Merge branch 'k8snetworkplumbingwg:master' into master

Author: nvidia-ci-cd

bindata/manifests/operator-webhook/004-networkpolicy.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: operator-webhook-allow-traffic-api-server
+  namespace: {{.Namespace}}
+spec:
+  podSelector:
+    matchLabels:
+      app: operator-webhook
+  ingress:
+  - ports:
+    - protocol: TCP
+      port: 6443
+  egress:
+  - ports:
+    - protocol: TCP
+      port: 6443
+  policyTypes:
+  - Ingress
+  - Egress

bindata/manifests/webhook/005-networkpolicy.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: network-resources-injector-allow-traffic-api-server
+  namespace: {{.Namespace}}
+spec:
+  podSelector:
+    matchLabels:
+      app: network-resources-injector
+  ingress:
+  - ports:
+    - protocol: TCP
+      port: 6443
+  egress:
+  - ports:
+    - protocol: TCP
+      port: 6443
+  policyTypes:
+  - Ingress
+  - Egress

controllers/sriovoperatorconfig_controller_test.go

@@ -26,6 +26,7 @@ import (
 	admv1 "k8s.io/api/admissionregistration/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	networkv1 "k8s.io/api/networking/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -193,6 +194,10 @@ var _ = Describe("SriovOperatorConfig controller", Ordered, func() {
 			err = util.WaitForNamespacedObjectDeleted(daemonSet, k8sClient, testNamespace, "network-resources-injector", util.RetryInterval, util.APITimeout)
 			Expect(err).NotTo(HaveOccurred())
 
+			networkPolicy := &networkv1.NetworkPolicy{}
+			err = util.WaitForNamespacedObjectDeleted(networkPolicy, k8sClient, testNamespace, "network-resources-injector-allow-traffic-api-server", util.RetryInterval, util.APITimeout)
+			Expect(err).NotTo(HaveOccurred())
+
 			mutateCfg := &admv1.MutatingWebhookConfiguration{}
 			err = util.WaitForNamespacedObjectDeleted(mutateCfg, k8sClient, testNamespace, "network-resources-injector-config", util.RetryInterval, util.APITimeout)
 			Expect(err).NotTo(HaveOccurred())
@@ -209,6 +214,10 @@ var _ = Describe("SriovOperatorConfig controller", Ordered, func() {
 			err = util.WaitForNamespacedObject(daemonSet, k8sClient, testNamespace, "network-resources-injector", util.RetryInterval, util.APITimeout)
 			Expect(err).NotTo(HaveOccurred())
 
+			networkPolicy = &networkv1.NetworkPolicy{}
+			err = util.WaitForNamespacedObject(networkPolicy, k8sClient, testNamespace, "network-resources-injector-allow-traffic-api-server", util.RetryInterval, util.APITimeout)
+			Expect(err).NotTo(HaveOccurred())
+
 			mutateCfg = &admv1.MutatingWebhookConfiguration{}
 			err = util.WaitForNamespacedObject(mutateCfg, k8sClient, testNamespace, "network-resources-injector-config", util.RetryInterval, util.APITimeout)
 			Expect(err).NotTo(HaveOccurred())
@@ -228,6 +237,10 @@ var _ = Describe("SriovOperatorConfig controller", Ordered, func() {
 			err = util.WaitForNamespacedObjectDeleted(daemonSet, k8sClient, testNamespace, "operator-webhook", util.RetryInterval, util.APITimeout)
 			Expect(err).NotTo(HaveOccurred())
 
