
CNTRLPLANE-2905: add network policies#414

Open
dusk125 wants to merge 4 commits into openshift:master from dusk125:networkpolicies

Conversation

dusk125 (Contributor) commented Mar 4, 2026

Adds NetworkPolicy resources for both operator and operand namespaces

Summary by CodeRabbit

  • New Features
    • Added NetworkPolicy resources in controller-manager, route-controller-manager, and operator namespaces: default-deny policies that deny all traffic by default, plus allow rules that permit TCP ingress on port 8443 for controller/operator pods and permit broad egress where specified.

openshift-ci-robot (Contributor) commented Mar 4, 2026

@dusk125: This pull request references CNTRLPLANE-2905 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.


In response to this:

Adds NetworkPolicy resources for both operator and operand namespaces

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 4, 2026
@openshift-ci openshift-ci bot requested review from deads2k and prabhapa March 4, 2026 20:50
dusk125 (Contributor, Author) commented Mar 5, 2026

/retest-required

1 similar comment
dusk125 (Contributor, Author) commented Mar 5, 2026

/retest-required

coderabbitai bot commented Mar 9, 2026

Walkthrough

Adds Kubernetes NetworkPolicy manifests: default-deny and explicit allow (ingress TCP 8443, unrestricted egress) for openshift-controller-manager, route-controller-manager, and openshift-controller-manager-operator; and registers four controller-manager-related assets in the operator's static resource list.

Changes

  • Network Policies - Controller Manager
    Files: bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml, bindata/assets/openshift-controller-manager/networkpolicy-default-deny.yaml
    Summary: Adds default-deny for the namespace and an allow policy selecting controller-manager: "true" permitting ingress TCP 8443 and allowing all egress.
  • Network Policies - Route Controller Manager
    Files: bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml, bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-default-deny.yaml
    Summary: Adds default-deny for the namespace and an allow policy selecting route-controller-manager: "true" permitting ingress TCP 8443 and allowing all egress.
  • Network Policies - Operator
    Files: manifests/0000_25_openshift-controller-manager-operator_01_network-policy-default-deny.yaml, manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml
    Summary: Adds default-deny and allow-operator policies for openshift-controller-manager-operator; allow-operator selects app: openshift-controller-manager-operator, permits ingress TCP 8443, allows all egress, and includes HA/single-node annotations.
  • Operator Configuration
    File: pkg/operator/starter.go
    Summary: Appends four new NetworkPolicy assets (the two controller-manager and two route-controller-manager manifests) to the StaticResourceController reconciliation asset list.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is below the required threshold of 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'CNTRLPLANE-2905: add network policies' directly and clearly summarizes the main change: adding network policies across multiple namespaces in the openshift-controller-manager-operator project.
  • Stable And Deterministic Test Names: ✅ Passed. The PR exclusively adds YAML manifest files and updates starter.go to reference them. No Ginkgo test files or test code are present in this PR.
  • Test Structure And Quality: ✅ Passed. This PR does not include any Ginkgo test code; it only modifies network policy YAML manifests and configuration files.


openshift-ci-robot (Contributor) commented Mar 9, 2026

@dusk125: This pull request references CNTRLPLANE-2905 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.


In response to this:

Adds NetworkPolicy resources for both operator and operand namespaces

Summary by CodeRabbit

  • New Features
  • Added Network Policies for enhanced cluster security, implementing default-deny rules that block all traffic by default while explicitly permitting essential communication paths for controller managers and operators.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml`:
- Around line 8-24: The NetworkPolicy named allow-controller-manager currently
permits ingress on port 8443 but lacks a source restriction; update the
spec.ingress of the allow-controller-manager NetworkPolicy to include a from
clause that limits traffic to the openshift-monitoring namespace (e.g., add a
from: - namespaceSelector with an appropriate label selector matching the
monitoring namespace) so only pods from openshift-monitoring can reach port 8443
on pods selected by spec.podSelector (app: openshift-controller-manager-a,
controller-manager: "true").

In
`@bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml`:
- Around line 8-24: The NetworkPolicy named allow-route-controller-manager in
namespace openshift-route-controller-manager currently permits ingress to pods
matching labels app: route-controller-manager and route-controller-manager:
"true" on TCP port 8443 from any source; update the spec.ingress entry to
include a from block that restricts sources to the openshift-monitoring
namespace (use namespaceSelector with matchLabels or metadata.name selector for
the monitoring namespace) so Prometheus alone can scrape metrics, or if open
access is intended, change the comment above to say it allows ingress from any
source rather than from openshift-monitoring.

In
`@manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml`:
- Around line 8-26: The doc/comment claims ingress is limited "from
openshift-monitoring" but the NetworkPolicy allow-operator (namespace
openshift-controller-manager-operator, podSelector app:
openshift-controller-manager-operator) currently has no from block and therefore
allows all sources; fix by adding a from block to the spec.ingress that
restricts traffic to the openshift-monitoring namespace (e.g., add a from: -
namespaceSelector: matchLabels: kubernetes.io/metadata.name:
openshift-monitoring) so the port: 8443 rule truly only allows Prometheus from
that namespace, or alternatively update the comment to accurately state that the
rule allows all sources—choose one and make the change in the NetworkPolicy
manifest.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2eea60ce-ba75-46c4-9a24-3663c5f3bbdd

📥 Commits

Reviewing files that changed from the base of the PR and between ec06b68 and dd09c2f.

📒 Files selected for processing (7)
  • bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml
  • bindata/assets/openshift-controller-manager/networkpolicy-default-deny.yaml
  • bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml
  • bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-default-deny.yaml
  • manifests/0000_25_openshift-controller-manager-operator_01_network-policy-default-deny.yaml
  • manifests/0000_25_openshift-controller-manager-operator_01_network-policy-operator.yaml
  • pkg/operator/starter.go

Comment on lines +8 to +24
# Ingress:
# - Allow ingress on port 8443 (metrics) from the openshift-monitoring namespace
#   so that Prometheus can scrape metrics from the controller-manager pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-controller-manager
  namespace: openshift-controller-manager
spec:
  podSelector:
    matchLabels:
      app: openshift-controller-manager-a
      controller-manager: "true"
  ingress:
  - ports:
    - protocol: TCP
      port: 8443

⚠️ Potential issue | 🟡 Minor

Same issue: comment mentions restricted source but ingress allows all.

Lines 8-10 claim ingress is "from the openshift-monitoring namespace", but the ingress rule has no from selector. This allows any source to connect to port 8443. Same fix as the route-controller-manager policy if restriction is intended.


Comment on lines +8 to +24
# Ingress:
# - Allow ingress on port 8443 (metrics) from the openshift-monitoring namespace
#   so that Prometheus can scrape metrics from the route-controller-manager pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-route-controller-manager
  namespace: openshift-route-controller-manager
spec:
  podSelector:
    matchLabels:
      app: route-controller-manager
      route-controller-manager: "true"
  ingress:
  - ports:
    - protocol: TCP
      port: 8443

⚠️ Potential issue | 🟡 Minor

Comment claims restricted source but ingress rule allows all sources.

The comment on lines 8-10 states ingress is allowed "from the openshift-monitoring namespace", but the ingress rule at lines 21-24 has no from selector, meaning it allows TCP 8443 from any source in the cluster.

If the intent is to restrict to Prometheus only, add a namespace selector:

🔒 Proposed fix to restrict ingress source
   ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-monitoring
     ports:
     - protocol: TCP
       port: 8443
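Review bot: this hunk shows `     ports:` as unchanged context, but the submitted manifest has `  - ports:` as the start of its own list item, so the hunk needs a `-  - ports:` / `+    ports:` pair (as the later duplicate-comment hunks have) to move `ports` into the same rule as `from`. Applied as written, the result is two ingress rules, `- from: [...]` with no ports and `- ports: [8443]` with no `from`; rules in a NetworkPolicy are ORed, so the second rule would still admit TCP 8443 from every source and the restriction would not take effect.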

If allowing from all sources is intentional, update the comment to reflect that.

📝 Committable suggestion (resulting manifest)

# Ingress:
# - Allow ingress on port 8443 (metrics) from the openshift-monitoring namespace
#   so that Prometheus can scrape metrics from the route-controller-manager pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-route-controller-manager
  namespace: openshift-route-controller-manager
spec:
  podSelector:
    matchLabels:
      app: route-controller-manager
      route-controller-manager: "true"
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-monitoring
    ports:
    - protocol: TCP
      port: 8443

Comment on lines +8 to +26
# Ingress:
# - Allow ingress on port 8443 (metrics) from the openshift-monitoring namespace
#   so that Prometheus can scrape metrics from the operator.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-operator
  namespace: openshift-controller-manager-operator
  annotations:
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
spec:
  podSelector:
    matchLabels:
      app: openshift-controller-manager-operator
  ingress:
  - ports:
    - protocol: TCP
      port: 8443

⚠️ Potential issue | 🟡 Minor

Same documentation inconsistency: comment says "from openshift-monitoring" but rule allows all sources.

The comment claims ingress is restricted to the openshift-monitoring namespace, but the ingress rule at lines 23-26 has no from selector. This is consistent with the other allow policies but the documentation should match the implementation.

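Added here as an example (not code from the PR or the project), a small Python audit that flags the pattern the three inline comments describe: an ingress rule with `ports` but no `from`, which the API server treats as "from any source". The manifests are constructed to mirror the ones under review, and the Prometheus pod label in PROMETHEUS_PEER is an assumption, not taken from the PR.

```python
"""Audit NetworkPolicy ingress rules for the comment/implementation mismatch
flagged in this review: a rule that opens a port but carries no `from`
admits every source in the cluster.  Added example, not code from the PR;
the manifests below are constructed to mirror the ones under review.
"""
from __future__ import annotations

# Peer the review proposes: every pod in the openshift-monitoring namespace.
MONITORING_NS_PEER = {
    "namespaceSelector": {
        "matchLabels": {"kubernetes.io/metadata.name": "openshift-monitoring"}
    }
}
# Narrower peer (assumed Prometheus pod label, not from the PR): a
# namespaceSelector and podSelector in ONE `from` element are ANDed.
PROMETHEUS_PEER = {
    **MONITORING_NS_PEER,
    "podSelector": {"matchLabels": {"app.kubernetes.io/name": "prometheus"}},
}
METRICS_PORT = [{"protocol": "TCP", "port": 8443}]


def _policy(name: str, ingress: list | None, policy_types=("Ingress",)) -> dict:
    """Build a minimal NetworkPolicy dict, shaped as a YAML loader would return it."""
    spec = {"podSelector": {"matchLabels": {"controller-manager": "true"}},
            "policyTypes": list(policy_types)}
    if ingress is not None:
        spec["ingress"] = ingress
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": "openshift-controller-manager"},
            "spec": spec}


# As submitted: port opened, no `from` -> reachable from anywhere in the cluster.
ALLOW_AS_SUBMITTED = _policy("allow-controller-manager", [{"ports": METRICS_PORT}])
# The reviewer's fix: `from` and `ports` in the same rule.
ALLOW_FIXED = _policy("allow-controller-manager",
                      [{"from": [MONITORING_NS_PEER], "ports": METRICS_PORT}])
# Narrowed further to the scraper pods only.
ALLOW_PROMETHEUS_ONLY = _policy("allow-controller-manager",
                                [{"from": [PROMETHEUS_PEER], "ports": METRICS_PORT}])
# What a mis-applied hunk produces: two rules, ORed, so the port-only rule still opens 8443 to all.
ALLOW_SPLIT = _policy("allow-controller-manager",
                      [{"from": [MONITORING_NS_PEER]}, {"ports": METRICS_PORT}])
# Companion default-deny: empty podSelector, no ingress list at all.
DEFAULT_DENY = _policy("default-deny", None, ("Ingress", "Egress"))
DEFAULT_DENY["spec"]["podSelector"] = {}


def describe_peer(peer: dict) -> str:
    """Render one `from` element the way the API server interprets it."""
    if "ipBlock" in peer:
        return f"cidr {peer['ipBlock'].get('cidr')}"
    ns, pod = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns is not None and pod is not None:
        return f"pods {pod.get('matchLabels', {})} in namespaces {ns.get('matchLabels', {})}"
    if ns is not None:
        return f"ALL pods in namespaces {ns.get('matchLabels', {})}"
    if pod is not None:
        return f"pods {pod.get('matchLabels', {})} in the policy's own namespace"
    return "ALL sources"  # an empty peer ({}) matches everything


def audit_ingress(policy: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings for each ingress rule of a policy."""
    name = policy["metadata"]["name"]
    spec = policy.get("spec", {})
    # Ingress is always governed when policyTypes is omitted; otherwise only if listed.
    if "Ingress" not in (spec.get("policyTypes") or ["Ingress"]):
        return []
    if "ingress" not in spec:
        return [("info", f"{name}: no ingress rules, selected pods deny all ingress")]
    findings = []
    for i, rule in enumerate(spec["ingress"]):
        ports = rule.get("ports") or []
        port_desc = ", ".join(f"{p.get('protocol', 'TCP')}/{p.get('port', '*')}"
                              for p in ports) or "ALL ports"
        peers = rule.get("from")
        if not peers:  # missing or empty `from` matches every source
            findings.append(("major", f"{name}: rule {i} opens {port_desc} to ALL sources (no `from`)"))
            continue
        for peer in peers:
            desc = describe_peer(peer)
            sev = "minor" if desc.startswith("ALL pods") else "info"
            findings.append((sev, f"{name}: rule {i} opens {port_desc} from {desc}"))
    return findings


if __name__ == "__main__":
    for pol in (ALLOW_AS_SUBMITTED, ALLOW_FIXED, ALLOW_PROMETHEUS_ONLY, ALLOW_SPLIT, DEFAULT_DENY):
        for sev, msg in audit_ingress(pol):
            print(f"[{sev}] {msg}")
```

Loading the real manifests with a YAML library in place of the constructed dicts gives the same checks over the repository's own files.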

dusk125 (Contributor, Author) commented Mar 10, 2026

/payload 4.22 nightly blocking
/payload 4.22 nightly informing

openshift-ci bot commented Mar 10, 2026

@dusk125: trigger 14 job(s) of type blocking for the nightly release of OCP 4.22


See details on https://pr-payload-tests.ci.openshift.org/runs/ci/a53ecd80-1cb9-11f1-955c-2264a6e7c378-0

trigger 65 job(s) of type informing for the nightly release of OCP 4.22


See details on https://pr-payload-tests.ci.openshift.org/runs/ci/a53ecd80-1cb9-11f1-955c-2264a6e7c378-1

@zhouying7780

@LiangquanLi930 Could you please help approve, thanks.

openshift-ci-robot (Contributor) commented Mar 12, 2026

@dusk125: This pull request references CNTRLPLANE-2905 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.


In response to this:

Adds NetworkPolicy resources for both operator and operand namespaces

Summary by CodeRabbit

  • New Features
  • Added NetworkPolicy resources in controller-manager, route-controller-manager, and operator namespaces: default-deny policies that deny all traffic by default, plus allow rules that permit TCP ingress on port 8443 for controller/operator pods and permit broad egress where specified.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

dusk125 (Contributor, Author) commented Mar 12, 2026

/label tide/merge-method-squash

coderabbitai bot left a comment

♻️ Duplicate comments (2)
bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml (1)

8-23: ⚠️ Potential issue | 🟠 Major

Restrict metrics ingress or fix the comment.

The comment says port 8443 is only opened to openshift-monitoring, but this rule has no from selector, so it allows ingress on 8443 from all sources. That leaves the metrics endpoint broader than intended.

🔒 Proposed fix
   ingress:
-  - ports:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-monitoring
+    ports:
     - protocol: TCP
       port: 8443
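Review bot: a `namespaceSelector` on `kubernetes.io/metadata.name: openshift-monitoring` admits every pod in that namespace, not Prometheus alone as Lines 8-10 of the manifest state; to narrow it to the scraper, add a `podSelector` inside the same `from` element (a namespaceSelector and podSelector in one element are ANDed, whereas separate list items are ORed). The same applies to the identical fix proposed for networkpolicy-allow.yaml. The selector relies on the `kubernetes.io/metadata.name` label, which the API server sets on every namespace automatically (GA since Kubernetes 1.22), so no extra labelling of openshift-monitoring is needed.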

If open access is intentional, update Lines 9-10 to say that explicitly.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml`
around lines 8 - 23, The NetworkPolicy named allow-route-controller-manager in
namespace openshift-route-controller-manager currently allows ingress to pods
with label route-controller-manager on TCP port 8443 from any source,
contradicting the comment that it should only allow openshift-monitoring; either
restrict the rule by adding a from clause that selects the openshift-monitoring
namespace (e.g., namespaceSelector matching metadata.name: openshift-monitoring
or a suitable podSelector) to limit ingress to Prometheus, or if open access was
intended, update the comment to state that port 8443 is intentionally open to
all sources.
bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml (1)

8-23: ⚠️ Potential issue | 🟠 Major

Restrict metrics ingress or fix the comment.

Same issue here: Lines 9-10 say metrics ingress is from openshift-monitoring, but the rule has no from clause, so port 8443 is reachable from all sources.

🔒 Proposed fix
   ingress:
-  - ports:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-monitoring
+    ports:
     - protocol: TCP
       port: 8443

If cluster-wide access is intended, please make the comment match the actual policy.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml` around
lines 8 - 23, The NetworkPolicy named allow-controller-manager in namespace
openshift-controller-manager currently exposes port 8443 to all sources
(spec.ingress has no from clause) while the comment says it should allow ingress
only from the openshift-monitoring namespace; either update the comment to
reflect cluster-wide access or restrict the rule by adding a from clause under
spec.ingress that limits traffic to pods in the openshift-monitoring namespace
(e.g., a namespaceSelector matching metadata.name: openshift-monitoring or a
podSelector as appropriate) so the policy behavior matches the documented
intent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9b517a00-bb3a-41e6-87b8-534a9184167e

📥 Commits

Reviewing files that changed from the base of the PR and between dd09c2f and 9d54941.

📒 Files selected for processing (2)
  • bindata/assets/openshift-controller-manager/networkpolicy-allow.yaml
  • bindata/assets/openshift-controller-manager/route-controller-manager-networkpolicy-allow.yaml

@openshift-ci openshift-ci bot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Mar 12, 2026
liouk (Member) commented Mar 12, 2026

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 12, 2026
openshift-ci bot commented Mar 12, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dusk125, liouk
Once this PR has been reviewed and has the lgtm label, please assign adambkaplan for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci bot commented Mar 12, 2026

@dusk125: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
