-
Notifications
You must be signed in to change notification settings - Fork 576
deploy/chart: add static NetworkPolicies for CatalogSource gRPC ingress and bundle unpack egress #3863
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
deploy/chart: add static NetworkPolicies for CatalogSource gRPC ingress and bundle unpack egress #3863
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -85,3 +85,41 @@ spec: | |
| - { } | ||
| egress: | ||
| - { } | ||
| --- | ||
| # Complements per-CatalogSource NPs from the controller; covers the bootstrapping window before reconciliation. | ||
| apiVersion: networking.k8s.io/v1 | ||
| kind: NetworkPolicy | ||
| metadata: | ||
| name: catalog-source-grpc-server | ||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. NP name collision risk The dynamic NP uses Since they have different specs ( Consider prefixing the static NP name, e.g.
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The only way to truly de-fang this challenge is to use a unique construction, which would make an accidental overlap less likely but do nothing to prevent a bad actor from seeing the public construction details and manufacturing a conflict. So how likely do we feel this would be? Do we think that we could dump the resources on the cluster and see that there's a catalogsource called 'catalog-source' and determine the network policies are impacting? I don't want to underplay this, but I'd like to understand the goal here. Just using a more complex or static name does not avoid the issue. |
||
| namespace: {{ .Values.catalog_namespace }} | ||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. NPs become no-ops when The The bootstrap gap these NPs are meant to close remains open in split-namespace configurations. Options:
|
||
| spec: | ||
| podSelector: | ||
| matchExpressions: | ||
| - key: olm.catalogSource | ||
| operator: Exists | ||
| policyTypes: | ||
| - Ingress | ||
| ingress: | ||
| - ports: | ||
| - protocol: TCP | ||
| port: {{ .Values.catalogGrpcPodPort }} | ||
| --- | ||
| # Wildcard egress; API server port omitted intentionally — it is implementation-defined and not statically knowable. | ||
| apiVersion: networking.k8s.io/v1 | ||
| kind: NetworkPolicy | ||
| metadata: | ||
| name: bundle-unpack-egress | ||
| namespace: {{ .Values.catalog_namespace }} | ||
| spec: | ||
| podSelector: | ||
| matchExpressions: | ||
| - key: operatorframework.io/bundle-unpack-ref | ||
| operator: Exists | ||
| - key: olm.managed | ||
| operator: In | ||
| values: | ||
| - "true" | ||
| policyTypes: | ||
| - Egress | ||
| egress: | ||
| - { } | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Static broad-selector NPs persist permanently and cannot be narrowed by the controller
This NP allows TCP ingress on
catalogGrpcPodPortfrom any source (nofromrestriction) for all pods with theolm.catalogSourcelabel (Existsmatch). Since Kubernetes NetworkPolicies are additive (union semantics), if the controller later tightens its per-CatalogSource NPs to restrict ingress to specific source pods (e.g., only fromcatalog-operator), this static NP silently defeats that restriction — and the controller has no code path to delete or update Helm-managed resources.This is acceptable if the ingress source is intentionally unrestricted long-term. Worth noting as a design constraint.