feat(controller): support hostNetwork

Assisted-by: Github Copilot
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

Author: jvanz

Makefile

@@ -54,6 +54,9 @@ helm-unittest:
 test-e2e: controller-image audit-scanner-image policy-server-image
 	$(GO_BUILD_ENV) go test ./e2e/ -v
 
+.PHONY: test-all
+test-all: test helm-unittest test-e2e
+
 .PHONY: fmt-go
 fmt-go:
 	$(GO_BUILD_ENV) go fmt ./...

api/policies/v1/factories.go

@@ -486,6 +486,9 @@ type PolicyServerBuilder struct {
 	limits                 corev1.ResourceList
 	requests               corev1.ResourceList
 	sigstoreTrustConfigMap string
+	webhookPort            *int32
+	readinessProbePort     *int32
+	metricsPort            *int32
 }
 
 func NewPolicyServerFactory() *PolicyServerBuilder {
@@ -529,6 +532,21 @@ func (f *PolicyServerBuilder) WithRequests(requests corev1.ResourceList) *Policy
 	return f
 }
 
+func (f *PolicyServerBuilder) WithWebhookPort(port int32) *PolicyServerBuilder {
+	f.webhookPort = &port
+	return f
+}
+
+func (f *PolicyServerBuilder) WithReadinessProbePort(port int32) *PolicyServerBuilder {
+	f.readinessProbePort = &port
+	return f
+}
+
+func (f *PolicyServerBuilder) WithMetricsPort(port int32) *PolicyServerBuilder {
+	f.metricsPort = &port
+	return f
+}
+
 func (f *PolicyServerBuilder) Build() *PolicyServer {
 	policyServer := PolicyServer{
 		ObjectMeta: metav1.ObjectMeta{
@@ -552,6 +570,9 @@ func (f *PolicyServerBuilder) Build() *PolicyServer {
 			Limits:              f.limits,
 			Requests:            f.requests,
 			SigstoreTrustConfig: f.sigstoreTrustConfigMap,
+			WebhookPort:         f.webhookPort,
+			ReadinessProbePort:  f.readinessProbePort,
+			MetricsPort:         f.metricsPort,
 			Env: []corev1.EnvVar{
 				{
 					Name:  "KUBEWARDEN_LOG_LEVEL",

api/policies/v1/policyserver_types.go

@@ -139,6 +139,28 @@ type PolicyServerSpec struct {
 	// remain unchanged, but new pods that reference it cannot be created.
 	// +optional
 	PriorityClassName string `json:"priorityClassName,omitempty"`
+
+	// Port where the policy server listens for incoming webhook requests.
+	// When unset, defaults to 8443. This is the port the Kubernetes API server
+	// reaches when evaluating admission requests.
+	// +optional
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=65535
+	WebhookPort *int32 `json:"webhookPort,omitempty"`
+
+	// Port used by the policy server to expose the readiness probe endpoint.
+	// When unset, defaults to 8081.
+	// +optional
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=65535
+	ReadinessProbePort *int32 `json:"readinessProbePort,omitempty"`
+
+	// Port used by the policy server to expose the metrics endpoint.
+	// When unset, defaults to 8080. Only relevant when metrics are enabled.
+	// +optional
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=65535
+	MetricsPort *int32 `json:"metricsPort,omitempty"`
 }
 
 type ReconciliationTransitionReason string
@@ -211,6 +233,33 @@ func (ps *PolicyServer) AppLabel() string {
 	return "kubewarden-" + ps.NameWithPrefix()
 }
 
+// EffectiveWebhookPort returns the port the policy server listens on for
+// admission webhook requests, using the CRD field when set or the default constant.
+func (ps *PolicyServer) EffectiveWebhookPort() int32 {
+	if ps.Spec.WebhookPort != nil {
+		return *ps.Spec.WebhookPort
+	}
+	return constants.PolicyServerListenPort
+}
+
+// EffectiveReadinessProbePort returns the port used for the readiness probe,
+// using the CRD field when set or the default constant.
+func (ps *PolicyServer) EffectiveReadinessProbePort() int32 {
+	if ps.Spec.ReadinessProbePort != nil {
+		return *ps.Spec.ReadinessProbePort
+	}
+	return constants.PolicyServerReadinessProbePort
+}
+
+// EffectiveMetricsPort returns the port used to expose the metrics endpoint,
+// using the CRD field when set or the default constant.
+func (ps *PolicyServer) EffectiveMetricsPort() int32 {
+	if ps.Spec.MetricsPort != nil {
+		return *ps.Spec.MetricsPort
+	}
+	return constants.PolicyServerMetricsPort
+}
+
 // CommonLabels returns the common labels to be used with the resources
 // associated to a Policy Server. The labels defined follow
 // Kubernetes guidelines: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels

api/policies/v1/policyserver_webhook.go

@@ -131,6 +131,7 @@ func (v *policyServerValidator) validate(ctx context.Context, policyServer *Poli
 	}
 
 	allErrs = append(allErrs, validateLimitsAndRequests(policyServer.Spec.Limits, policyServer.Spec.Requests)...)
+	allErrs = append(allErrs, validatePorts(policyServer)...)
 
