CM-576: Implementation of Network Policy for Cert Manager Operator

[PillaiManish]

This PR adds the NetworkPolicy for the operator:

1. Deny all over podSelector
2. Allow-egress-to-api-server
3. Allow-ingress-to-metrics

Steps followed:

• Update the library-go to latest version so that it contains the commit for the NetworkPolicy support
  • update the dependency libraries.
• adds parameter in the function call for the updated version code
• run the command make generate
• add the required NetworkPolicy files and a static controller to watch/reconcile on these resources

[openshift-ci-robot]

@PillaiManish: This pull request references CM-576 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@PillaiManish: This pull request references CM-576 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

This PR adds the NetworkPolicy for the operator:

1. Deny all over podSelector
2. Allow-egress-to-api-server
3. Allow-ingress-to-metrics

Steps followed:

• Update the library-go to latest version so that it contains the commit for the NetworkPolicy support
• update the dependency libraries.
• adds parameter in the function call for the updated version code
• run the command make generate
• add the required NetworkPolicy files and a static controller to watch/reconcile on these resources

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[swghosh]

E0610 17:30:08.850137       1 reflector.go:166] "Unhandled Error" err="k8s.io/client-go/informers/factory.go:160: Failed to watch *v1.NetworkPolicy: failed to list *v1.NetworkPolicy: networkpolicies.networking.k8s.io is forbidden: User \"system:serviceaccount:cert-manager-operator:cert-manager-operator-controller-manager\" cannot list resource \"networkpolicies\" in API group \"networking.k8s.io\" in the namespace \"cert-manager-operator\""
W0610 17:30:58.441258       1 reflector.go:569] k8s.io/client-go/informers/factory.go:160: failed to list *v1.NetworkPolicy: networkpolicies.networking.k8s.io is forbidden: User "system:serviceaccount:cert-manager-operator:cert-manager-operator-controller-manager" cannot list resource "networkpolicies" in API group "networking.k8s.io" in the namespace "cert-manager-operator"
E0610 17:30:58.441294       1 reflector.go:166] "Unhandled Error" err="k8s.io/client-go/informers/factory.go:160: Failed to watch *v1.NetworkPolicy: failed to list *v1.NetworkPolicy: networkpolicies.networking.k8s.io is forbidden: User \"system:serviceaccount:cert-manager-operator:cert-manager-operator-controller-manager\" cannot list resource \"networkpolicies\" in API group \"networking.k8s.io\" in the namespace \"cert-manager-operator\""

from the e2e operator pod logs it seems that the NetworkPolicy we intend to apply are not getting added at all. One way for the e2e to observe this as a failure is to add a status condition check for the new static-resource-controller being added, refer #279 for details. However, for this to work would need to check if your controller can effectively apply a NetworkPolicy object via library-go first, and resolve that RBAC issue too.

[swghosh]

This allows (operator pod to) egress ALL to any 6443 port to any pod on the cluster? Is my understanding correct?

[PillaiManish]

Yes, in the docs they have mentioned this way. They might tighten it later.

[swghosh]

coming in from upstream bump?

[PillaiManish]

Yes, in the upstream, that corevalidation

func validatePodResourceRequirements(requirements *core.ResourceRequirements, podClaimNames sets.Set[string], fldPath *field.Path, opts PodValidationOptions) field.ErrorList {
	return validateResourceRequirements(requirements, validatePodResourceName, podClaimNames, fldPath, opts)
}

func ValidateContainerResourceRequirements(requirements *core.ResourceRequirements, podClaimNames sets.Set[string], fldPath *field.Path, opts PodValidationOptions) field.ErrorList {
	return validateResourceRequirements(requirements, validateContainerResourceName, podClaimNames, fldPath, opts)
}

// Validates resource requirement spec.
func validateResourceRequirements(requirements *core.ResourceRequirements, resourceNameFn func(core.ResourceName, *field.Path) field.ErrorList, podClaimNames sets.Set[string], fldPath *field.Path, opts PodValidationOptions) field.ErrorList {

Two function have been added validatePodResourceRequirements, ValidateContainerResourceRequirements.

[swghosh]

I'm not sure what is changing the generated client-gen code.
Auto-generation update?

[PillaiManish]

Not sure, maybe the bump? I will once take a look on it.

[swghosh]

Let's check library-go implementation for the Static Resources Controller (especially informers),
my guess is that there is no informer/client for NetworkPolicy yet.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: PillaiManish
Once this PR has been reviewed and has the lgtm label, please assign trilokgeer for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[swghosh]

these bumps to kube 32, can go in as a separate PR (ideally with the upstream bump, but not a must)

[PillaiManish]

Do you mean with the PR ?

[swghosh]

E0610 17:30:08.850137       1 reflector.go:166] "Unhandled Error" err="k8s.io/client-go/informers/factory.go:160: Failed to watch *v1.NetworkPolicy: failed to list *v1.NetworkPolicy: networkpolicies.networking.k8s.io is forbidden: User \"system:serviceaccount:cert-manager-operator:cert-manager-operator-controller-manager\" cannot list resource \"networkpolicies\" in API group \"networking.k8s.io\" in the namespace \"cert-manager-operator\""
W0610 17:30:58.441258       1 reflector.go:569] k8s.io/client-go/informers/factory.go:160: failed to list *v1.NetworkPolicy: networkpolicies.networking.k8s.io is forbidden: User "system:serviceaccount:cert-manager-operator:cert-manager-operator-controller-manager" cannot list resource "networkpolicies" in API group "networking.k8s.io" in the namespace "cert-manager-operator"
E0610 17:30:58.441294       1 reflector.go:166] "Unhandled Error" err="k8s.io/client-go/informers/factory.go:160: Failed to watch *v1.NetworkPolicy: failed to list *v1.NetworkPolicy: networkpolicies.networking.k8s.io is forbidden: User \"system:serviceaccount:cert-manager-operator:cert-manager-operator-controller-manager\" cannot list resource \"networkpolicies\" in API group \"networking.k8s.io\" in the namespace \"cert-manager-operator\""

from the e2e operator pod logs it seems that the NetworkPolicy we intend to apply are not getting added at all. One way for the e2e to observe this as a failure is to add a status condition check for the new static-resource-controller being added, refer #279 for details. However, for this to work would need to check if your controller can effectively apply a NetworkPolicy object via library-go first, and resolve that RBAC issue too.

looks like apply-ing NetworkPolicy via Static Resource Controller was already added in openshift/library-go#1961: which suffices, so fixing the RBAC should fix your issue.

So additionally, we would need e2e to check that Status.Conditions is: - {status: "False", type: cert-manager-operator-static-resources-Degraded } (context of why we need it is in OCPBUGS-56758 FYR).

[PillaiManish]

/retest

[PillaiManish]

/retest

[TrilokGeer]

/hold
Hold for design review.

[openshift-ci]

@PillaiManish: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-operator	bd6195f	link	true	/test e2e-operator

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-merge-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.