Skip to content

NE-1476: Added network policies for the router #1263

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

NE-1476: Added network policies for the router #1263

wants to merge 1 commit into from

Conversation

knobunc
Copy link

@knobunc knobunc commented Aug 11, 2025

Added the framework for network policies for the router.

The operator has a deny all network policy that for the openshift-ingress-operator namespace and an allow policy for egress to the apiserver and dns ports at any IP.

The operator installs a deny all network policy for the openshift-ingress namespace.

Then for each ingresscontroller that it manages it installs an allow policy for ingress for http and https traffic and metrics.

It has to allow ingress from the router pods to any IP because the route endpoints can be at any ip or pod.

It also needs access to the api server, but that is covered by the wildcard allow policy.

https://issues.redhat.com/browse/NE-1476

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Aug 11, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Aug 11, 2025
edited by openshift-ci bot
Loading

@knobunc: This pull request references NE-1476 which is a valid jira issue.

In response to this:

Added the framework for network policies for the router.

The operator has a deny all network policy that for the openshift-ingress-operator namespace and an allow policy for egress to the apiserver and dns ports at any IP.

The operator installs a deny all network policy for the openshift-ingress namespace.

Then for each ingresscontroller that it manages it installs an allow policy for ingress for http and https traffic and metrics.

It has to allow ingress from the router pods to any IP because the route endpoints can be at any ip or pod.

It also needs access to the api server, but that is covered by the wildcard allow policy.

https://issues.redhat.com/browse/NE-1476

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@knobunc knobunc added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 11, 2025
@knobunc knobunc force-pushed the NE-1476-Network-Policies-For-Router branch from 9a40cd0 to b8fc7f7 Compare August 11, 2025 15:36
@openshift-ci openshift-ci bot requested review from Miciah and rfredette August 11, 2025 15:39
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Aug 11, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rfredette for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knobunc knobunc force-pushed the NE-1476-Network-Policies-For-Router branch 2 times, most recently from b392321 to 777addf Compare August 11, 2025 16:18
@knobunc
Copy link
Author

knobunc commented Aug 11, 2025

/retest-required

@knobunc knobunc force-pushed the NE-1476-Network-Policies-For-Router branch 5 times, most recently from 71e5e0a to abb8394 Compare August 13, 2025 01:54
@knobunc
NE-1476: Added network policies for the router
cf93ea5 
Added the framework for network policies for the router.

The operator has a deny all network policy that for the openshift-ingress-operator namespace and an allow policy for egress to the apiserver and dns ports at any IP.

The operator installs a deny all network policy for the openshift-ingress namespace.

Then for each ingresscontroller that it manages it installs an allow policy for ingress for http and https traffic and metrics.

It has to allow ingress from the router pods to any IP because the route endpoints can be at any ip or pod.

It also needs access to the api server, but that is covered by the wildcard allow policy.

https://issues.redhat.com/browse/NE-1476
@knobunc knobunc force-pushed the NE-1476-Network-Policies-For-Router branch from abb8394 to cf93ea5 Compare August 13, 2025 14:41
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Aug 13, 2025

@knobunc: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-gatewayapi-conformance 777addf link false /test e2e-aws-gatewayapi-conformance
ci/prow/e2e-aws-operator-techpreview cf93ea5 link false /test e2e-aws-operator-techpreview
ci/prow/e2e-aws-ovn-single-node cf93ea5 link false /test e2e-aws-ovn-single-node
ci/prow/e2e-aws-ovn-techpreview cf93ea5 link false /test e2e-aws-ovn-techpreview
ci/prow/okd-scos-e2e-aws-ovn cf93ea5 link false /test okd-scos-e2e-aws-ovn
ci/prow/e2e-gcp-ovn cf93ea5 link false /test e2e-gcp-ovn
ci/prow/e2e-azure-ovn cf93ea5 link false /test e2e-azure-ovn
ci/prow/e2e-aws-operator cf93ea5 link true /test e2e-aws-operator
ci/prow/e2e-gcp-operator cf93ea5 link true /test e2e-gcp-operator
ci/prow/e2e-aws-ovn-hypershift-conformance cf93ea5 link true /test e2e-aws-ovn-hypershift-conformance
ci/prow/e2e-aws-ovn cf93ea5 link true /test e2e-aws-ovn
ci/prow/e2e-azure-operator cf93ea5 link true /test e2e-azure-operator

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@candita
Copy link
Contributor

candita commented Aug 18, 2025

@knobunc the e2e-gcp-operator CI tests are failing with:

failed to create RBAC objects: could not create role "e2e-gcp-operator": Timeout: request did not complete within requested timeout - context deadline exceeded}

@knobunc
Copy link
Author

knobunc commented Aug 19, 2025
edited
Loading

@candita thanks. I've been focusing on the e2e-aws-ovn tests and those are consistently failing on:
[sig-network-edge][OCPFeatureGate:GatewayAPIController][Feature:Router][apigroup:gateway.networking.k8s.io] Ensure HTTPRoute object is created [Suite:openshift/conformance/parallel]

I am pretty sure the issue is that the test is creating a pod and it is unreachable without policy, but I haven't had time to chase it all the way down yet.

@lihongan
Copy link
Contributor

cc @melvinjoseph86

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Miciah Miciah Awaiting requested review from Miciah

@rfredette rfredette Awaiting requested review from rfredette

Assignees
No one assigned
Labels
do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@knobunc @openshift-ci-robot @candita @lihongan