feat(controller): support hostNetwork

This commit adds the support to enable host network in the Kubewarden
stack. This is done by enabling a CLI flag in the controller. Once this
is done, all the policy server deployments are configured to use host
network as well.

Furthermore, to allow user to fix port conflicts issues, 3 new fields
have been added to the policy server spec. This fields allow users to
define the ports to be used by the policy server deployment.

Assisted-by: Github Copilot
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

Author: jvanz

Makefile

@@ -54,6 +54,9 @@ helm-unittest:
 test-e2e: controller-image audit-scanner-image policy-server-image
 	$(GO_BUILD_ENV) go test ./e2e/ -v
 
+.PHONY: test-all
+test-all: test helm-unittest test-e2e
+
 .PHONY: fmt-go
 fmt-go:
 	$(GO_BUILD_ENV) go fmt ./...

api/policies/v1/factories.go

@@ -486,6 +486,9 @@ type PolicyServerBuilder struct {
 	limits                 corev1.ResourceList
 	requests               corev1.ResourceList
 	sigstoreTrustConfigMap string
+	webhookPort            *int32
+	readinessProbePort     *int32
+	metricsPort            *int32
 }
 
 func NewPolicyServerFactory() *PolicyServerBuilder {
@@ -529,6 +532,21 @@ func (f *PolicyServerBuilder) WithRequests(requests corev1.ResourceList) *Policy
 	return f
 }
 
+func (f *PolicyServerBuilder) WithWebhookPort(port int32) *PolicyServerBuilder {
+	f.webhookPort = &port
+	return f
+}
+
+func (f *PolicyServerBuilder) WithReadinessProbePort(port int32) *PolicyServerBuilder {
+	f.readinessProbePort = &port
+	return f
+}
+
+func (f *PolicyServerBuilder) WithMetricsPort(port int32) *PolicyServerBuilder {
+	f.metricsPort = &port
+	return f
+}
+
 func (f *PolicyServerBuilder) Build() *PolicyServer {
 	policyServer := PolicyServer{
 		ObjectMeta: metav1.ObjectMeta{
@@ -552,6 +570,9 @@ func (f *PolicyServerBuilder) Build() *PolicyServer {
 			Limits:              f.limits,
 			Requests:            f.requests,
 			SigstoreTrustConfig: f.sigstoreTrustConfigMap,
+			WebhookPort:         f.webhookPort,
+			ReadinessProbePort:  f.readinessProbePort,
+			MetricsPort:         f.metricsPort,
 			Env: []corev1.EnvVar{
 				{
 					Name:  "KUBEWARDEN_LOG_LEVEL",

api/policies/v1/policyserver_types.go

@@ -139,6 +139,28 @@ type PolicyServerSpec struct {
 	// remain unchanged, but new pods that reference it cannot be created.
 	// +optional
 	PriorityClassName string `json:"priorityClassName,omitempty"`
+
+	// Port where the policy server listens for incoming webhook requests.
+	// When unset, defaults to 8443. This is the port the Kubernetes API server
+	// reaches when evaluating admission requests.
+	// +optional
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=65535
+	WebhookPort *int32 `json:"webhookPort,omitempty"`
+
+	// Port used by the policy server to expose the readiness probe endpoint.
+	// When unset, defaults to 8081.
+	// +optional
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=65535
+	ReadinessProbePort *int32 `json:"readinessProbePort,omitempty"`
+
+	// Port used by the policy server to expose the metrics endpoint.
+	// When unset, defaults to 8080. Only relevant when metrics are enabled.
+	// +optional
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=65535
+	MetricsPort *int32 `json:"metricsPort,omitempty"`
 }
 
 type ReconciliationTransitionReason string
@@ -211,6 +233,33 @@ func (ps *PolicyServer) AppLabel() string {
 	return "kubewarden-" + ps.NameWithPrefix()
 }
 
+// EffectiveWebhookPort returns the port the policy server listens on for
+// admission webhook requests, using the CRD field when set or the default constant.
+func (ps *PolicyServer) EffectiveWebhookPort() int32 {
+	if ps.Spec.WebhookPort != nil {
+		return *ps.Spec.WebhookPort
+	}
+	return constants.PolicyServerListenPort
+}
+
+// EffectiveReadinessProbePort returns the port used for the readiness probe,
+// using the CRD field when set or the default constant.
+func (ps *PolicyServer) EffectiveReadinessProbePort() int32 {
+	if ps.Spec.ReadinessProbePort != nil {
+		return *ps.Spec.ReadinessProbePort
+	}
+	return constants.PolicyServerReadinessProbePort
+}
+
+// EffectiveMetricsPort returns the port used to expose the metrics endpoint,
+// using the CRD field when set or the default constant.
+func (ps *PolicyServer) EffectiveMetricsPort() int32 {
+	if ps.Spec.MetricsPort != nil {
+		return *ps.Spec.MetricsPort
+	}
+	return constants.PolicyServerMetricsPort
+}
+
 // CommonLabels returns the common labels to be used with the resources
 // associated to a Policy Server. The labels defined follow
 // Kubernetes guidelines: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels

