rh-ecosystem-edge · TomerNewman · Aug 26, 2025 · coderabbitai · Dec 15, 2025 · coderabbitai
diff --git a/Makefile b/Makefile
@@ -279,6 +279,22 @@ operator-sdk:
 		chmod +x ${OPERATOR_SDK}; \
 	fi
 
+.PHONY: bundle-old
+bundle-old: operator-sdk manifests kustomize ## Generate bundle manifests and metadata, then validate generated files.
+	rm -fr ./bundle
+	${OPERATOR_SDK} generate kustomize manifests --apis-dir api
+	cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG) worker=$(WORKER_IMG)
+	cd config/manager-base && $(KUSTOMIZE) edit set image must-gather=$(GATHER_IMG) signer=$(SIGNER_IMG)
+	cd config/webhook-server && $(KUSTOMIZE) edit set image webhook-server=$(WEBHOOK_IMG)
+
+	OPERATOR_SDK="${OPERATOR_SDK}" \
+	BUNDLE_GEN_FLAGS="${BUNDLE_GEN_FLAGS} --extra-service-accounts kmm-operator-module-loader,kmm-operator-device-plugin" \
+	PKG=kernel-module-management \
+	SOURCE_DIR=$(dir $(realpath $(lastword $(MAKEFILE_LIST)))) \
+	./hack/generate-bundle
+
+	${OPERATOR_SDK} bundle validate ./bundle
+
 .PHONY: bundle
 bundle: operator-sdk manifests kustomize ## Generate bundle manifests and metadata, then validate generated files.
 	rm -fr ./bundle
@@ -291,9 +307,31 @@ bundle: operator-sdk manifests kustomize ## Generate bundle manifests and metada
 	BUNDLE_GEN_FLAGS="${BUNDLE_GEN_FLAGS} --extra-service-accounts kmm-operator-module-loader,kmm-operator-device-plugin" \
 	PKG=kernel-module-management \
 	SOURCE_DIR=$(dir $(realpath $(lastword $(MAKEFILE_LIST)))) \
+	INCLUDE_NETWORK_POLICIES=true \
 	./hack/generate-bundle
 
-	${OPERATOR_SDK} bundle validate ./bundle
+.PHONY: bundle-hub-old
+bundle-hub-old: operator-sdk manifests kustomize ## Generate bundle manifests and metadata, then validate generated files.
+	rm -fr bundle-hub
+
+	${OPERATOR_SDK} generate kustomize manifests \
+		--apis-dir api-hub \
+		--output-dir config/manifests-hub \
+		--package kernel-module-management-hub \
+		--input-dir config/manifests-hub
+	cd config/manager-hub && $(KUSTOMIZE) edit set image controller=$(HUB_IMG)
+	cd config/manager-base && $(KUSTOMIZE) edit set image must-gather=$(GATHER_IMG) signer=$(SIGNER_IMG)
+	cd config/webhook-server && $(KUSTOMIZE) edit set image webhook-server=$(WEBHOOK_IMG)
+
+	OPERATOR_SDK="${OPERATOR_SDK}" \
+	BUNDLE_GEN_FLAGS="${BUNDLE_GEN_FLAGS}" \
+	MANIFESTS_DIR=config/manifests-hub \
+	PKG=kernel-module-management-hub \
+	SOURCE_DIR=$(dir $(realpath $(lastword $(MAKEFILE_LIST)))) \
+	SUFFIX="-hub" \
+	./hack/generate-bundle
+
+	${OPERATOR_SDK} bundle validate ./bundle-hub
 
 .PHONY: bundle-hub
 bundle-hub: operator-sdk manifests kustomize ## Generate bundle manifests and metadata, then validate generated files.
@@ -314,9 +352,9 @@ bundle-hub: operator-sdk manifests kustomize ## Generate bundle manifests and me
 	PKG=kernel-module-management-hub \
 	SOURCE_DIR=$(dir $(realpath $(lastword $(MAKEFILE_LIST)))) \
 	SUFFIX="-hub" \
+	INCLUDE_NETWORK_POLICIES=true \
 	./hack/generate-bundle
 
-	${OPERATOR_SDK} bundle validate ./bundle-hub
 
 .PHONY: bundle-build-hub
 bundle-build-hub: ## Build the bundle-hub image.

