feat(controller): support hostNetwork

This commit adds the support to enable host network in the Kubewarden
stack. This is done by enabling a CLI flag in the controller. Once this
is done, all the policy server deployments are configured to use host
network as well.

Furthermore, to allow user to fix port conflicts issues, 3 new fields
have been added to the policy server spec. This fields allow users to
define the ports to be used by the policy server deployment.

Assisted-by: Github Copilot
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

refactor(webhook): remove metricsPort conflict validation

spec.metricsPort only controls the metrics Service Port (the externally
visible scrape port) and has no effect on pod-side ports. Since it
operates at a different layer than webhookPort and readinessProbePort,
there is no meaningful conflict to validate against. The only pod-side
conflict check that remains is webhookPort vs readinessProbePort.

As a consequence, the defaultMetricsPort parameter is removed from
SetupWebhookWithManager and the policyServerValidator struct, simplifying
the webhook setup chain in main.go.

Assisted-by: Github Copilot
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

Author: jvanz

Makefile

@@ -54,6 +54,9 @@ helm-unittest:
 test-e2e: controller-image audit-scanner-image policy-server-image
 	$(GO_BUILD_ENV) go test ./e2e/ -v
 
+.PHONY: test-all
+test-all: test helm-unittest test-e2e
+
 .PHONY: fmt-go
 fmt-go:
 	$(GO_BUILD_ENV) go fmt ./...

api/policies/v1/factories.go

@@ -487,6 +487,9 @@ type PolicyServerBuilder struct {
 	requests                       corev1.ResourceList
 	sigstoreTrustConfigMap         string
 	namespacedPoliciesCapabilities []string
+	webhookPort                    *int32
+	readinessProbePort             *int32
+	metricsPort                    *int32
 }
 
 func NewPolicyServerFactory() *PolicyServerBuilder {
@@ -535,6 +538,21 @@ func (f *PolicyServerBuilder) WithNamespacedPoliciesCapabilities(capabilities []
 	return f
 }
 
+func (f *PolicyServerBuilder) WithWebhookPort(port int32) *PolicyServerBuilder {
+	f.webhookPort = &port
+	return f
+}
+
+func (f *PolicyServerBuilder) WithReadinessProbePort(port int32) *PolicyServerBuilder {
+	f.readinessProbePort = &port
+	return f
+}
+
+func (f *PolicyServerBuilder) WithMetricsPort(port int32) *PolicyServerBuilder {
+	f.metricsPort = &port
+	return f
+}
+
 func (f *PolicyServerBuilder) Build() *PolicyServer {
 	policyServer := PolicyServer{
 		ObjectMeta: metav1.ObjectMeta{
@@ -559,6 +577,9 @@ func (f *PolicyServerBuilder) Build() *PolicyServer {
 			Requests:                       f.requests,
 			SigstoreTrustConfig:            f.sigstoreTrustConfigMap,
 			NamespacedPoliciesCapabilities: f.namespacedPoliciesCapabilities,
+			WebhookPort:                    f.webhookPort,
+			ReadinessProbePort:             f.readinessProbePort,
+			MetricsPort:                    f.metricsPort,
 			Env: []corev1.EnvVar{
 				{
 					Name:  "KUBEWARDEN_LOG_LEVEL",

api/policies/v1/policyserver_types.go

@@ -150,6 +150,44 @@ type PolicyServerSpec struct {
 	// - Specific capability paths (e.g. "oci/v1/verify", "net/v1/dns_lookup_host")
 	// +optional
 	NamespacedPoliciesCapabilities []string `json:"namespacedPoliciesCapabilities,omitempty"`
+
+	// Port where the policy server listens for incoming webhook requests.
+	// When unset, defaults to 8443. This is the port the Kubernetes API server
+	// reaches when evaluating admission requests.
+	// +optional
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=65535
+	WebhookPort *int32 `json:"webhookPort,omitempty"`
+
+	// Port used by the policy server to expose the readiness probe endpoint.
+	// When unset, defaults to 8081.
+	// +optional
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=65535
+	ReadinessProbePort *int32 `json:"readinessProbePort,omitempty"`
+
+	// Port exposed by the metrics Service for this policy server.
+	// When unset, defaults to the controller-wide default
+	// (KUBEWARDEN_POLICY_SERVER_SERVICES_METRICS_PORT env var, or 8080).
+	// Only relevant when metrics are enabled.
+	//
+	// Use this field to customize which port Prometheus scrapes for this
+	// PolicyServer's metrics Service (e.g. to match naming conventions or
+	// avoid Service-level port collisions).
+	//
+	// NOTE: this field controls only the Service Port (the externally visible
+	// scrape port). The Service TargetPort — the port the pod actually listens
+	// on — is always the controller-wide default and is not affected by this
+	// field. This is intentional: when the OpenTelemetry sidecar mode is
+	// enabled, each pod gets its own injected sidecar, but the pod-side
+	// Prometheus listener port is determined by controller-wide/injection
+	// configuration, not per PolicyServer. Therefore, changing this field does
+	// not change the pod listener port and will not resolve pod-port conflicts
+	// such as those caused by hostNetwork.
+	// +optional
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=65535
+	MetricsPort *int32 `json:"metricsPort,omitempty"`
 }
 