api/policies/v1/policyserver_webhook.go

@@ -131,6 +131,7 @@ func (v *policyServerValidator) validate(ctx context.Context, policyServer *Poli
 	}
 
 	allErrs = append(allErrs, validateLimitsAndRequests(policyServer.Spec.Limits, policyServer.Spec.Requests)...)
+	allErrs = append(allErrs, validatePorts(policyServer)...)
 
 	if len(allErrs) == 0 {
 		return nil
@@ -208,3 +209,38 @@ func validateLimitsAndRequests(limits, requests corev1.ResourceList) field.Error
 
 	return allErrs
 }
+
+// validatePorts checks that the port fields in the PolicyServer spec do not
+// conflict with each other. Effective ports (field value or constant default)
+// are compared so that partial overrides are also caught.
+func validatePorts(policyServer *PolicyServer) field.ErrorList {
+	var allErrs field.ErrorList
+
+	webhookPort := policyServer.EffectiveWebhookPort()
+	readinessPort := policyServer.EffectiveReadinessProbePort()
+	metricsPort := policyServer.EffectiveMetricsPort()
+
+	if webhookPort == readinessPort {
+		allErrs = append(allErrs, field.Invalid(
+			field.NewPath("spec").Child("readinessProbePort"),
+			readinessPort,
+			fmt.Sprintf("readinessProbePort must differ from webhookPort (%d)", webhookPort),
+		))
+	}
+	if webhookPort == metricsPort {
+		allErrs = append(allErrs, field.Invalid(
+			field.NewPath("spec").Child("metricsPort"),
+			metricsPort,
+			fmt.Sprintf("metricsPort must differ from webhookPort (%d)", webhookPort),
+		))
+	}
+	if readinessPort == metricsPort {
+		allErrs = append(allErrs, field.Invalid(
+			field.NewPath("spec").Child("metricsPort"),
+			metricsPort,
+			fmt.Sprintf("metricsPort must differ from readinessProbePort (%d)", readinessPort),
+		))
+	}
+
+	return allErrs
+}

api/policies/v1/policyserver_webhook_test.go

@@ -279,3 +279,80 @@ func TestPolicyServerValidateSigstoreTrustConfig(t *testing.T) {
 		})
 	}
 }
+
+func TestValidatePorts(t *testing.T) {
+	tests := []struct {
+		name        string
+		webhookPort *int32
+		readiness   *int32
+		metrics     *int32
+		errContains string
+	}{
+		{
+			name:        "all defaults, no conflict",
+			errContains: "",
+		},
+		{
+			name:        "webhookPort equals readinessProbePort",
+			webhookPort: ptr.To[int32](8081),
+			readiness:   ptr.To[int32](8081),
+			errContains: "readinessProbePort must differ from webhookPort",
+		},
+		{
+			name:        "webhookPort equals metricsPort",
+			webhookPort: ptr.To[int32](8080),
+			metrics:     ptr.To[int32](8080),
+			errContains: "metricsPort must differ from webhookPort",
+		},
+		{
+			name:        "readinessProbePort equals metricsPort",
+			readiness:   ptr.To[int32](9000),
+			metrics:     ptr.To[int32](9000),
+			errContains: "metricsPort must differ from readinessProbePort",
+		},
+		{
+			name:        "all three ports the same",
+			webhookPort: ptr.To[int32](9999),
+			readiness:   ptr.To[int32](9999),
+			metrics:     ptr.To[int32](9999),
+			errContains: "readinessProbePort must differ from webhookPort",
+		},
+		{
+			name:        "all three ports distinct custom values",
+			webhookPort: ptr.To[int32](9443),
+			readiness:   ptr.To[int32](9081),
+			metrics:     ptr.To[int32](9080),
+			errContains: "",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			k8sClient := fake.NewClientBuilder().Build()
+			builder := NewPolicyServerFactory()
+			if test.webhookPort != nil {
+				builder = builder.WithWebhookPort(*test.webhookPort)
+			}
+			if test.readiness != nil {
+				builder = builder.WithReadinessProbePort(*test.readiness)
+			}
+			if test.metrics != nil {
+				builder = builder.WithMetricsPort(*test.metrics)
+			}
+			policyServer := builder.Build()
+
+			validator := policyServerValidator{
+				deploymentsNamespace: "default",
+				k8sClient:            k8sClient,
+				logger:               logr.Discard(),
+			}
+			err := validator.validate(t.Context(), policyServer)
+
+			if test.errContains != "" {
+				require.ErrorContains(t, err, test.errContains)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}