diff --git a/bundle-hub/manifests/kernel-module-management-hub.clusterserviceversion.yaml b/bundle-hub/manifests/kernel-module-management-hub.clusterserviceversion.yaml
@@ -245,19 +245,13 @@ spec:
           replicas: 1
           selector:
             matchLabels:
-              app.kubernetes.io/component: kmm-hub
-              app.kubernetes.io/name: kmm-hub
-              app.kubernetes.io/part-of: kmm
               control-plane: controller
           strategy: {}
           template:
             metadata:
               annotations:
                 kubectl.kubernetes.io/default-container: manager
               labels:
-                app.kubernetes.io/component: kmm-hub
-                app.kubernetes.io/name: kmm-hub
-                app.kubernetes.io/part-of: kmm
                 control-plane: controller
             spec:
               affinity:
@@ -342,19 +336,13 @@ spec:
           replicas: 1
           selector:
             matchLabels:
-              app.kubernetes.io/component: kmm-hub
-              app.kubernetes.io/name: kmm-hub
-              app.kubernetes.io/part-of: kmm
               control-plane: webhook-server
           strategy: {}
           template:
             metadata:
               annotations:
                 kubectl.kubernetes.io/default-container: webhook-server
               labels:
-                app.kubernetes.io/component: kmm-hub
-                app.kubernetes.io/name: kmm-hub
-                app.kubernetes.io/part-of: kmm
                 control-plane: webhook-server
             spec:
               affinity:

diff --git a/bundle-hub/manifests/kmm-operator-hub-controller-metrics-service_v1_service.yaml b/bundle-hub/manifests/kmm-operator-hub-controller-metrics-service_v1_service.yaml
@@ -17,9 +17,6 @@ spec:
     protocol: TCP
     targetPort: metrics
   selector:
-    app.kubernetes.io/component: kmm-hub
-    app.kubernetes.io/name: kmm-hub
-    app.kubernetes.io/part-of: kmm
     control-plane: controller
 status:
   loadBalancer: {}
diff --git a/bundle-hub/manifests/kmm-operator-hub-controller_networking.k8s.io_v1_networkpolicy.yaml b/bundle-hub/manifests/kmm-operator-hub-controller_networking.k8s.io_v1_networkpolicy.yaml
@@ -0,0 +1,36 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: controller
+  namespace: system
+spec:
+  podSelector:
+    matchLabels:
+      control-plane: controller
+  policyTypes:
+    - Egress
+    - Ingress
+  ingress:
+    - ports:
+        - protocol: TCP # metrics port
+          port: 8443
+        - protocol: TCP
+          port: 8081 # Healthz
+  egress:
+    - to:
+        - namespaceSelector: # DNS
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+          podSelector:
+            matchLabels:
+              dns.operator.openshift.io/daemonset-dns: default
+      ports:
+        - protocol: UDP # DNS
+          port: 53
+        - protocol: TCP # DNS
+          port: 53
+    - ports: # kube api server
+        - protocol: TCP
+          port: 6443
+        - protocol: TCP
+          port: 443
diff --git a/bundle-hub/manifests/kmm-operator-hub-webhook-service_v1_service.yaml b/bundle-hub/manifests/kmm-operator-hub-webhook-service_v1_service.yaml
@@ -16,9 +16,6 @@ spec:
     protocol: TCP
     targetPort: 9443
   selector:
-    app.kubernetes.io/component: kmm-hub
-    app.kubernetes.io/name: kmm-hub
-    app.kubernetes.io/part-of: kmm
     control-plane: webhook-server
 status:
   loadBalancer: {}
diff --git a/bundle-hub/manifests/kmm-operator-hub-webhook_networking.k8s.io_v1_networkpolicy.yaml b/bundle-hub/manifests/kmm-operator-hub-webhook_networking.k8s.io_v1_networkpolicy.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: webhook
+  namespace: system
+spec:
+  podSelector:
+    matchLabels:
+      control-plane: webhook-server
+  policyTypes:
+  - Egress
+  - Ingress
+  ingress:
+  - ports:
+    - protocol: TCP
+      port: 9443
-  ingress:
-  - ports:
-    - protocol: TCP
-      port: 9443
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-kube-apiserver
+    ports:
+    - protocol: TCP
+      port: 9443
-  ingress:
-  - ports:
-    - protocol: TCP
-      port: 9443
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-kube-apiserver
+    ports:
+    - protocol: TCP
+      port: 9443
+  egress:
+  - ports: # kube api server port
+    - protocol: TCP
+      port: 6443
+    - protocol: TCP
+      port: 443
diff --git a/bundle/manifests/kernel-module-management.clusterserviceversion.yaml b/bundle/manifests/kernel-module-management.clusterserviceversion.yaml
@@ -352,19 +352,13 @@ spec:
           replicas: 1
           selector:
             matchLabels:
-              app.kubernetes.io/component: kmm
-              app.kubernetes.io/name: kmm
-              app.kubernetes.io/part-of: kmm
               control-plane: controller
           strategy: {}
           template:
             metadata:
               annotations:
                 kubectl.kubernetes.io/default-container: manager
               labels:
-                app.kubernetes.io/component: kmm
-                app.kubernetes.io/name: kmm
-                app.kubernetes.io/part-of: kmm
                 control-plane: controller
             spec:
               affinity:
@@ -451,19 +445,13 @@ spec:
           replicas: 1
           selector:
             matchLabels:
-              app.kubernetes.io/component: kmm
-              app.kubernetes.io/name: kmm
-              app.kubernetes.io/part-of: kmm
               control-plane: webhook-server
           strategy: {}
           template:
             metadata:
               annotations:
                 kubectl.kubernetes.io/default-container: webhook-server
               labels:
-                app.kubernetes.io/component: kmm
-                app.kubernetes.io/name: kmm
-                app.kubernetes.io/part-of: kmm
                 control-plane: webhook-server
             spec:
               affinity:

