adding network policies to kmm

Due to security concerns, we need to allow KMM
operator only the nessecery traffic.
This commits adds Network policies for each kmm pod.
1. controller
2. webhook
3. build and sign
This commit also changes e2e tests to verify the network policies affect.
This commit also affects KMM bundle to include the network policy mainfests.

Author: TomerNewman

Makefile

@@ -279,6 +279,22 @@ operator-sdk:
 		chmod +x ${OPERATOR_SDK}; \
 	fi
 
+.PHONY: bundle-old
+bundle-old: operator-sdk manifests kustomize ## Generate bundle manifests and metadata, then validate generated files.
+	rm -fr ./bundle
+	${OPERATOR_SDK} generate kustomize manifests --apis-dir api
+	cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG) worker=$(WORKER_IMG)
+	cd config/manager-base && $(KUSTOMIZE) edit set image must-gather=$(GATHER_IMG) signer=$(SIGNER_IMG)
+	cd config/webhook-server && $(KUSTOMIZE) edit set image webhook-server=$(WEBHOOK_IMG)
+
+	OPERATOR_SDK="${OPERATOR_SDK}" \
+	BUNDLE_GEN_FLAGS="${BUNDLE_GEN_FLAGS} --extra-service-accounts kmm-operator-module-loader,kmm-operator-device-plugin" \
+	PKG=kernel-module-management \
+	SOURCE_DIR=$(dir $(realpath $(lastword $(MAKEFILE_LIST)))) \
+	./hack/generate-bundle
+
+	${OPERATOR_SDK} bundle validate ./bundle
+
 .PHONY: bundle
 bundle: operator-sdk manifests kustomize ## Generate bundle manifests and metadata, then validate generated files.
 	rm -fr ./bundle
@@ -291,9 +307,31 @@ bundle: operator-sdk manifests kustomize ## Generate bundle manifests and metada
 	BUNDLE_GEN_FLAGS="${BUNDLE_GEN_FLAGS} --extra-service-accounts kmm-operator-module-loader,kmm-operator-device-plugin" \
 	PKG=kernel-module-management \
 	SOURCE_DIR=$(dir $(realpath $(lastword $(MAKEFILE_LIST)))) \
+	INCLUDE_NETWORK_POLICIES=true \
 	./hack/generate-bundle
 
-	${OPERATOR_SDK} bundle validate ./bundle
+.PHONY: bundle-hub-old
+bundle-hub-old: operator-sdk manifests kustomize ## Generate bundle manifests and metadata, then validate generated files.
+	rm -fr bundle-hub
+
+	${OPERATOR_SDK} generate kustomize manifests \
+		--apis-dir api-hub \
+		--output-dir config/manifests-hub \
+		--package kernel-module-management-hub \
+		--input-dir config/manifests-hub
+	cd config/manager-hub && $(KUSTOMIZE) edit set image controller=$(HUB_IMG)
+	cd config/manager-base && $(KUSTOMIZE) edit set image must-gather=$(GATHER_IMG) signer=$(SIGNER_IMG)
+	cd config/webhook-server && $(KUSTOMIZE) edit set image webhook-server=$(WEBHOOK_IMG)
+
+	OPERATOR_SDK="${OPERATOR_SDK}" \
+	BUNDLE_GEN_FLAGS="${BUNDLE_GEN_FLAGS}" \
+	MANIFESTS_DIR=config/manifests-hub \
+	PKG=kernel-module-management-hub \
+	SOURCE_DIR=$(dir $(realpath $(lastword $(MAKEFILE_LIST)))) \
+	SUFFIX="-hub" \
+	./hack/generate-bundle
+
+	${OPERATOR_SDK} bundle validate ./bundle-hub
 
 .PHONY: bundle-hub
 bundle-hub: operator-sdk manifests kustomize ## Generate bundle manifests and metadata, then validate generated files.
@@ -314,9 +352,9 @@ bundle-hub: operator-sdk manifests kustomize ## Generate bundle manifests and me
 	PKG=kernel-module-management-hub \
 	SOURCE_DIR=$(dir $(realpath $(lastword $(MAKEFILE_LIST)))) \
 	SUFFIX="-hub" \
+	INCLUDE_NETWORK_POLICIES=true \
 	./hack/generate-bundle
 
-	${OPERATOR_SDK} bundle validate ./bundle-hub
 
 .PHONY: bundle-build-hub
 bundle-build-hub: ## Build the bundle-hub image.

PROJECT

@@ -1,6 +1,6 @@
 domain: sigs.x-k8s.io
 layout:
-- go.kubebuilder.io/v3
+- go.kubebuilder.io/v4
 plugins:
   manifests.sdk.operatorframework.io/v2: {}
   scorecard.sdk.operatorframework.io/v2: {}

