Opt-in for network-policies provided by hco-bundle for CNAO and its components pods #2341
The hco-bundle should provide network-policies allowing operators to work as expected under network restrictions (global deny-all network-policy). The provided NPs affect pods that have the appropriate labels. Opt in for hco-bundle NPs by adding the following labels:
1. hco.kubevirt.io/allow-access-cluster-services
Allow CNAO pods egress access to the cluster API and DNS.
2. hco.kubevirt.io/allow-prometheus-access
Allow Prometheus pods ingress to the metrics endpoint.
With this change the manifest-templator & csv-gen should produce the project Deployment and CSV with the above labels, allowing CNAO to operate under network restrictions when installed by HCO.
Signed-off-by: Or Mergi <ormergi@redhat.com>
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
The hco-bundle should provide network-policies allowing operators to work as expected under network restrictions (global deny-all network-policy). The provided NPs affect pods that have the appropriate labels. Opt in for hco-bundle NPs by adding the following labels:
1. hco.kubevirt.io/allow-access-cluster-services
Allow KMP pods egress access to the cluster API and DNS.
2. hco.kubevirt.io/allow-prometheus-access
Allow Prometheus pods ingress to the controller-manager metrics endpoint.
With this change CNAO should generate and install kubemacpool manifests with the above labels, allowing kubemacpool to operate under network restrictions when installed by CNAO and HCO.
Signed-off-by: Or Mergi <ormergi@redhat.com>
The hco-bundle should provide network-policies allowing operators to work as expected under network restrictions (global deny-all network-policy). The provided NPs affect pods that have the appropriate labels. Opt in for hco-bundle NPs by adding the "hco.kubevirt.io/allow-access-cluster-services" label. It allows kube-secondary-dns pods to access the cluster API and DNS. With this change CNAO should generate and install kube-secondary-dns manifests with the above label, allowing kube-secondary-dns to operate under network restrictions when installed by CNAO and HCO.
Signed-off-by: Or Mergi <ormergi@redhat.com>
The hco-bundle should provide network-policies allowing operators to work as expected under network restrictions (global deny-all network-policy). The provided NPs affect pods that have the appropriate labels. Opt in for hco-bundle NPs by adding the "hco.kubevirt.io/allow-access-cluster-services" label. It allows kubevirt-ipam-controller pods to access the cluster API and DNS. With this change CNAO should generate and install kubevirt-ipam-controller manifests with the above label, allowing kubevirt-ipam-controller to operate under network restrictions when installed by CNAO and HCO.
Signed-off-by: Or Mergi <ormergi@redhat.com>
@nunnatsa could you please confirm this PR adds the correct labels?
The labels look good. Still need detailed review if the right pods got the right labels.
What this PR does / why we need it:
Enable the CNAO operator and its operand pods to operate when network restrictions in the form of a default deny-all network-policy are in place, when managed by HCO.
The hco-bundle should provide network-policies allowing its operands to work when network restrictions are in place.
In order to opt in pods for the provided network-policies, the pods should be labeled with the following labels:
1. hco.kubevirt.io/allow-access-cluster-services
Allow access to the cluster API and DNS.
This is a fundamental requirement for a k8s controller to operate; it is required for the following components:
2. hco.kubevirt.io/allow-prometheus-access
Allow Prometheus pods ingress to the metrics endpoint.
Required by CNAO operator pods, allowing Prometheus to scrape CNAO metrics.
With this change the project manifest-templator and csv-gen tools should produce the project Deployment and CSV with the above labels, allowing CNAO to operate under network restrictions when managed by HCO.
In addition, CNAO should generate and install kubemacpool, kubevirt-ipam-controller and kube-secondary-dns with the above labels, allowing them to operate under network restrictions when managed by CNAO and HCO.
Special notes for your reviewer:
Release note:
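The review question above ("did the right pods get the right labels?") can be checked mechanically. As an added example that is not code from this PR, CNAO or hco-bundle, the script below audits rendered workload manifests for the two opt-in label keys, looking at the pod template rather than the Deployment's own metadata, because a NetworkPolicy podSelector matches Pod labels only. Workload names, manifest shapes and the "true" label values are constructed for illustration; the page names only the label keys.

```python
"""Added example, not code from the CNAO PR or hco-bundle: check that workloads carry
the opt-in labels on their pod template (what a NetworkPolicy podSelector matches)."""

# Label keys named in the PR. The PR gives no values, so "true" below is a
# constructed placeholder; the check matches on the key only.
CLUSTER_SERVICES_LABEL = "hco.kubevirt.io/allow-access-cluster-services"
PROMETHEUS_LABEL = "hco.kubevirt.io/allow-prometheus-access"

def pod_template_labels(manifest: dict) -> dict:
    """Return the labels a NetworkPolicy selector will actually match against."""
    if manifest.get("kind") == "Pod":
        return manifest.get("metadata", {}).get("labels") or {}
    # Deployment, DaemonSet, StatefulSet and Job all embed a pod template here.
    template = manifest.get("spec", {}).get("template", {})
    return template.get("metadata", {}).get("labels") or {}

def missing_optin_labels(manifest: dict, required: set) -> list:
    """Return the opt-in label keys absent from the pods this manifest creates."""
    present = pod_template_labels(manifest)
    return sorted(key for key in required if key not in present)

def audit(manifests: list, required_by_name: dict) -> dict:
    """Map workload name -> missing labels. Every component needs cluster-services
    access (API and DNS); only metrics-exposing pods also need Prometheus ingress."""
    report = {}
    for m in manifests:
        name = m["metadata"]["name"]
        required = required_by_name.get(name, {CLUSTER_SERVICES_LABEL})
        report[name] = missing_optin_labels(m, required)
    return report

# Constructed sample manifests (illustrative names, not the project's real ones).
# The second shows the classic mistake: the label is on the Deployment's own
# metadata, so its pods stay unlabelled and the global deny-all still blocks them.
SAMPLE_MANIFESTS = [
    {"kind": "Deployment",
     "metadata": {"name": "network-operator", "labels": {"app": "operator"}},
     "spec": {"template": {"metadata": {"labels": {
         "app": "operator", CLUSTER_SERVICES_LABEL: "true",
         PROMETHEUS_LABEL: "true"}}}}},
    {"kind": "Deployment",
     "metadata": {"name": "ipam-controller",
                  "labels": {CLUSTER_SERVICES_LABEL: "true"}},
     "spec": {"template": {"metadata": {"labels": {"app": "ipam"}}}}},
]
SAMPLE_REQUIRED = {"network-operator": {CLUSTER_SERVICES_LABEL, PROMETHEUS_LABEL}}
if __name__ == "__main__":
    for name, missing in audit(SAMPLE_MANIFESTS, SAMPLE_REQUIRED).items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Feed it the output of the manifest-templator or the rendered CSV (converted to JSON) to confirm the labels are on the pod templates before merging.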