diff --git a/bundle/manifests/kmm-operator-controller-metrics-service_v1_service.yaml b/bundle/manifests/kmm-operator-controller-metrics-service_v1_service.yaml
@@ -17,9 +17,6 @@ spec:
     protocol: TCP
     targetPort: metrics
   selector:
-    app.kubernetes.io/component: kmm
-    app.kubernetes.io/name: kmm
-    app.kubernetes.io/part-of: kmm
     control-plane: controller
 status:
   loadBalancer: {}
diff --git a/bundle/manifests/kmm-operator-controller_networking.k8s.io_v1_networkpolicy.yaml b/bundle/manifests/kmm-operator-controller_networking.k8s.io_v1_networkpolicy.yaml
@@ -0,0 +1,36 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: controller
+  namespace: system
+spec:
-metadata:
-  name: controller
-  namespace: system
-spec:
+metadata:
+  name: controller
+spec:
-metadata:
-  name: controller
-  namespace: system
-spec:
+metadata:
+  name: controller
+spec:
+  podSelector:
+    matchLabels:
+      control-plane: controller
+  policyTypes:
+    - Egress
+    - Ingress
+  ingress:
+    - ports:
+        - protocol: TCP # metrics port
+          port: 8443
+        - protocol: TCP
+          port: 8081 # Healthz
+  egress:
+    - to:
+        - namespaceSelector: # DNS
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+          podSelector:
+            matchLabels:
+              dns.operator.openshift.io/daemonset-dns: default
+      ports:
+        - protocol: UDP # DNS
+          port: 53
+        - protocol: TCP # DNS
+          port: 53
+    - ports: # kube api server
+        - protocol: TCP
+          port: 6443
+        - protocol: TCP
+          port: 443
diff --git a/bundle/manifests/kmm-operator-webhook-service_v1_service.yaml b/bundle/manifests/kmm-operator-webhook-service_v1_service.yaml
@@ -16,9 +16,6 @@ spec:
     protocol: TCP
     targetPort: 9443
   selector:
-    app.kubernetes.io/component: kmm
-    app.kubernetes.io/name: kmm
-    app.kubernetes.io/part-of: kmm
     control-plane: webhook-server
 status:
   loadBalancer: {}
diff --git a/bundle/manifests/kmm-operator-webhook_networking.k8s.io_v1_networkpolicy.yaml b/bundle/manifests/kmm-operator-webhook_networking.k8s.io_v1_networkpolicy.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: webhook
+  namespace: system
-  namespace: system
-  namespace: system
+spec:
+  podSelector:
+    matchLabels:
+      control-plane: webhook-server
+  policyTypes:
+  - Egress
+  - Ingress
+  ingress:
+  - ports:
+    - protocol: TCP
+      port: 9443
+  egress:
+  - ports: # kube api server port
+    - protocol: TCP
+      port: 6443
+    - protocol: TCP
+      port: 443
diff --git a/ci/e2e/kustomization.yaml b/ci/e2e/kustomization.yaml
@@ -10,8 +10,10 @@ generatorOptions:
 
 configMapGenerator:
   - name: kmm-kmod-dockerfile
+    namespace: openshift-kmm
     files: [dockerfile=Dockerfile]
 
 secretGenerator:
   - name: build-secret
+    namespace: openshift-kmm
     literals: [ci-build-secret=super-secret-value]
diff --git a/ci/e2e/module.yaml b/ci/e2e/module.yaml
@@ -3,6 +3,7 @@ apiVersion: kmm.sigs.x-k8s.io/v1beta1
 kind: Module
 metadata:
   name: kmm-ci
+  namespace: openshift-kmm
 spec:
   moduleLoader:
     container:

diff --git a/ci/prow/e2e-incluster-build b/ci/prow/e2e-incluster-build
@@ -6,10 +6,10 @@ POD_NAME=''
 