+			networkPolicy := &networkv1.NetworkPolicy{}
+			err = util.WaitForNamespacedObjectDeleted(networkPolicy, k8sClient, testNamespace, "operator-webhook-allow-traffic-api-server", util.RetryInterval, util.APITimeout)
+			Expect(err).NotTo(HaveOccurred())
+
 			mutateCfg := &admv1.MutatingWebhookConfiguration{}
 			err = util.WaitForNamespacedObjectDeleted(mutateCfg, k8sClient, testNamespace, "sriov-operator-webhook-config", util.RetryInterval, util.APITimeout)
 			Expect(err).NotTo(HaveOccurred())
@@ -236,7 +249,7 @@ var _ = Describe("SriovOperatorConfig controller", Ordered, func() {
 			err = util.WaitForNamespacedObjectDeleted(validateCfg, k8sClient, testNamespace, "sriov-operator-webhook-config", util.RetryInterval, util.APITimeout)
 			Expect(err).NotTo(HaveOccurred())
 
-			By("set disable to enableOperatorWebhook")
+			By("set enable to enableOperatorWebhook")
 			Expect(k8sClient.Get(ctx, types.NamespacedName{Namespace: testNamespace, Name: "default"}, config)).NotTo(HaveOccurred())
 
 			config.Spec.EnableOperatorWebhook = true
@@ -247,6 +260,10 @@ var _ = Describe("SriovOperatorConfig controller", Ordered, func() {
 			err = util.WaitForNamespacedObject(daemonSet, k8sClient, testNamespace, "operator-webhook", util.RetryInterval, util.APITimeout)
 			Expect(err).NotTo(HaveOccurred())
 
+			networkPolicy = &networkv1.NetworkPolicy{}
+			err = util.WaitForNamespacedObject(networkPolicy, k8sClient, testNamespace, "operator-webhook-allow-traffic-api-server", util.RetryInterval, util.APITimeout)
+			Expect(err).NotTo(HaveOccurred())
+
 			mutateCfg = &admv1.MutatingWebhookConfiguration{}
 			err = util.WaitForNamespacedObject(mutateCfg, k8sClient, testNamespace, "sriov-operator-webhook-config", util.RetryInterval, util.APITimeout)
 			Expect(err).NotTo(HaveOccurred())

deploy/role.yaml

@@ -50,6 +50,15 @@ rules:
   - create
   - update
   - delete
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - networkpolicies
+  verbs:
+  - get
+  - create
+  - update
+  - delete
 - apiGroups:
   - apps
   resourceNames:

deployment/sriov-network-operator-chart/templates/role.yaml

@@ -28,6 +28,15 @@ rules:
       - statefulsets
     verbs:
       - '*'
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - networkpolicies
+    verbs:
+      - get
+      - create
+      - update
+      - delete
   - apiGroups:
       - monitoring.coreos.com
     resources:

test/conformance/tests/test_sriov_operator.go

@@ -33,6 +33,7 @@ import (
 	admission "k8s.io/api/admissionregistration/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	networkv1 "k8s.io/api/networking/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -1150,6 +1151,7 @@ var _ = Describe("[sriov] operator", Ordered, func() {
 				assertObjectIsNotFound("network-resources-injector-role-binding", &rbacv1.ClusterRoleBinding{})
 				assertObjectIsNotFound("network-resources-injector-config", &admission.MutatingWebhookConfiguration{})
 				assertObjectIsNotFound("nri-control-switches", &corev1.ConfigMap{})
+				assertObjectIsNotFound("network-resources-injector-allow-traffic-api-server", &networkv1.NetworkPolicy{})
 			})
 
 			It("SR-IOV Operator Config, disable Operator Webhook", func() {
@@ -1170,6 +1172,7 @@ var _ = Describe("[sriov] operator", Ordered, func() {
 				assertObjectIsNotFound("operator-webhook", &rbacv1.ClusterRole{})
 				assertObjectIsNotFound("operator-webhook-role-binding", &rbacv1.ClusterRoleBinding{})
 				assertObjectIsNotFound("sriov-operator-webhook-config", &admission.MutatingWebhookConfiguration{})
+				assertObjectIsNotFound("operator-webhook-allow-traffic-api-server", &networkv1.NetworkPolicy{})
 			})
 
 			It("SR-IOV Operator Config, disable Resource Injector and Operator Webhook", func() {