add NetworkPolicy support to operator installation

Apply three default NetworkPolicies to every operator namespace
(except openshift-operators): allow intra-namespace traffic, allow
ingress from cluster nodes for admission webhook access, and allow
ingress from the OpenShift monitoring stack.

Operators can opt out of all default policies via the new
disableDefaultNetworkPolicies flag, and opt in to additional
cross-namespace ingress policies via allowIngressFrom (a list of
name/namespaceSelector pairs). The schema forbids combining
allowIngressFrom with disableDefaultNetworkPolicies: true, since
disabling defaults while selectively re-allowing traffic is
semantically inconsistent.

Operators with exposed routes (quay-operator, ACM, cincinnati,
pipelines, ODF, LVMS) are configured with allowIngressFrom for the
OpenShift ingress namespace. MCE and ACM are configured with
bidirectional allowIngressFrom to preserve east-west traffic between
the two operators that collaborate at runtime.

cert-manager and openshift-gitops require policies in secondary
namespaces (cert-manager and openshift-gitops) that are created by
the operators themselves rather than by the generic installation
task; these are handled in each operator's own tasks.yaml.

The kube-apiserver NetworkPolicy uses ipBlock with machineNetwork
rather than a namespaceSelector for openshift-kube-apiserver.
kube-apiserver pods run with hostNetwork: true in OpenShift, meaning
their traffic originates from node IPs rather than pod-network
addresses. A namespaceSelector only matches pod-network traffic, so
it silently failed to allow webhook calls, leaving the implicit deny
in place and causing context deadline exceeded errors when creating
resources with admission webhooks (observed with the OCM webhook at
ocm-webhook.multicluster-engine.svc:443). Using ipBlock with
machineNetwork correctly covers all cluster nodes including the
control plane.

Signed-off-by: Rafa Porres Molina <rporresm@redhat.com>
Assisted-by: Claude <noreply@anthropic.com>

Author: rporres

defaults/operators.yaml

@@ -7,20 +7,39 @@ operators:
     init_version: 3.15.0
     namespace: quay-enterprise
     source: cs-redhat-operator-index-v4-20
+    allowIngressFrom:
+      - name: ingress
+        namespaceSelector:
+          matchLabels:
+            network.openshift.io/policy-group: ingress
 
   - name: multicluster-engine
     version: 2.10.1
     channel: stable-2.10
     init_version: 2.10.0
     namespace: multicluster-engine
     source: cs-redhat-operator-index-v4-20
+    allowIngressFrom:
+      - name: acm
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: open-cluster-management
 
   - name: advanced-cluster-management
     version: 2.15.1
     channel: release-2.15
     init_version: 2.15.0
     namespace: open-cluster-management
     source: cs-redhat-operator-index-v4-20
+    allowIngressFrom:
+      - name: ingress
+        namespaceSelector:
+          matchLabels:
+            network.openshift.io/policy-group: ingress
+      - name: mce
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: multicluster-engine
 
   - name: cincinnati-operator
     version: 5.0.3
@@ -30,6 +49,11 @@ operators:
     source: cs-redhat-operator-index-v4-20
     csvNames:
       - update-service-operator
+    allowIngressFrom:
+      - name: ingress
+        namespaceSelector:
+          matchLabels:
+            network.openshift.io/policy-group: ingress
 
   - name: openshift-gitops-operator
     version: 1.19.2
@@ -46,6 +70,11 @@ operators:
     namespace: openshift-pipelines
     source: cs-redhat-operator-index-v4-20
     global: true
+    allowIngressFrom:
+      - name: ingress
+        namespaceSelector:
+          matchLabels:
+            network.openshift.io/policy-group: ingress
 
   - name: netobserv-operator
     version: 1.11.0

defaults/storage_operators.yaml

@@ -0,0 +1,41 @@
+storage_operators:  # Install operator depending blockStorageBackend variable
+  odf:
+    - name: odf-operator
+      version: 4.20.7-rhodf
+      channel: stable-4.20
+      init_version: 4.20.7-rhodf
+      namespace: openshift-storage
+      source: cs-redhat-operator-index-v4-20
+      csvNames:
+        - odf-operator
+        - odf-dependencies
+        - odf-csi-addons-operator
+        - rook-ceph-operator
+        - ocs-operator
+        - recipe
+        - mcg-operator
+        - odf-prometheus-operator
+        - ocs-client-operator
+        - cephcsi-operator
+        - odf-external-snapshotter-operator
+      csvMirror: true
+      extraMirrorPackages:
+        - odr-cluster-operator
+        - odr-hub-operator
+      allowIngressFrom:
+        - name: ingress
+          namespaceSelector:
+            matchLabels:
+              network.openshift.io/policy-group: ingress
+  lvms:
+    - name: lvms-operator
+      version: 4.20.0
+      channel: stable-4.20
+      init_version: 4.20.0
+      namespace: openshift-storage
+      source: cs-redhat-operator-index-v4-20
+      allowIngressFrom:
+        - name: ingress
+          namespaceSelector:
+            matchLabels:
+              network.openshift.io/policy-group: ingress

