37 changes: 37 additions & 0 deletions manifests/0000_10_openshift_service-ca_01_networkpolicy.yaml
@@ -0,0 +1,37 @@
# Allow policy for the service-ca controller pod in the openshift-service-ca namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: service-ca
namespace: openshift-service-ca
annotations:
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
Comment on lines +7 to +9
⚠️ Potential issue | 🟡 Minor

Missing ibm-cloud-managed annotation creates inconsistency.

The default-deny policy for this namespace (0000_10_openshift_service-ca_02_networkpolicy_default-deny-all.yaml) includes include.release.openshift.io/ibm-cloud-managed: "true", but this allow policy does not. This would cause traffic to be blocked in IBM Cloud managed environments.

🔧 Proposed fix
   annotations:
     include.release.openshift.io/hypershift: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
     include.release.openshift.io/single-node-developer: "true"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@manifests/0000_10_openshift_service-ca_01_networkpolicy.yaml` around lines 7
- 10, The annotations block in the allow NetworkPolicy is missing the
include.release.openshift.io/ibm-cloud-managed: "true" key which makes it
inconsistent with the default-deny policy and will block traffic in IBM Cloud
managed environments; update the annotations in the manifest (the annotations
map that currently contains include.release.openshift.io/hypershift,
include.release.openshift.io/self-managed-high-availability, and
include.release.openshift.io/single-node-developer) to also include
include.release.openshift.io/ibm-cloud-managed: "true" so both policies share
the same IBM Cloud managed annotation.

spec:
podSelector:
matchLabels:
app: service-ca
ingress:
# Metrics scraping (TCP 8443) from any source
- ports:
- protocol: TCP
port: 8443
egress:
# DNS resolution via openshift-dns (TCP/UDP 5353)
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-dns
podSelector:
matchLabels:
dns.operator.openshift.io/daemonset-dns: default
ports:
- protocol: TCP
port: 5353
- protocol: UDP
port: 5353
# Kubernetes API server; no port restriction since it may run on non-standard ports
- {}
Comment on lines +33 to +34
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Kubernetes NetworkPolicy egress rule empty object {} behavior specification

💡 Result:

In a NetworkPolicy, each entry in spec.egress is an allow rule; traffic is allowed if it matches at least one egress rule across all policies selecting the pod (rules are additive). If a pod becomes “egress-isolated” (a selecting policy has policyTypes: [Egress]), then only traffic allowed by those egress rules is permitted. [1]

What `egress: - {}` means

An empty egress rule object (`{}`) has no `to` and no `ports`, so it imposes no destination or port constraints—it matches all destinations on all ports. Kubernetes documents this as the standard “allow all egress traffic” policy:

```yaml
spec:
  podSelector: {}
  egress:
  - {}
  policyTypes:
  - Egress
```

With this in place, “no additional policy or policies can cause any outgoing connection from those pods to be denied” (because NetworkPolicy is allow-list + additive; there is no explicit “deny” rule). [2]

Contrast: “default deny egress”

If you select pods and set `policyTypes: [Egress]` but provide no egress rules, that creates egress isolation with zero allowed egress, i.e. deny-all egress:

```yaml
spec:
  podSelector: {}
  policyTypes:
  - Egress
```
[2]

**So:** `egress: - {}` == **allow all egress** (for selected pods), while omitting egress rules under an egress-isolating policy == **deny all egress**. [1][2]

**Sources**: Kubernetes NetworkPolicy concept docs (v1.33) [1][2].

---

🏁 Script executed:

```shell
cat -n manifests/0000_10_openshift_service-ca_01_networkpolicy.yaml | sed -n '16,37p'
```

Repository: openshift/service-ca-operator

Length of output: 797

egress: - {} permits unrestricted outbound traffic, not API-server-specific egress

Line 37 allows egress to any destination on any port/protocol. The comment on line 36 indicates intent to allow Kubernetes API server traffic only, but the empty egress rule {} overrides this constraint and permits all outbound destinations. Replace with an explicit rule targeting API server endpoints if that is the intended scope.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@manifests/0000_10_openshift_service-ca_01_networkpolicy.yaml` around lines 36
- 37, The egress entry "egress: - {}" currently allows all outbound traffic;
update the NetworkPolicy to restrict egress to the Kubernetes API server only by
replacing the empty rule with an explicit rule that targets the API server
(e.g., an egress rule matching destination port 443/6443 and either an IPBlock
for the cluster API service CIDR or a peer that selects the API server
pods/namespace via namespaceSelector/podSelector); specifically, remove the
"egress: - {}" wildcard and add an egress rule that uses to: - ipBlock: {cidr:
<api-server-cidr>} ports: - protocol: TCP port: 443 (and 6443 if used) or
alternatively use to: - namespaceSelector: {matchLabels:
{kubernetes.io/metadata.name: kube-system}} + podSelector matching the
kube-apiserver label so only API-server egress is permitted.

policyTypes:
- Ingress
- Egress
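Review bot: The ingress rule `- ports: - protocol: TCP port: 8443` carries no `from` peer, so once this policy is in place any pod in the cluster that is itself allowed to send traffic can reach the metrics endpoint, not only the monitoring scraper. The policy already scopes its DNS egress peer with `kubernetes.io/metadata.name: openshift-dns`; the same pattern can scope ingress, for example `from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: openshift-monitoring`, if that is where scraping originates. The endpoint may authenticate its own clients on 8443, but a network-level scope is what keeps the namespace default-deny meaningful. As raised in the thread, the trailing `- {}` egress entry also matches every destination and port, which makes the DNS rule above it a no-op in effect.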
@@ -0,0 +1,14 @@
# Deny all ingress and egress traffic for all pods in the namespace by default.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: openshift-service-ca
annotations:
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
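Review bot: This default-deny selects every pod in `openshift-service-ca` (`podSelector: {}`) for both Ingress and Egress, while the companion allow policy only selects pods labelled `app: service-ca`; any pod in the namespace that does not carry that exact label, or a later rename of the label in the deployment, ends up fully isolated with no DNS or API-server access. A comment here naming the allow policy and the selector it depends on would make the coupling visible, and a check that the deployment's pod label matches the selector would catch drift before it breaks the controller.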
37 changes: 37 additions & 0 deletions manifests/01_networkpolicy_00_service-ca-operator.yaml
@@ -0,0 +1,37 @@
# Allow policy for the service-ca-operator pod in the openshift-service-ca-operator namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: service-ca-operator
namespace: openshift-service-ca-operator
annotations:
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
Comment on lines +7 to +9
⚠️ Potential issue | 🟡 Minor

Missing ibm-cloud-managed annotation creates inconsistency.

The default-deny policy in this namespace (01_networkpolicy_01_default-deny-all.yaml) includes include.release.openshift.io/ibm-cloud-managed: "true", but this allow policy does not. In IBM Cloud managed environments, the default-deny would be applied while this allow policy would be skipped, blocking all traffic to the operator pod.

🔧 Proposed fix
   annotations:
     include.release.openshift.io/hypershift: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
     include.release.openshift.io/single-node-developer: "true"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@manifests/01_networkpolicy_00_service-ca-operator.yaml` around lines 7 - 10,
Add the missing annotation include.release.openshift.io/ibm-cloud-managed:
"true" to the annotations block in the allow policy manifest
(01_networkpolicy_00_service-ca-operator.yaml) so it matches the default-deny
policy; update the annotations map containing
include.release.openshift.io/hypershift,
include.release.openshift.io/self-managed-high-availability, and
include.release.openshift.io/single-node-developer by adding the
include.release.openshift.io/ibm-cloud-managed key with the string value "true".

spec:
podSelector:
matchLabels:
app: service-ca-operator
ingress:
# Metrics scraping (TCP 8443) from any source
- ports:
- protocol: TCP
port: 8443
egress:
# DNS resolution via openshift-dns (TCP/UDP 5353)
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-dns
podSelector:
matchLabels:
dns.operator.openshift.io/daemonset-dns: default
ports:
- protocol: TCP
port: 5353
- protocol: UDP
port: 5353
# Kubernetes API server; no port restriction since it may run on non-standard ports
- {}
Comment on lines +33 to +34
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

```shell
cat -n manifests/08_networkpolicy.yaml | head -50
```

Repository: openshift/service-ca-operator

Length of output: 1693


🌐 Web query:

Kubernetes NetworkPolicy egress empty object behavior v1 API

💡 Result:

In the networking.k8s.io/v1 NetworkPolicy API, an “empty object” egress rule means “match everything”:

  • spec.egress: - {} creates one egress rule with no to and no ports constraints, so it matches all destinations on all ports → effectively allow all egress (for the selected pods, for policies that apply to Egress). This is the documented “allow all egress” pattern. [1]

  • Within an egress rule:

    • If to is missing or empty, the rule matches all destinations. [2]
    • If ports is missing or empty, the rule matches all ports. [3]

By contrast:

  • If a policy applies to egress (e.g., policyTypes: ["Egress"]) but has no egress rules (spec.egress omitted) or an empty egress list (spec.egress: []), then the selected pods become egress-isolated and no egress is allowed (default-deny for egress). [1]

Examples

```yaml
# Allow all egress
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
  - {}
```

```yaml
# Deny all egress (egress isolation with zero allowed rules)
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  # egress: []   # (equivalent intent: no allowed egress rules)
  # (or omit egress entirely)
```

Sources: Kubernetes NetworkPolicy docs (allow-all / default-deny examples) [1], API semantics for egress.to [2] and egress.ports [3].

[1] (v1-33.docs.kubernetes.io)
[2] (v1-31.kubernetes.ac.cn)
[3] (docs.okd.io)

- {} in egress grants unrestricted access to all destinations, not API-server-only access

The empty egress rule on line 37 allows traffic to any destination on any port. This contradicts the intent stated in the line 36 comment. Either restrict the rule to the Kubernetes API server using an explicit to selector and port, or update the comment to reflect that unrestricted egress is intentional.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@manifests/08_networkpolicy.yaml` around lines 36 - 37, The egress rule
currently uses the open matcher "- {}" which permits all destinations; replace
that with a restricted egress that targets the Kubernetes API server using an
explicit "to" entry and port (e.g., port 6443) or, if unrestricted egress is
intended, update the comment to state that traffic is intentionally allowed to
all destinations. Locate the egress rule with the "- {}" entry in the
NetworkPolicy manifest and either replace it with a "to" selector/ipBlock + port
specification for the API server or change the comment to reflect the open
egress policy.

policyTypes:
- Ingress
- Egress
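Review bot: With `- {}` as the final egress entry, the DNS rule scoped to `openshift-dns` pods on TCP/UDP 5353 adds nothing in effect, because `{}` already matches all destinations on all ports; the file reads as tightly scoped while actually allowing all outbound traffic from the operator pod. If the API server truly cannot be pinned to a port (the comment says it may run on non-standard ports), the rule should at least carry a `to` peer for the API-server endpoint, and if that is not feasible the comment should state plainly that all egress is allowed so the next reader does not take the policy as API-server-only. The `from`-less 8443 ingress rule has the same scoping gap noted on the service-ca policy.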
14 changes: 14 additions & 0 deletions manifests/01_networkpolicy_01_default-deny-all.yaml
@@ -0,0 +1,14 @@
# Deny all ingress and egress traffic for all pods in the namespace by default.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: openshift-service-ca-operator
annotations:
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
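Review bot: The file comment says traffic is denied by default but does not say which policy is expected to re-open it; since `01_networkpolicy_00_service-ca-operator.yaml` sorts ahead of this file and selects only `app: service-ca-operator`, a one-line comment naming that companion policy, together with the deployment-profile annotations both files must share (the thread above discusses a mismatch there), would make the pairing explicit and stop the two from drifting apart in later edits.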