 type ReconciliationTransitionReason string
@@ -222,6 +260,34 @@ func (ps *PolicyServer) AppLabel() string {
 	return "kubewarden-" + ps.NameWithPrefix()
 }
 
+// EffectiveWebhookPort returns the port the policy server listens on for
+// admission webhook requests, using the CRD field when set or the default constant.
+func (ps *PolicyServer) EffectiveWebhookPort() int32 {
+	if ps.Spec.WebhookPort != nil {
+		return *ps.Spec.WebhookPort
+	}
+	return constants.PolicyServerListenPort
+}
+
+// EffectiveReadinessProbePort returns the port used for the readiness probe,
+// using the CRD field when set or the default constant.
+func (ps *PolicyServer) EffectiveReadinessProbePort() int32 {
+	if ps.Spec.ReadinessProbePort != nil {
+		return *ps.Spec.ReadinessProbePort
+	}
+	return constants.PolicyServerReadinessProbePort
+}
+
+// EffectiveMetricsPort returns the port used to expose the metrics endpoint.
+// It returns the CRD-level override when set, otherwise it falls back to defaultPort
+// (which is typically the controller-wide default configured via environment variable).
+func (ps *PolicyServer) EffectiveMetricsPort(defaultPort int32) int32 {
+	if ps.Spec.MetricsPort != nil {
+		return *ps.Spec.MetricsPort
+	}
+	return defaultPort
+}
+
 // CommonLabels returns the common labels to be used with the resources
 // associated to a Policy Server. The labels defined follow
 // Kubernetes guidelines: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels

api/policies/v1/policyserver_webhook.go

@@ -175,6 +175,7 @@ func (v *policyServerValidator) validate(ctx context.Context, policyServer *Poli
 
 	allErrs = append(allErrs, validateLimitsAndRequests(policyServer.Spec.Limits, policyServer.Spec.Requests)...)
 	allErrs = append(allErrs, validateNamespacedPoliciesCapabilities(policyServer.Spec.NamespacedPoliciesCapabilities)...)
+	allErrs = append(allErrs, v.validatePorts(policyServer)...)
 
 	if len(allErrs) == 0 {
 		return nil
@@ -274,7 +275,6 @@ func validateNamespacedPoliciesCapabilities(capabilities []string) field.ErrorLi
 			allErrs = append(allErrs, err)
 		}
 	}
-
 	return allErrs
 }
 
@@ -327,3 +327,24 @@ func validateSingleCapability(pattern string, path *field.Path) *field.Error {
 		fmt.Sprintf("%q is not a complete capability path; use %q to allow all capabilities under it",
 			pattern, pattern+"/*"))
 }
+
+// validatePorts checks that the port fields in the PolicyServer spec do not
+// conflict with each other. Only pod-side ports (webhookPort, readinessProbePort)
+// are validated against each other. spec.metricsPort is a Service-layer-only
+// setting and cannot conflict with pod-side ports.
+func (v *policyServerValidator) validatePorts(policyServer *PolicyServer) field.ErrorList {
+	var allErrs field.ErrorList
+
+	webhookPort := policyServer.EffectiveWebhookPort()
+	readinessPort := policyServer.EffectiveReadinessProbePort()
+
+	if webhookPort == readinessPort {
+		allErrs = append(allErrs, field.Invalid(
+			field.NewPath("spec").Child("readinessProbePort"),
+			readinessPort,
+			fmt.Sprintf("readinessProbePort must differ from webhookPort (%d)", webhookPort),
+		))
+	}
+
+	return allErrs
+}