operators/openshift-cert-manager-operator/tasks.yaml

@@ -1,4 +1,58 @@
 ---
+- name: "Ensure same-namespace NetworkPolicy exists in cert-manager"
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: networking.k8s.io/v1
+      kind: NetworkPolicy
+      metadata:
+        name: allow-from-same-namespace
+        namespace: cert-manager
+      spec:
+        podSelector: {}
+        ingress:
+          - from:
+              - podSelector: {}
+        policyTypes:
+          - Ingress
+
+- name: "Ensure monitoring can reach cert-manager"
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: networking.k8s.io/v1
+      kind: NetworkPolicy
+      metadata:
+        name: allow-ingress-from-monitoring
+        namespace: cert-manager
+      spec:
+        podSelector: {}
+        ingress:
+          - from:
+              - namespaceSelector:
+                  matchLabels:
+                    network.openshift.io/policy-group: monitoring
+        policyTypes:
+          - Ingress
+
+- name: "Ensure kube-apiserver can reach cert-manager webhook"
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: networking.k8s.io/v1
+      kind: NetworkPolicy
+      metadata:
+        name: allow-ingress-from-kube-apiserver
+        namespace: cert-manager
+      spec:
+        podSelector: {}
+        ingress:
+          - from:
+              - ipBlock:
+                  cidr: "{{ machineNetwork }}"
+        policyTypes:
+          - Ingress
+
 - name: Patch CertManager to set resources
   kubernetes.core.k8s:
     state: patched

operators/openshift-gitops-operator/tasks.yaml

@@ -1,3 +1,77 @@
 ---
-- ansible.builtin.debug: 
-    msg: "Operator configured properly, no further actions"
+# The gitops operator creates the openshift-gitops namespace where ArgoCD
+# components run. NetworkPolicies must be applied here separately since
+# configure_operator.yaml only manages the operator namespace
+# (openshift-gitops-operator).
+- name: "Ensure same-namespace NetworkPolicy exists in openshift-gitops"
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: networking.k8s.io/v1
+      kind: NetworkPolicy
+      metadata:
+        name: allow-from-same-namespace
+        namespace: openshift-gitops
+      spec:
+        podSelector: {}
+        ingress:
+          - from:
+              - podSelector: {}
+        policyTypes:
+          - Ingress
+
+- name: "Ensure kube-apiserver can reach openshift-gitops webhooks"
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: networking.k8s.io/v1
+      kind: NetworkPolicy
+      metadata:
+        name: allow-ingress-from-kube-apiserver
+        namespace: openshift-gitops
+      spec:
+        podSelector: {}
+        ingress:
+          - from:
+              - ipBlock:
+                  cidr: "{{ machineNetwork }}"
+        policyTypes:
+          - Ingress
+
+- name: "Ensure monitoring can reach openshift-gitops"
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: networking.k8s.io/v1
+      kind: NetworkPolicy
+      metadata:
+        name: allow-ingress-from-monitoring
+        namespace: openshift-gitops
+      spec:
+        podSelector: {}
+        ingress:
+          - from:
+              - namespaceSelector:
+                  matchLabels:
+                    network.openshift.io/policy-group: monitoring
+        policyTypes:
+          - Ingress
+
+- name: "Ensure ingress can reach openshift-gitops"
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: networking.k8s.io/v1
+      kind: NetworkPolicy
+      metadata:
+        name: allow-ingress-from-ingress
+        namespace: openshift-gitops
+      spec:
+        podSelector: {}
+        ingress:
+          - from:
+              - namespaceSelector:
+                  matchLabels:
+                    network.openshift.io/policy-group: ingress
+        policyTypes:
+          - Ingress

playbooks/tasks/configure_operator.yaml

@@ -10,6 +10,109 @@
   delay: "{{ k8s_delay }}"
   until: r_namespace_exists is success
 
+- name: "Ensure same-namespace NetworkPolicy exists"
+  when:
+    - operator.namespace != "openshift-operators"
+    - not (operator.disableDefaultNetworkPolicies | default(false))
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: networking.k8s.io/v1
+      kind: NetworkPolicy
+      metadata:
+        name: allow-from-same-namespace
+        namespace: "{{ operator.namespace }}"
+      spec:
+        podSelector: {}
+        ingress:
+          - from:
+              - podSelector: {}
+        policyTypes:
+          - Ingress
+  register: r_same_namespace_netpol
+  retries: "{{ k8s_retries }}"
+  delay: "{{ k8s_delay }}"
+  until: r_same_namespace_netpol is success
+
+- name: "Ensure kube-apiserver NetworkPolicy exists"
+  when:
+    - operator.namespace != "openshift-operators"
+    - not (operator.disableDefaultNetworkPolicies | default(false))
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: networking.k8s.io/v1
+      kind: NetworkPolicy
+      metadata:
+        name: allow-ingress-from-kube-apiserver
+        namespace: "{{ operator.namespace }}"
+      spec:
+        podSelector: {}
+        ingress:
+          - from:
+              - ipBlock:
+                  cidr: "{{ machineNetwork }}"
+        policyTypes:
+          - Ingress
+  register: r_kube_apiserver_netpol
+  retries: "{{ k8s_retries }}"
+  delay: "{{ k8s_delay }}"
+  until: r_kube_apiserver_netpol is success
+
+- name: "Ensure monitoring NetworkPolicy exists"
+  when:
+    - operator.namespace != "openshift-operators"
+    - not (operator.disableDefaultNetworkPolicies | default(false))
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: networking.k8s.io/v1
+      kind: NetworkPolicy
+      metadata:
+        name: allow-ingress-from-monitoring
+        namespace: "{{ operator.namespace }}"
+      spec:
+        podSelector: {}
+        ingress:
+          - from:
+              - namespaceSelector:
+                  matchLabels:
+                    network.openshift.io/policy-group: monitoring
+        policyTypes:
+          - Ingress
+  register: r_monitoring_netpol
+  retries: "{{ k8s_retries }}"
+  delay: "{{ k8s_delay }}"
+  until: r_monitoring_netpol is success
+
+- name: "Ensure ingress NetworkPolicies exist"
+  when:
+    - operator.namespace != "openshift-operators"
+    - not (operator.disableDefaultNetworkPolicies | default(false))
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: networking.k8s.io/v1
+      kind: NetworkPolicy
+      metadata:
+        name: "allow-ingress-from-{{ item.name }}"
+        namespace: "{{ operator.namespace }}"
+      spec:
+        podSelector: {}
+        ingress:
+          - from:
+              - namespaceSelector:
+                  matchLabels: "{{ item.namespaceSelector.matchLabels }}"
+        policyTypes:
+          - Ingress
+  loop: "{{ operator.allowIngressFrom | default([]) }}"
+  loop_control:
+    label: "{{ item.name }}"
+  register: r_ingress_netpols
+  retries: "{{ k8s_retries }}"
+  delay: "{{ k8s_delay }}"
+  until: r_ingress_netpols is success
+
 - name: "Check if OperatorGroup already exists in namespace"
   when: operator.namespace != "openshift-operators"
   kubernetes.core.k8s_info:

schemas/operators.yaml

@@ -41,6 +41,43 @@ definitions:
       global:
         type: boolean
         description: Configure operator to watch the entire cluster.
+      disableDefaultNetworkPolicies:
+        type: boolean
+        description: >-
+          Opt out of all three default NetworkPolicies: allow-from-same-namespace,
+          allow-ingress-from-kube-apiserver, and allow-ingress-from-monitoring.
+          When true, no default ingress rules are created and allowIngressFrom is forbidden.
+      allowIngressFrom:
+        type: array
+        description: Additional ingress NetworkPolicies based on namespace label selectors.
+        items:
+          type: object
+          additionalProperties: false
+          required:
+            - name
+            - namespaceSelector
+          properties:
+            name:
+              type: string
+              description: Identifier used to name the NetworkPolicy (allow-ingress-from-<name>).
+            namespaceSelector:
+              type: object
+              additionalProperties: false
+              required:
+                - matchLabels
+              properties:
+                matchLabels:
+                  type: object
+                  description: Label selector to match source namespaces.
+    if:
+      required:
+        - disableDefaultNetworkPolicies
+      properties:
+        disableDefaultNetworkPolicies:
+          const: true
+    then:
+      properties:
+        allowIngressFrom: false
     dependencies:
       csvMirror:
       - csvNames