Merge pull request #74 from siddhibhor-56/network-policy-operand

ESO-223:Implementation of Network Policy for External Secrets Operand

Author: openshift-merge-bot[bot]

api/v1alpha1/external_secrets_config_types.go

@@ -1,6 +1,7 @@
 package v1alpha1
 
 import (
+	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -120,6 +121,24 @@ type ControllerConfig struct {
 	// +kubebuilder:validation:Maximum:=18000
 	// +kubebuilder:validation:Optional
 	PeriodicReconcileInterval uint32 `json:"periodicReconcileInterval,omitempty"`
+
+	// networkPolicies specifies the list of network policy configurations
+	// to be applied to external-secrets pods.
+	//
+	// Each entry allows specifying a name for the generated NetworkPolicy object,
+	// along with its full Kubernetes NetworkPolicy definition.
+	//
+	// If this field is not provided, external-secrets components will be isolated
+	// with deny-all network policies, which will prevent proper operation.
+	//
+	// +kubebuilder:validation:XValidation:rule="oldSelf.all(op, self.exists(p, p.name == op.name && p.componentName == op.componentName))",message="name and componentName fields in networkPolicies are immutable"
+	// +kubebuilder:validation:MinItems:=0
+	// +kubebuilder:validation:MaxItems:=50
+	// +kubebuilder:validation:Optional
+	// +listType=map
+	// +listMapKey=name
+	// +listMapKey=componentName
+	NetworkPolicies []NetworkPolicy `json:"networkPolicies,omitempty"`
 }
 
 // BitwardenSecretManagerProvider is for enabling the bitwarden secrets manager provider and for setting up the additional service required for connecting with the bitwarden server.
@@ -201,3 +220,41 @@ type CertProvidersConfig struct {
 	// +kubebuilder:validation:Optional
 	CertManager *CertManagerConfig `json:"certManager,omitempty"`
 }
+
+// ComponentName represents the different external-secrets components that can have network policies applied.
+type ComponentName string
+
+const (
+	// CoreController represents the external-secrets component
+	CoreController ComponentName = "ExternalSecretsCoreController"
+
+	// BitwardenSDKServer represents the bitwarden-sdk-server component
+	BitwardenSDKServer ComponentName = "BitwardenSDKServer"
+)
+
+// NetworkPolicy represents a custom network policy configuration for operator-managed components.
+// It includes a name for identification and the network policy rules to be enforced.
+type NetworkPolicy struct {
+	// name is a unique identifier for this network policy configuration.
+	// This name will be used as part of the generated NetworkPolicy resource name.
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=253
+	// +kubebuilder:validation:Required
+	Name string `json:"name"`
+
+	// componentName specifies which external-secrets component this network policy applies to.
+	// +kubebuilder:validation:Enum:=ExternalSecretsCoreController;BitwardenSDKServer
+	// +kubebuilder:validation:Required
+	ComponentName ComponentName `json:"componentName"`
+
+	// egress is a list of egress rules to be applied to the selected pods. Outgoing traffic
+	// is allowed if there are no NetworkPolicies selecting the pod (and cluster policy
+	// otherwise allows the traffic), OR if the traffic matches at least one egress rule
+	// across all the NetworkPolicy objects whose podSelector matches the pod. If
+	// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
+	// solely to ensure that the pods it selects are isolated by default).
+	// The operator will automatically handle ingress rules based on the current running ports.
+	// +kubebuilder:validation:Required
+	//+listType=atomic
+	Egress []networkingv1.NetworkPolicyEgressRule `json:"egress,omitempty" protobuf:"bytes,3,rep,name=egress"`
+}

api/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,37 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-api-server-egress-for-webhook
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets-webhook
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v0.19.0"
+    app.kubernetes.io/managed-by: external-secrets-operator
+    external-secrets.io/component: webhook
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: external-secrets-webhook
+  policyTypes:
+    - Egress
+    - Ingress
+  egress:
+    - ports:
+        - protocol: TCP
+          port: 6443
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 10250
+    # Allow Prometheus/monitoring to scrape metrics
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            openshift.io/cluster-monitoring: "true"
+      - namespaceSelector:
+          matchLabels:
+            name: openshift-monitoring
+      ports:
+        - protocol: TCP
+          port: 8080