 	if len(allErrs) == 0 {
 		return nil
@@ -208,3 +209,38 @@ func validateLimitsAndRequests(limits, requests corev1.ResourceList) field.Error
 
 	return allErrs
 }
+
+// validatePorts checks that the port fields in the PolicyServer spec do not
+// conflict with each other. Effective ports (field value or constant default)
+// are compared so that partial overrides are also caught.
+func validatePorts(policyServer *PolicyServer) field.ErrorList {
+	var allErrs field.ErrorList
+
+	webhookPort := policyServer.EffectiveWebhookPort()
+	readinessPort := policyServer.EffectiveReadinessProbePort()
+	metricsPort := policyServer.EffectiveMetricsPort()
+
+	if webhookPort == readinessPort {
+		allErrs = append(allErrs, field.Invalid(
+			field.NewPath("spec").Child("readinessProbePort"),
+			readinessPort,
+			fmt.Sprintf("readinessProbePort must differ from webhookPort (%d)", webhookPort),
+		))
+	}
+	if webhookPort == metricsPort {
+		allErrs = append(allErrs, field.Invalid(
+			field.NewPath("spec").Child("metricsPort"),
+			metricsPort,
+			fmt.Sprintf("metricsPort must differ from webhookPort (%d)", webhookPort),
+		))
+	}
+	if readinessPort == metricsPort {
+		allErrs = append(allErrs, field.Invalid(
+			field.NewPath("spec").Child("metricsPort"),
+			metricsPort,
+			fmt.Sprintf("metricsPort must differ from readinessProbePort (%d)", readinessPort),
+		))
+	}
+
+	return allErrs
+}

api/policies/v1/policyserver_webhook_test.go

@@ -279,3 +279,80 @@ func TestPolicyServerValidateSigstoreTrustConfig(t *testing.T) {
 		})
 	}
 }
+
+func TestValidatePorts(t *testing.T) {
+	tests := []struct {
+		name        string
+		webhookPort *int32
+		readiness   *int32
+		metrics     *int32
+		errContains string
+	}{
+		{
+			name:        "all defaults, no conflict",
+			errContains: "",
+		},
+		{
+			name:        "webhookPort equals readinessProbePort",
+			webhookPort: ptr.To[int32](8081),
+			readiness:   ptr.To[int32](8081),
+			errContains: "readinessProbePort must differ from webhookPort",
+		},
+		{
+			name:        "webhookPort equals metricsPort",
+			webhookPort: ptr.To[int32](8080),
+			metrics:     ptr.To[int32](8080),
+			errContains: "metricsPort must differ from webhookPort",
+		},
+		{
+			name:        "readinessProbePort equals metricsPort",
+			readiness:   ptr.To[int32](9000),
+			metrics:     ptr.To[int32](9000),
+			errContains: "metricsPort must differ from readinessProbePort",
+		},
+		{
+			name:        "all three ports the same",
+			webhookPort: ptr.To[int32](9999),
+			readiness:   ptr.To[int32](9999),
+			metrics:     ptr.To[int32](9999),
+			errContains: "readinessProbePort must differ from webhookPort",
+		},
+		{
+			name:        "all three ports distinct custom values",
+			webhookPort: ptr.To[int32](9443),
+			readiness:   ptr.To[int32](9081),
+			metrics:     ptr.To[int32](9080),
+			errContains: "",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			k8sClient := fake.NewClientBuilder().Build()
+			builder := NewPolicyServerFactory()
+			if test.webhookPort != nil {
+				builder = builder.WithWebhookPort(*test.webhookPort)
+			}
+			if test.readiness != nil {
+				builder = builder.WithReadinessProbePort(*test.readiness)
+			}
+			if test.metrics != nil {
+				builder = builder.WithMetricsPort(*test.metrics)
+			}
+			policyServer := builder.Build()
+
+			validator := policyServerValidator{
+				deploymentsNamespace: "default",
+				k8sClient:            k8sClient,
+				logger:               logr.Discard(),
+			}
+			err := validator.validate(t.Context(), policyServer)
+
+			if test.errContains != "" {
+				require.ErrorContains(t, err, test.errContains)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}