 wait_for_pod_and_print_logs () {
   # we can't exec a command nor get the logs on a pod that isn't `Running` yet.
-  oc wait "pod/${POD_NAME}" --for jsonpath='{.status.phase}'=Running --timeout=60s
+  oc wait -n openshift-kmm"pod/${POD_NAME}" --for jsonpath='{.status.phase}'=Running --timeout=60s
-  oc wait -n openshift-kmm"pod/${POD_NAME}" --for jsonpath='{.status.phase}'=Running --timeout=60s
+  oc wait -n openshift-kmm "pod/${POD_NAME}" --for jsonpath='{.status.phase}'=Running --timeout=60s
-  oc wait -n openshift-kmm"pod/${POD_NAME}" --for jsonpath='{.status.phase}'=Running --timeout=60s
+  oc wait -n openshift-kmm "pod/${POD_NAME}" --for jsonpath='{.status.phase}'=Running --timeout=60s
 
   echo "Print pod ${POD_NAME} logs..."
-  oc logs "pod/${POD_NAME}" -f
+  oc logs -n openshift-kmm "pod/${POD_NAME}" -f
 }
 
 check_module_not_loaded () {
@@ -46,14 +46,14 @@ timeout 1m bash -c 'until oc apply -k ci/e2e; do sleep 3; done'
 # Wait for the build pod to be created. `kubectl wait` doesn't support such option,
 # see https://github.com/kubernetes/kubernetes/issues/83242.
 echo "Waiting for the build pod to be created..."
-timeout 1m bash -c 'until oc get pods -o json | jq -er ".items[].metadata.name | select(.? | match(\"build\"))"; do sleep 1; done'
-POD_NAME=$(oc get pods -o json | jq -r '.items[].metadata.name | select(.? | match("build"))')
+timeout 1m bash -c 'until oc get pods -n openshift-kmm -o json | jq -er ".items[].metadata.name | select(.? | match(\"build\"))"; do sleep 1; done'
+POD_NAME=$(oc get pods -n openshift-kmm -o json | jq -r '.items[].metadata.name | select(.? | match("build"))')
 
 wait_for_pod_and_print_logs
 
 echo "Waiting for the signing pod to be created..."
-timeout 1m bash -c 'until oc get pods -o json | jq -er ".items[].metadata.name | select(.? | match(\"sign\"))"; do sleep 1; done'
-POD_NAME=$(oc get pods -o json | jq -r '.items[].metadata.name | select(.? | match("sign"))')
+timeout 1m bash -c 'until oc get pods -n openshift-kmm -o json | jq -er ".items[].metadata.name | select(.? | match(\"sign\"))"; do sleep 1; done'
+POD_NAME=$(oc get pods -n openshift-kmm -o json | jq -r '.items[].metadata.name | select(.? | match("sign"))')
 
 wait_for_pod_and_print_logs
 
@@ -66,7 +66,7 @@ oc debug "node/${NODE}" -- chroot host/ lsmod | grep kmm_ci_b
 check_module_not_loaded "dummy"
 
 echo "Remove the Module..."
-oc delete modules.kmm.sigs.x-k8s.io/kmm-ci --wait=false
+oc delete modules.kmm.sigs.x-k8s.io/kmm-ci --wait=false -n openshift-kmm
 
 echo "Check that the module gets unloaded from the node..."
 timeout 1m bash -c 'until ! oc debug node/${NODE} -- chroot host/ lsmod | grep kmm_ci_a; do sleep 3; done'
@@ -75,4 +75,4 @@ echo "Check that the dependent module is also unloaded from the node..."
 check_module_not_loaded "kmm_ci_b"
 
 echo "Wait for the Module to be deleted..."
-oc wait --for delete modules.kmm.sigs.x-k8s.io/kmm-ci
+oc wait --for delete modules.kmm.sigs.x-k8s.io/kmm-ci -n openshift-kmm
diff --git a/ci/sign-key-certs/kustomization.yaml b/ci/sign-key-certs/kustomization.yaml
@@ -6,6 +6,8 @@ generatorOptions:
 
 secretGenerator:
   - name: kmm-kmod-signing-cert
+    namespace: openshift-kmm
     files: [cert=signing-cert.pem]
   - name: kmm-kmod-signing-key
+    namespace: openshift-kmm
     files: [key=signing-key.pem]
diff --git a/config/default-hub/kustomization.yaml b/config/default-hub/kustomization.yaml
@@ -17,7 +17,7 @@ components:
 configurations:
 - kustomizeconfig.yaml
 labels:
-- includeSelectors: true
+- includeSelectors: false
   pairs:
     app.kubernetes.io/component: kmm-hub
     app.kubernetes.io/name: kmm-hub

diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -17,7 +17,7 @@ namePrefix: kmm-operator-
 configurations:
 - kustomizeconfig.yaml
 labels:
-- includeSelectors: true
+- includeSelectors: false
   pairs:
     app.kubernetes.io/component: kmm
     app.kubernetes.io/name: kmm