api/policies/v1/zz_generated.deepcopy.go

@@ -181,3 +181,20 @@ are configured.
 - {{ .Values.auditScanner.reportCRDsKind }}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Compute the effective affinity for the controller deployment.
+Uses the controller-specific affinity if set, otherwise falls back to
+global.affinity for backward compatibility.
+
+NOTE: When hostNetwork is enabled, users are responsible for setting
+appropriate podAntiAffinity rules to prevent host-port conflicts between
+controller replicas on the same node.
+*/}}
+{{- define "kubewarden-controller.effectiveAffinity" -}}
+{{- if .Values.affinity -}}
+  {{- toYaml .Values.affinity -}}
+{{- else if .Values.global.affinity -}}
+  {{- toYaml .Values.global.affinity -}}
+{{- end -}}
+{{- end -}}

charts/kubewarden-controller/templates/_helpers.tpl

@@ -32,8 +32,9 @@ spec:
       {{- include "imagePullSecrets" .Values.imagePullSecrets | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "kubewarden-controller.serviceAccountName" . }}
-      {{- if .Values.global.affinity }}
-      affinity: {{ .Values.global.affinity | toYaml | nindent 8 }}
+      {{- $effectiveAffinity := include "kubewarden-controller.effectiveAffinity" . }}
+      {{- if $effectiveAffinity }}
+      affinity: {{ $effectiveAffinity | nindent 8 }}
       {{- end }}
       {{- if .Values.global.tolerations }}
       tolerations: {{ .Values.global.tolerations | toYaml | nindent 8 }}
@@ -45,12 +46,19 @@ spec:
       {{- if .Values.global.priorityClassName }}
       priorityClassName: {{ .Values.global.priorityClassName | toYaml | nindent 8 }}
       {{- end }}
+      {{- if .Values.hostNetwork }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      {{- end }}
       containers:
       - name: controller
         args:
         - --leader-elect
         - --deployments-namespace={{ .Release.Namespace }}
         - --webhook-service-name={{ include "kubewarden-controller.fullname" . }}-webhook-service
+        - --webhook-server-port={{ .Values.ports.webhook }}
+        - --health-probe-bind-address=:{{ .Values.ports.healthProbe }}
+        - --metrics-bind-address=:{{ .Values.ports.metrics }}
         {{- if .Values.alwaysAcceptAdmissionReviewsOnDeploymentsNamespace }}
         - --always-accept-admission-reviews-on-deployments-namespace
         {{- end }}
@@ -62,6 +70,9 @@ spec:
        {{- if $imagePullSecretNames }}
         - --image-pull-secrets={{ $imagePullSecretNames }}
        {{- end }}
+       {{- if .Values.hostNetwork }}
+        - --host-network
+       {{- end }}
        {{- if or .Values.telemetry.metrics .Values.telemetry.tracing }}
        {{- if eq .Values.telemetry.mode "sidecar" }}
         - --enable-otel-sidecar
@@ -117,13 +128,13 @@ spec:
         livenessProbe:
           httpGet:
             path: /healthz
-            port: 8081
+            port: {{ .Values.ports.healthProbe }}
           initialDelaySeconds: 15
           periodSeconds: 20
         readinessProbe:
           httpGet:
             path: /readyz
-            port: 8081
+            port: {{ .Values.ports.healthProbe }}
           initialDelaySeconds: 5
           periodSeconds: 10
         {{- if and .Values.resources .Values.resources.controller }}
@@ -154,7 +165,7 @@ spec:
           readOnly: true
         {{- end }}
         ports:
-        - containerPort: 9443
+        - containerPort: {{ .Values.ports.webhook }}
           name: webhook-server
           protocol: TCP
       volumes:

charts/kubewarden-controller/templates/deployment.yaml

@@ -13,11 +13,11 @@ spec:
   {{- if .Values.telemetry.metrics }}
   - name: metrics
     port: 8080
-    targetPort: 8080
+    targetPort: {{ .Values.ports.metrics }}
   {{- end}}
   - name: https
     port: 8443
-    targetPort: https
+    targetPort: {{ .Values.ports.webhook }}
   selector:
     {{- include "kubewarden-controller.selectorLabels" . | nindent 4 }}
 ---
@@ -33,6 +33,6 @@ metadata:
 spec:
   ports:
   - port: 443
-    targetPort: 9443
+    targetPort: {{ .Values.ports.webhook }}
   selector:
 {{- include "kubewarden-controller.selectorLabels" . | nindent 4 }}