it last.
-	// TODO: maybe the NPs for CMO itself are better handled by CVO.
-	denyNetpol, err := t.factory.ClusterMonitoringDenyAllTraffic()
-	if err != nil {
-		return fmt.Errorf("initializing deny all pods traffic NetworkPolicy failed: %w", err)
-	}
-
 	err = t.client.CreateOrUpdateNetworkPolicy(ctx, denyNetpol)
 	if err != nil {
 		return fmt.Errorf("reconciling deny all pods traffic NetworkPolicy failed: %w", err)