api/policies/v1/policyserver_webhook_test.go

@@ -412,3 +412,76 @@ func TestPolicyServerValidateNamespacedPoliciesCapabilities(t *testing.T) {
 		})
 	}
 }
+
+func TestValidatePorts(t *testing.T) {
+	tests := []struct {
+		name        string
+		webhookPort *int32
+		readiness   *int32
+		metrics     *int32
+		errContains string
+	}{
+		{
+			name:        "all defaults, no conflict",
+			errContains: "",
+		},
+		{
+			name:        "webhookPort equals readinessProbePort",
+			webhookPort: ptr.To[int32](8081),
+			readiness:   ptr.To[int32](8081),
+			errContains: "readinessProbePort must differ from webhookPort",
+		},
+		{
+			name:        "webhookPort and readinessProbePort distinct custom values",
+			webhookPort: ptr.To[int32](9443),
+			readiness:   ptr.To[int32](9081),
+			errContains: "",
+		},
+		{
+			// metricsPort is a Service-layer-only setting and cannot conflict
+			// with pod-side ports (webhookPort, readinessProbePort).
+			name:        "metricsPort equal to webhookPort is allowed",
+			webhookPort: ptr.To[int32](8080),
+			metrics:     ptr.To[int32](8080),
+			errContains: "",
+		},
+		{
+			// metricsPort is a Service-layer-only setting and cannot conflict
+			// with pod-side ports (webhookPort, readinessProbePort).
+			name:        "metricsPort equal to readinessProbePort is allowed",
+			readiness:   ptr.To[int32](9000),
+			metrics:     ptr.To[int32](9000),
+			errContains: "",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			k8sClient := fake.NewClientBuilder().Build()
+			builder := NewPolicyServerFactory()
+			if test.webhookPort != nil {
+				builder = builder.WithWebhookPort(*test.webhookPort)
+			}
+			if test.readiness != nil {
+				builder = builder.WithReadinessProbePort(*test.readiness)
+			}
+			if test.metrics != nil {
+				builder = builder.WithMetricsPort(*test.metrics)
+			}
+			policyServer := builder.Build()
+
+			validator := policyServerValidator{
+				deploymentsNamespace: "default",
+				k8sClient:            k8sClient,
+				logger:               logr.Discard(),
+			}
+			err := validator.validate(t.Context(), policyServer)
+
+			if test.errContains != "" {
+				require.ErrorContains(t, err, test.errContains)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}

api/policies/v1/zz_generated.deepcopy.go

@@ -11,3 +11,11 @@ If you'd like to support us, we'd love to hear from you as one of our adopters.
 Adopters can be public or private. 
 
 Learn how to add your organization as a Kubewarden adopter by checking out the ADOPTERS.md file here: https://github.com/kubewarden/community/blob/main/ADOPTERS.md
+
+{{ if .Values.hostNetwork }}
+⚠️  WARNING  ⚠️
+Host Network is enabled. Ensure you set appropriate podAntiAffinity rules to prevent host port conflicts between controller replicas on the same node.
+{{ if eq .Values.telemetry.mode "sidecar" }}
+Telemetry sidecar mode (telemetry.mode=sidecar) is incompatible with host network. This chart rejects that configuration and rendering/installation will fail when hostNetwork=true and telemetry.mode=sidecar. Use telemetry.mode=custom with a remote collector instead, or disable hostNetwork.
+{{- end }}
+{{- end }}

charts/kubewarden-controller/templates/NOTES.txt

@@ -181,3 +181,31 @@ are configured.
 - {{ .Values.auditScanner.reportCRDsKind }}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Compute the effective affinity for the controller deployment.
+Uses the controller-specific affinity if set, otherwise falls back to
+global.affinity for backward compatibility.
+
+NOTE: When hostNetwork is enabled, users are responsible for setting
+appropriate podAntiAffinity rules to prevent host-port conflicts between
+controller replicas on the same node.
+*/}}
+{{- define "kubewarden-controller.effectiveAffinity" -}}
+{{- if .Values.affinity -}}
+  {{- toYaml .Values.affinity -}}
+{{- else if .Values.global.affinity -}}
+  {{- toYaml .Values.global.affinity -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validate that hostNetwork and telemetry sidecar mode are not both enabled.
+They are incompatible because multiple OTel sidecars on the same node would
+cause port conflicts in host-network mode.
+*/}}
+{{- define "kubewarden-controller.validateHostNetworkSidecar" -}}
+{{- if and .Values.hostNetwork (eq .Values.telemetry.mode "sidecar") (or .Values.telemetry.metrics .Values.telemetry.tracing) -}}
+{{- fail "hostNetwork and telemetry.mode=sidecar are incompatible: OpenTelemetry sidecar injection causes port conflicts in host-network mode. Use telemetry.mode=custom with a remote collector instead." -}}
+{{- end -}}
+{{- end -}}