openshift · isabella-janssen · Mar 9, 2026 · Mar 10, 2026 · Mar 10, 2026 · coderabbitai
diff --git a/install/0000_80_machine-config_00_networkpolicy-kube-rbac-proxy-crio.yaml b/install/0000_80_machine-config_00_networkpolicy-kube-rbac-proxy-crio.yaml
@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: kube-rbac-proxy-crio-deny-all
+  namespace: openshift-machine-config-operator
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  podSelector:
+    matchLabels:
+      k8s-app: kube-rbac-proxy-crio
+  policyTypes:
+  - Ingress
+  - Egress
diff --git a/manifests/machineconfigdaemon/networkpolicy.yaml b/manifests/machineconfigdaemon/networkpolicy.yaml
@@ -0,0 +1,12 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: machine-config-daemon-deny-all
+  namespace: {{.TargetNamespace}}
+spec:
+  podSelector:
+    matchLabels:
+      k8s-app: machine-config-daemon
+  policyTypes:
+  - Ingress
+  - Egress
diff --git a/manifests/machineconfigserver/networkpolicy.yaml b/manifests/machineconfigserver/networkpolicy.yaml
@@ -0,0 +1,12 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: machine-config-server-deny-all
+  namespace: {{.TargetNamespace}}
+spec:
+  podSelector:
+    matchLabels:
+      k8s-app: machine-config-server
+  policyTypes:
+  - Ingress
+  - Egress