OCPBUGS-61088: revert PR #2766

assets/admission-webhook/network-policy-downstream.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: prometheus-operator-admission-webhook
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus-operator-admission-webhook
+  policyTypes:
+  - Ingress
+  - Egress

assets/alertmanager/network-policy-downstream.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: alertmanager
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: tenancy
+      protocol: TCP
+    - port: web
+      protocol: TCP
+    - port: metrics
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: alertmanager
+  policyTypes:
+  - Ingress
+  - Egress

assets/cluster-monitoring-operator/network-policy-default-deny.yaml

@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: deny-cluster-monitoring-operator-and-operands
+  namespace: openshift-monitoring
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/part-of: openshift-monitoring
+  policyTypes:
+  - Ingress
+  - Egress

assets/kube-state-metrics/network-policy-downstream.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: kube-state-metrics
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https-main
+      protocol: TCP
+    - port: https-self
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: kube-state-metrics
+  policyTypes:
+  - Ingress
+  - Egress

assets/metrics-server/network-policy-downstream.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: metrics-server
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: metrics-server
+  policyTypes:
+  - Ingress
+  - Egress

assets/monitoring-plugin/network-policy-downstream.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: monitoring-plugin
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: monitoring-plugin
+  policyTypes:
+  - Ingress
+  - Egress

assets/openshift-state-metrics/network-policy-downstream.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: openshift-state-metrics
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https-main
+      protocol: TCP
+    - port: https-self
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: openshift-state-metrics
+  policyTypes:
+  - Ingress
+  - Egress

assets/prometheus-k8s/network-policy-downstream.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: prometheus
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: grpc
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus
+  policyTypes:
+  - Ingress
+  - Egress

assets/prometheus-operator/network-policy-downstream.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: prometheus-operator
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus-operator
+  policyTypes:
+  - Ingress
+  - Egress

assets/telemeter-client/network-policy-downstream.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: telemeter-client
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: telemeter-client
+  policyTypes:
+  - Ingress
+  - Egress

assets/thanos-querier/network-policy-downstream.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: thanos-querier
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: tenancy
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: thanos-query
+  policyTypes:
+  - Ingress
+  - Egress

jsonnet/components/admission-webhook.libsonnet

@@ -169,4 +169,38 @@ function(params)
         },
       ],
     },
+    networkPolicyDownstream: {
+      apiVersion: 'networking.k8s.io/v1',
+      kind: 'NetworkPolicy',
+      metadata: {
+        name: 'prometheus-operator-admission-webhook',
+        namespace: 'openshift-monitoring',
+      },
+      spec: {
+        podSelector: {
+          matchLabels: {
+            'app.kubernetes.io/name': 'prometheus-operator-admission-webhook',
+          },
+        },
+        policyTypes: [
+          'Ingress',
+          'Egress',
+        ],
+        ingress: [
+          {
+            ports: [
+              {
+                // allow apiserver reach to prometheus-operator-admission-webhook
+                // 8443(port name: https) port to validate customresourcedefinitions
+                port: 'https',
+                protocol: 'TCP',
+              },
+            ],
+          },
+        ],
+        egress: [
+          {},
+        ],
+      },
+    },
   }

jsonnet/components/alertmanager.libsonnet

@@ -445,4 +445,48 @@ function(params)
         ],
       },
     },
+    networkPolicyDownstream: {
+      apiVersion: 'networking.k8s.io/v1',
+      kind: 'NetworkPolicy',
+      metadata: {
+        name: 'alertmanager',
+        namespace: cfg.namespace,
+      },
+      spec: {
+        podSelector: {
+          matchLabels: {
+            'app.kubernetes.io/name': 'alertmanager',
+          },
+        },
+        policyTypes: [
+          'Ingress',
+          'Egress',
+        ],
+        ingress: [
+          {
+            ports: [
+              {
+                // allow access to the Alertmanager endpoints restricted to a given project,
+                // port number 9092(port name: tenancy)
+                port: 'tenancy',
+                protocol: 'TCP',
+              },
+              {
+                // allow prometheus to sent alerts to alertmanager, port number 9095(port name: web)
+                port: 'web',
+                protocol: 'TCP',
+              },
+              {
+                // allow prometheus to scrape alertmanager endpoint, port number 9097(port name: metrics)
+                port: 'metrics',
+                protocol: 'TCP',
+              },
+            ],
+          },
+        ],
+        egress: [
+          {},
+        ],
+      },
+    },
   }

jsonnet/components/cluster-monitoring-operator.libsonnet

@@ -322,6 +322,11 @@ function(params) {
         resources: ['alertmanagers/api'],
         verbs: ['*'],
       },
+      {
+        apiGroups: ['networking.k8s.io'],
+        resources: ['networkpolicies'],
+        verbs: ['create', 'get', 'list', 'watch', 'update', 'delete'],
+      },
     ],
   },
 
@@ -566,4 +571,27 @@ function(params) {
       verbs: ['*'],
     }],
   },
+
+  // default deny all pods traffic for pods which controlled by cluster-monitoring-operator,
+  // so it won't block with any extra pods controlled by other operators that deployed under
+  // openshift-monitoring project, example issue: https://issues.redhat.com/browse/ROSA-634
+  networkPolicyDefaultDeny: {
+    apiVersion: 'networking.k8s.io/v1',
+    kind: 'NetworkPolicy',
+    metadata: {
+      name: 'deny-cluster-monitoring-operator-and-operands',
+      namespace: cfg.namespace,
+    },
+    spec: {
+      podSelector: {
+        matchLabels: {
+          'app.kubernetes.io/part-of': 'openshift-monitoring',
+        },
+      },
+      policyTypes: [
+        'Ingress',
+        'Egress',
+      ],
+    },
+  },
 }