api/policies/v1/zz_generated.deepcopy.go

@@ -181,3 +181,20 @@ are configured.
 - {{ .Values.auditScanner.reportCRDsKind }}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Compute the effective affinity for the controller deployment.
+Uses the controller-specific affinity if set, otherwise falls back to
+global.affinity for backward compatibility.
+
+NOTE: When hostNetwork is enabled, users are responsible for setting
+appropriate podAntiAffinity rules to prevent host-port conflicts between
+controller replicas on the same node.
+*/}}
+{{- define "kubewarden-controller.effectiveAffinity" -}}
+{{- if .Values.affinity -}}
+  {{- toYaml .Values.affinity -}}
+{{- else if .Values.global.affinity -}}
+  {{- toYaml .Values.global.affinity -}}
+{{- end -}}
+{{- end -}}

charts/kubewarden-controller/templates/_helpers.tpl

@@ -32,8 +32,9 @@ spec:
       {{- include "imagePullSecrets" .Values.imagePullSecrets | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "kubewarden-controller.serviceAccountName" . }}
-      {{- if .Values.global.affinity }}
-      affinity: {{ .Values.global.affinity | toYaml | nindent 8 }}
+      {{- $effectiveAffinity := include "kubewarden-controller.effectiveAffinity" . }}
+      {{- if $effectiveAffinity }}
+      affinity: {{ $effectiveAffinity | nindent 8 }}
       {{- end }}
       {{- if .Values.global.tolerations }}
       tolerations: {{ .Values.global.tolerations | toYaml | nindent 8 }}
@@ -45,12 +46,19 @@ spec:
       {{- if .Values.global.priorityClassName }}
       priorityClassName: {{ .Values.global.priorityClassName | toYaml | nindent 8 }}
       {{- end }}
+      {{- if .Values.hostNetwork }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      {{- end }}
       containers:
       - name: controller
         args:
         - --leader-elect
         - --deployments-namespace={{ .Release.Namespace }}
         - --webhook-service-name={{ include "kubewarden-controller.fullname" . }}-webhook-service
+        - --webhook-server-port={{ .Values.ports.webhook }}
+        - --health-probe-bind-address=:{{ .Values.ports.healthProbe }}
+        - --metrics-bind-address=:{{ .Values.ports.metrics }}
         {{- if .Values.alwaysAcceptAdmissionReviewsOnDeploymentsNamespace }}
         - --always-accept-admission-reviews-on-deployments-namespace
         {{- end }}
@@ -62,6 +70,9 @@ spec:
        {{- if $imagePullSecretNames }}
         - --image-pull-secrets={{ $imagePullSecretNames }}
        {{- end }}
+       {{- if .Values.hostNetwork }}
+        - --host-network
+       {{- end }}
        {{- if or .Values.telemetry.metrics .Values.telemetry.tracing }}
        {{- if eq .Values.telemetry.mode "sidecar" }}
         - --enable-otel-sidecar
@@ -117,13 +128,13 @@ spec:
         livenessProbe:
           httpGet:
             path: /healthz
-            port: 8081
+            port: {{ .Values.ports.healthProbe }}
           initialDelaySeconds: 15
           periodSeconds: 20
         readinessProbe:
           httpGet:
             path: /readyz
-            port: 8081
+            port: {{ .Values.ports.healthProbe }}
           initialDelaySeconds: 5
           periodSeconds: 10
         {{- if and .Values.resources .Values.resources.controller }}
@@ -154,7 +165,7 @@ spec:
           readOnly: true
         {{- end }}
         ports:
-        - containerPort: 9443
+        - containerPort: {{ .Values.ports.webhook }}
           name: webhook-server
           protocol: TCP
       volumes:

charts/kubewarden-controller/templates/deployment.yaml

@@ -13,11 +13,11 @@ spec:
   {{- if .Values.telemetry.metrics }}
   - name: metrics
     port: 8080
-    targetPort: 8080
+    targetPort: {{ .Values.ports.metrics }}
   {{- end}}
   - name: https
     port: 8443
-    targetPort: https
+    targetPort: {{ .Values.ports.webhook }}
   selector:
     {{- include "kubewarden-controller.selectorLabels" . | nindent 4 }}
 ---
@@ -33,6 +33,6 @@ metadata:
 spec:
   ports:
   - port: 443
-    targetPort: 9443
+    targetPort: {{ .Values.ports.webhook }}
   selector:
 {{- include "kubewarden-controller.selectorLabels" . | nindent 4 }}