bundle-hub/manifests/kernel-module-management-hub.clusterserviceversion.yaml

@@ -37,7 +37,7 @@ metadata:
         }
       ]
     capabilities: Seamless Upgrades
-    createdAt: "2025-07-15T14:14:25Z"
+    createdAt: "2025-08-26T14:37:47Z"
     operatorframework.io/suggested-namespace: openshift-kmm-hub
     operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -227,19 +227,13 @@ spec:
           replicas: 1
           selector:
             matchLabels:
-              app.kubernetes.io/component: kmm-hub
-              app.kubernetes.io/name: kmm-hub
-              app.kubernetes.io/part-of: kmm
               control-plane: controller
           strategy: {}
           template:
             metadata:
               annotations:
                 kubectl.kubernetes.io/default-container: manager
               labels:
-                app.kubernetes.io/component: kmm-hub
-                app.kubernetes.io/name: kmm-hub
-                app.kubernetes.io/part-of: kmm
                 control-plane: controller
             spec:
               affinity:
@@ -324,19 +318,13 @@ spec:
           replicas: 1
           selector:
             matchLabels:
-              app.kubernetes.io/component: kmm-hub
-              app.kubernetes.io/name: kmm-hub
-              app.kubernetes.io/part-of: kmm
               control-plane: webhook-server
           strategy: {}
           template:
             metadata:
               annotations:
                 kubectl.kubernetes.io/default-container: webhook-server
               labels:
-                app.kubernetes.io/component: kmm-hub
-                app.kubernetes.io/name: kmm-hub
-                app.kubernetes.io/part-of: kmm
                 control-plane: webhook-server
             spec:
               affinity:

bundle-hub/manifests/kmm-operator-hub-build-and-sign_networking.k8s.io_v1_networkpolicy.yaml

@@ -0,0 +1,14 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: build-and-sign
+  namespace: system
+spec:
+  podSelector:
+    matchExpressions:
+    - key: openshift.io/build.name
+      operator: Exists
+  policyTypes:
+    - Egress
+  egress:
+  - {}

bundle-hub/manifests/kmm-operator-hub-controller-metrics-service_v1_service.yaml

@@ -17,9 +17,6 @@ spec:
     protocol: TCP
     targetPort: metrics
   selector:
-    app.kubernetes.io/component: kmm-hub
-    app.kubernetes.io/name: kmm-hub
-    app.kubernetes.io/part-of: kmm
     control-plane: controller
 status:
   loadBalancer: {}

bundle-hub/manifests/kmm-operator-hub-controller_networking.k8s.io_v1_networkpolicy.yaml

@@ -0,0 +1,36 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: controller
+  namespace: system
+spec:
+  podSelector:
+    matchLabels:
+      control-plane: controller
+  policyTypes:
+    - Egress
+    - Ingress
+  ingress:
+    - ports:
+        - protocol: TCP # metrics port
+          port: 8443
+        - protocol: TCP
+          port: 8081 # Healthz
+  egress:
+    - to:
+        - namespaceSelector: # DNS
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+          podSelector:
+            matchLabels:
+              dns.operator.openshift.io/daemonset-dns: default
+      ports:
+        - protocol: UDP # DNS
+          port: 53
+        - protocol: TCP # DNS
+          port: 53
+    - ports: # kube api server
+        - protocol: TCP
+          port: 6443
+        - protocol: TCP
+          port: 443

bundle-hub/manifests/kmm-operator-hub-default-deny_networking.k8s.io_v1_networkpolicy.yaml

@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: system
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress

bundle-hub/manifests/kmm-operator-hub-webhook-service_v1_service.yaml

@@ -16,9 +16,6 @@ spec:
     protocol: TCP
     targetPort: 9443
   selector:
-    app.kubernetes.io/component: kmm-hub
-    app.kubernetes.io/name: kmm-hub
-    app.kubernetes.io/part-of: kmm
     control-plane: webhook-server
 status:
   loadBalancer: {}

bundle-hub/manifests/kmm-operator-hub-webhook_networking.k8s.io_v1_networkpolicy.yaml

@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: webhook
+  namespace: system
+spec:
+  podSelector:
+    matchLabels:
+      control-plane: webhook-server
+  policyTypes:
+  - Egress
+  - Ingress
+  ingress:
+  - ports:
+    - protocol: TCP
+      port: 9443
+  egress:
+  - ports: # kube api server port
+    - protocol: TCP
+      port: 6443
+    - protocol: TCP
+      port: 443

bundle/manifests/kernel-module-management.clusterserviceversion.yaml

@@ -47,7 +47,7 @@ metadata:
         }
       ]
     capabilities: Seamless Upgrades
-    createdAt: "2025-07-15T13:32:13Z"
+    createdAt: "2025-08-26T14:37:46Z"
     operatorframework.io/suggested-namespace: openshift-kmm
     operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -303,19 +303,13 @@ spec:
           replicas: 1
           selector:
             matchLabels:
-              app.kubernetes.io/component: kmm
-              app.kubernetes.io/name: kmm
-              app.kubernetes.io/part-of: kmm
               control-plane: controller
           strategy: {}
           template:
             metadata:
               annotations:
                 kubectl.kubernetes.io/default-container: manager
               labels:
-                app.kubernetes.io/component: kmm
-                app.kubernetes.io/name: kmm
-                app.kubernetes.io/part-of: kmm
                 control-plane: controller
             spec:
               affinity:
@@ -402,19 +396,13 @@ spec:
           replicas: 1
           selector:
             matchLabels:
-              app.kubernetes.io/component: kmm
-              app.kubernetes.io/name: kmm
-              app.kubernetes.io/part-of: kmm
               control-plane: webhook-server
           strategy: {}
           template:
             metadata:
               annotations:
                 kubectl.kubernetes.io/default-container: webhook-server
               labels:
-                app.kubernetes.io/component: kmm
-                app.kubernetes.io/name: kmm
-                app.kubernetes.io/part-of: kmm
                 control-plane: webhook-server
             spec:
               affinity: