
Commit 8b60d24

authored
Merge pull request #898 from zeeke/us/CNF-17884-network-policies
security: Add `NetworkPolicies` to operands
2 parents cf7573b + 4c7f2d8 commit 8b60d24


6 files changed

+79
-1
lines changed

Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
apiVersion: networking.k8s.io/v1
2+
kind: NetworkPolicy
3+
metadata:
4+
name: operator-webhook-allow-traffic-api-server
5+
namespace: {{.Namespace}}
6+
spec:
7+
podSelector:
8+
matchLabels:
9+
app: operator-webhook
10+
ingress:
11+
- ports:
12+
- protocol: TCP
13+
port: 6443
14+
egress:
15+
- ports:
16+
- protocol: TCP
17+
port: 6443
18+
policyTypes:
19+
- Ingress
20+
- Egress
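Review bot: Both rules in this policy select only a port, with no `from` or `to` peer selector, so the ingress rule admits any source that can reach the pod on TCP 6443 and the egress rule permits the pod to connect to any destination on TCP 6443, which is broader than the name `operator-webhook-allow-traffic-api-server` suggests. If the intent is API-server traffic only, the egress rule should carry a peer, e.g. `- to:` / `  - ipBlock:` / `      cidr: <API-SERVER-CIDR>` (placeholder; the page does not show the cluster's endpoint), and the ingress rule an equivalent `from` if the API server's source addresses are known. Note also that listing `Egress` in `policyTypes` denies everything not listed, so if the webhook resolves names it will need a UDP/TCP 53 egress entry; whether it does is not visible here, and whether 6443 is the webhook's listening port is assumed from the manifest. The same structure is repeated in the `network-resources-injector-allow-traffic-api-server` policy that follows.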
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
apiVersion: networking.k8s.io/v1
2+
kind: NetworkPolicy
3+
metadata:
4+
name: network-resources-injector-allow-traffic-api-server
5+
namespace: {{.Namespace}}
6+
spec:
7+
podSelector:
8+
matchLabels:
9+
app: network-resources-injector
10+
ingress:
11+
- ports:
12+
- protocol: TCP
13+
port: 6443
14+
egress:
15+
- ports:
16+
- protocol: TCP
17+
port: 6443
18+
policyTypes:
19+
- Ingress
20+
- Egress

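--- a/controllers/sriovoperatorconfig_controller_test.go
+++ b/controllers/sriovoperatorconfig_controller_test.go
@@ -10,6 +10,7 @@ import (
 admv1 "k8s.io/api/admissionregistration/v1"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
+networkv1 "k8s.io/api/networking/v1"
 rbacv1 "k8s.io/api/rbac/v1"
 "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -177,6 +178,10 @@ var _ = Describe("SriovOperatorConfig controller", Ordered, func() {
 err = util.WaitForNamespacedObjectDeleted(daemonSet, k8sClient, testNamespace, "network-resources-injector", util.RetryInterval, util.APITimeout)
 Expect(err).NotTo(HaveOccurred())
 
+networkPolicy := &networkv1.NetworkPolicy{}
+err = util.WaitForNamespacedObjectDeleted(networkPolicy, k8sClient, testNamespace, "network-resources-injector-allow-traffic-api-server", util.RetryInterval, util.APITimeout)
+Expect(err).NotTo(HaveOccurred())
+
 mutateCfg := &admv1.MutatingWebhookConfiguration{}
 err = util.WaitForNamespacedObjectDeleted(mutateCfg, k8sClient, testNamespace, "network-resources-injector-config", util.RetryInterval, util.APITimeout)
 Expect(err).NotTo(HaveOccurred())
@@ -193,6 +198,10 @@ var _ = Describe("SriovOperatorConfig controller", Ordered, func() {
 err = util.WaitForNamespacedObject(daemonSet, k8sClient, testNamespace, "network-resources-injector", util.RetryInterval, util.APITimeout)
 Expect(err).NotTo(HaveOccurred())
 
+networkPolicy = &networkv1.NetworkPolicy{}
+err = util.WaitForNamespacedObject(networkPolicy, k8sClient, testNamespace, "network-resources-injector-allow-traffic-api-server", util.RetryInterval, util.APITimeout)
+Expect(err).NotTo(HaveOccurred())
+
 mutateCfg = &admv1.MutatingWebhookConfiguration{}
 err = util.WaitForNamespacedObject(mutateCfg, k8sClient, testNamespace, "network-resources-injector-config", util.RetryInterval, util.APITimeout)
 Expect(err).NotTo(HaveOccurred())
@@ -212,6 +221,10 @@ var _ = Describe("SriovOperatorConfig controller", Ordered, func() {
 err = util.WaitForNamespacedObjectDeleted(daemonSet, k8sClient, testNamespace, "operator-webhook", util.RetryInterval, util.APITimeout)
 Expect(err).NotTo(HaveOccurred())
 
+networkPolicy := &networkv1.NetworkPolicy{}
+err = util.WaitForNamespacedObjectDeleted(networkPolicy, k8sClient, testNamespace, "operator-webhook-allow-traffic-api-server", util.RetryInterval, util.APITimeout)
+Expect(err).NotTo(HaveOccurred())
+
 mutateCfg := &admv1.MutatingWebhookConfiguration{}
 err = util.WaitForNamespacedObjectDeleted(mutateCfg, k8sClient, testNamespace, "sriov-operator-webhook-config", util.RetryInterval, util.APITimeout)
 Expect(err).NotTo(HaveOccurred())
@@ -220,7 +233,7 @@ var _ = Describe("SriovOperatorConfig controller", Ordered, func() {
 err = util.WaitForNamespacedObjectDeleted(validateCfg, k8sClient, testNamespace, "sriov-operator-webhook-config", util.RetryInterval, util.APITimeout)
 Expect(err).NotTo(HaveOccurred())
 
-By("set disable to enableOperatorWebhook")
+By("set enable to enableOperatorWebhook")
 Expect(k8sClient.Get(ctx, types.NamespacedName{Namespace: testNamespace, Name: "default"}, config)).NotTo(HaveOccurred())
 
 config.Spec.EnableOperatorWebhook = true
@@ -231,6 +244,10 @@ var _ = Describe("SriovOperatorConfig controller", Ordered, func() {
 err = util.WaitForNamespacedObject(daemonSet, k8sClient, testNamespace, "operator-webhook", util.RetryInterval, util.APITimeout)
 Expect(err).NotTo(HaveOccurred())
 
+networkPolicy = &networkv1.NetworkPolicy{}
+err = util.WaitForNamespacedObject(networkPolicy, k8sClient, testNamespace, "operator-webhook-allow-traffic-api-server", util.RetryInterval, util.APITimeout)
+Expect(err).NotTo(HaveOccurred())
+
 mutateCfg = &admv1.MutatingWebhookConfiguration{}
 err = util.WaitForNamespacedObject(mutateCfg, k8sClient, testNamespace, "sriov-operator-webhook-config", util.RetryInterval, util.APITimeout)
 Expect(err).NotTo(HaveOccurred())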
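Review bot: The enable-path hunks (`@@ -193,6 +198,10 @@` and `@@ -231,6 +244,10 @@`) only wait for the NetworkPolicy object to exist and never look at its spec, so a policy that was rendered with the wrong selector or no `policyTypes` would still pass; since the policy's content is the security property being added, a spec check after the wait would make the test meaningful, e.g. `Expect(networkPolicy.Spec.PodSelector.MatchLabels).To(HaveKeyWithValue("app", "network-resources-injector"))` and `Expect(networkPolicy.Spec.PolicyTypes).To(ConsistOf(networkv1.PolicyTypeIngress, networkv1.PolicyTypeEgress))`. This presumes `util.WaitForNamespacedObject` fills in the object it is handed, which is not visible on this page. The enclosing `Describe` block starts and ends outside these hunks.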

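--- a/deploy/role.yaml
+++ b/deploy/role.yaml
@@ -34,6 +34,15 @@ rules:
 - create
 - update
 - delete
+- apiGroups:
+- networking.k8s.io
+resources:
+- networkpolicies
+verbs:
+- get
+- create
+- update
+- delete
 - apiGroups:
 - apps
 resourceNames: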
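Review bot: The new `networkpolicies` rule grants `get`, `update` and `delete` on every NetworkPolicy in the role's scope, whereas the adjacent `apps` rule that follows it already narrows itself with `resourceNames`; the operator only manages the two policies named in this commit, so following that pattern and listing `operator-webhook-allow-traffic-api-server` and `network-resources-injector-allow-traffic-api-server` under `resourceNames` would keep the operator from being able to modify or remove policies it does not own. `create` cannot be name-scoped by RBAC, so it would need to stay in a separate unscoped rule for the resource. Whether this file is a `Role` or a `ClusterRole` is not visible in the hunk, which affects how wide the unscoped grant is. The same rule is added to `deployment/sriov-network-operator-chart/templates/role.yaml` and the same narrowing applies there.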

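--- a/deployment/sriov-network-operator-chart/templates/role.yaml
+++ b/deployment/sriov-network-operator-chart/templates/role.yaml
@@ -28,6 +28,15 @@ rules:
 - statefulsets
 verbs:
 - '*'
+- apiGroups:
+- networking.k8s.io
+resources:
+- networkpolicies
+verbs:
+- get
+- create
+- update
+- delete
 - apiGroups:
 - monitoring.coreos.com
 resources: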

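--- a/test/conformance/tests/test_sriov_operator.go
+++ b/test/conformance/tests/test_sriov_operator.go
@@ -17,6 +17,7 @@ import (
 admission "k8s.io/api/admissionregistration/v1"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
+networkv1 "k8s.io/api/networking/v1"
 rbacv1 "k8s.io/api/rbac/v1"
 k8serrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -1134,6 +1135,7 @@ var _ = Describe("[sriov] operator", Ordered, func() {
 assertObjectIsNotFound("network-resources-injector-role-binding", &rbacv1.ClusterRoleBinding{})
 assertObjectIsNotFound("network-resources-injector-config", &admission.MutatingWebhookConfiguration{})
 assertObjectIsNotFound("nri-control-switches", &corev1.ConfigMap{})
+assertObjectIsNotFound("network-resources-injector-allow-traffic-api-server", &networkv1.NetworkPolicy{})
 })
 
 It("SR-IOV Operator Config, disable Operator Webhook", func() {
@@ -1154,6 +1156,7 @@ var _ = Describe("[sriov] operator", Ordered, func() {
 assertObjectIsNotFound("operator-webhook", &rbacv1.ClusterRole{})
 assertObjectIsNotFound("operator-webhook-role-binding", &rbacv1.ClusterRoleBinding{})
 assertObjectIsNotFound("sriov-operator-webhook-config", &admission.MutatingWebhookConfiguration{})
+assertObjectIsNotFound("operator-webhook-allow-traffic-api-server", &networkv1.NetworkPolicy{})
 })
 
 It("SR-IOV Operator Config, disable Resource Injector and Operator Webhook", func() {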