bindata/external-secrets/networkpolicy_allow-api-server-and-webhook-traffic.yaml

@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-api-server-egress-for-bitwarden-server
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: bitwarden-sdk-server
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v0.19.0"
+    app.kubernetes.io/managed-by: external-secrets-operator
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: bitwarden-sdk-server
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    # Allow External Secrets Controller to communicate with Bitwarden SDK Server
+    - ports:
+        - protocol: TCP
+          port: 9998
+  # Allow access to Kubernetes API server and bitwarden sdk external server
+  egress:
+    - ports:
+        - protocol: TCP
+          port: 6443
+        - protocol: TCP
+          port: 443

bindata/external-secrets/networkpolicy_allow-api-server-egress-for-bitwarden-sever.yaml

@@ -0,0 +1,33 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-api-server-egress-for-cert-controller
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets-cert-controller
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v0.19.0"
+    app.kubernetes.io/managed-by: external-secrets-operator
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: external-secrets-cert-controller
+  policyTypes:
+    - Egress
+    - Ingress
+  egress:
+    - ports:
+        - protocol: TCP
+          port: 6443
+  ingress:
+    # Allow Prometheus/monitoring to scrape metrics
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            openshift.io/cluster-monitoring: "true"
+      - namespaceSelector:
+          matchLabels:
+            name: openshift-monitoring
+      ports:
+        - protocol: TCP
+          port: 8080

bindata/external-secrets/networkpolicy_allow-api-server-egress-for-cert-controller-traffic.yaml

@@ -0,0 +1,33 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-api-server-egress-for-main-controller
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v0.19.0"
+    app.kubernetes.io/managed-by: external-secrets-operator
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: external-secrets
+  policyTypes:
+    - Egress
+    - Ingress
+  egress:
+    - ports:
+        - protocol: TCP
+          port: 6443
+  ingress:
+    # Allow Prometheus/monitoring to scrape metrics
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            openshift.io/cluster-monitoring: "true"
+      - namespaceSelector:
+          matchLabels:
+            name: openshift-monitoring
+      ports:
+        - protocol: TCP
+          port: 8080

bindata/external-secrets/networkpolicy_allow-api-server-egress-for-main-controller-traffic.yaml

@@ -0,0 +1,36 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v0.19.0"
+    app.kubernetes.io/managed-by: external-secrets-operator
+  name: allow-to-dns
+spec:
+  podSelector:
+    matchExpressions:
+      - key: app.kubernetes.io/name
+        operator: In
+        values:
+          - external-secrets
+          - bitwarden-sdk-server
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+          podSelector:
+            matchLabels:
+              dns.operator.openshift.io/daemonset-dns: default
+      ports:
+        - protocol: TCP
+          port: 5353
+        - protocol: UDP
+          port: 5353
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+  policyTypes:
+      - Egress

bindata/external-secrets/networkpolicy_allow-dns.yaml

@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: deny-all-traffic
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v0.19.0"
+    app.kubernetes.io/managed-by: external-secrets-operator
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress

bindata/external-secrets/networkpolicy_deny-all.yaml

@@ -220,7 +220,7 @@ metadata:
     categories: Security
     console.openshift.io/disable-operand-delete: "true"
     containerImage: openshift.io/external-secrets-operator:latest
-    createdAt: "2025-10-07T03:20:14Z"
+    createdAt: "2025-10-09T11:13:16Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"
@@ -578,6 +578,16 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - networking.k8s.io
+          resources:
+          - networkpolicies
+          verbs:
+          - create
+          - get
+          - list
+          - update
+          - watch
         - apiGroups:
           - operator.openshift.io
           resources: