CNTRLPLANE-2610: Create network policies for AUTH components

bindata/oauth-apiserver/networkpolicy_namespace_default-deny-all.yaml

@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: openshift-oauth-apiserver
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress

bindata/oauth-apiserver/networkpolicy_oauth-apiserver.yaml

@@ -0,0 +1,72 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: oauth-apiserver-networkpolicy
+  namespace: openshift-oauth-apiserver
+spec:
+  podSelector:
+    matchLabels:
+      app: openshift-oauth-apiserver
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+    # allow metrics scraping from anywhere
+    - ports:
+      - protocol: TCP
+        port: 8443
+    # allow ingress from the oauth-server
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-authentication
+        podSelector:
+          matchLabels:
+            app: oauth-openshift
+      ports:
+      - protocol: TCP
+        port: 8443
+    # allow ingress from the cluster-authentication-operator due to health checks
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-authentication-operator
+        podSelector:
+          matchLabels:
+            app: authentication-operator
+      ports:
+      - protocol: TCP
+        port: 8443
+    # allow ingress TCP traffic
+    # required for ingress from the kube-apiserver due to the webhook authenticator and aggregated APIs
+    - ports:
+      - protocol: TCP
+        port: 8443
+  egress:
+    # allow egress to DNS
+    - to:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-dns
+        podSelector:
+          matchLabels:
+            dns.operator.openshift.io/daemonset-dns: default
+      ports:
+      - protocol: TCP
+        port: 5353
+      - protocol: UDP
+        port: 5353
+    # allow egress to etcd
+    - to:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-etcd
+        podSelector:
+          matchLabels:
+            app: etcd
+      ports:
+      - protocol: TCP
+        port: 2379
+    # allow all egress traffic
+    # required for egress to kube-apiserver pods
+    - {}

bindata/oauth-openshift/networkpolicy_namespace_default-deny-all.yaml

@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: openshift-authentication
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress

bindata/oauth-openshift/networkpolicy_oauth-server.yaml

@@ -0,0 +1,71 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: oauth-server-networkpolicy
+  namespace: openshift-authentication
+spec:
+  podSelector:
+    matchLabels:
+      app: oauth-openshift
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+    # allow metrics scraping from anywhere
+    - ports:
+      - protocol: TCP
+        port: 6443
+    # allow ingress from the router
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            policy-group.network.openshift.io/ingress: ""
+      ports:
+      - protocol: TCP
+        port: 6443
+    # allow ingress from the cluster-authentication-operator due to health checks
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-authentication-operator
+        podSelector:
+          matchLabels:
+            app: authentication-operator
+      ports:
+      - protocol: TCP
+        port: 6443
+    # allow ingress from oauth-proxy as it can live in any namespace and pod (it's a sidecar)
+    - from:
+      - namespaceSelector: {}
+      ports:
+      - protocol: TCP
+        port: 6443
+  egress:
+    # allow egress to DNS
+    - to:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-dns
+        podSelector:
+          matchLabels:
+            dns.operator.openshift.io/daemonset-dns: default
+      ports:
+      - protocol: TCP
+        port: 5353
+      - protocol: UDP
+        port: 5353
+    # allow egress traffic to oauth-apiserver pods to access oauth APIs
+    # this rule overlaps with the generic TCP egress rule but exists for documentation purposes
+    - to:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-oauth-apiserver
+        podSelector:
+          matchLabels:
+            app: openshift-oauth-apiserver
+      ports:
+      - protocol: TCP
+        port: 8443
+    # allow all egress traffic
+    # required for egress to kube-apiserver pods and configured IDPs
+    - {}

manifests/0000_10_networkpolicy_00_authentication-operator.yaml

@@ -0,0 +1,61 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: authentication-operator-networkpolicy
+  namespace: openshift-authentication-operator
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  podSelector:
+    matchLabels:
+      app: authentication-operator
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # allow metrics scraping from anywhere
+  - ports:
+    - protocol: TCP
+      port: 8443
+  egress:
+  # allow egress to DNS
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-dns
+      podSelector:
+        matchLabels:
+          dns.operator.openshift.io/daemonset-dns: default
+    ports:
+    - protocol: TCP
+      port: 5353
+    - protocol: UDP
+      port: 5353
+  # allow egress traffic to oauth-server pods for health checks
+  # this rule overlaps with the generic TCP egress rule but exists for documentation purposes
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-authentication
+      podSelector:
+        matchLabels:
+          app: oauth-openshift
+    ports:
+    - protocol: TCP
+      port: 6443
+  # allow egress traffic to oauth-apiserver pods for health checks
+  # this rule overlaps with the generic TCP egress rule but exists for documentation purposes
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-oauth-apiserver
+      podSelector:
+        matchLabels:
+          app: openshift-oauth-apiserver
+    ports:
+    - protocol: TCP
+      port: 8443
+  # allow all egress traffic
+  # required for egress to kube-apiserver pods and openID provider discovery (external OIDC and via oauth)
+  - {}

manifests/0000_10_networkpolicy_99_namespace_default-deny-all.yaml

@@ -0,0 +1,13 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: openshift-authentication-operator
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress

pkg/cmd/mom/output_resources_command.go

@@ -41,6 +41,11 @@ func runOutputResources(ctx context.Context) (*libraryoutputresources.OutputReso
 				libraryoutputresources.ExactRoleBinding("openshift-config-managed", "system:openshift:oauth-servercert-trust"),
 
 				libraryoutputresources.ExactPDB("openshift-oauth-apiserver", "oauth-apiserver-pdb"),
+
+				libraryoutputresources.ExactResource("networking.k8s.io", "v1", "networkpolicies", "openshift-authentication", "oauth-server-networkpolicy"),
+				libraryoutputresources.ExactResource("networking.k8s.io", "v1", "networkpolicies", "openshift-authentication", "default-deny-all"),
+				libraryoutputresources.ExactResource("networking.k8s.io", "v1", "networkpolicies", "openshift-oauth-apiserver", "oauth-apiserver-networkpolicy"),
+				libraryoutputresources.ExactResource("networking.k8s.io", "v1", "networkpolicies", "openshift-oauth-apiserver", "default-deny-all"),
 			},
 			EventingNamespaces: []string{
 				"openshift-authentication-operator",

pkg/operator/starter.go

@@ -142,6 +142,8 @@ func prepareOauthOperator(
 		[]string{ // required resources
 			"oauth-openshift/audit-policy.yaml",
 			"oauth-openshift/ns.yaml",
+			"oauth-openshift/networkpolicy_oauth-server.yaml",
+			"oauth-openshift/networkpolicy_namespace_default-deny-all.yaml",
 			"oauth-openshift/authorization.openshift.io_rolebindingrestrictions.yaml",
 		},
 		resourceapply.NewKubeClientHolder(authOperatorInput.kubeClient).WithAPIExtensionsClient(authOperatorInput.apiextensionClient),
@@ -526,6 +528,8 @@ func prepareOauthAPIServerOperator(
 			{
 				Files: []string{
 					"oauth-apiserver/ns.yaml",
+					"oauth-apiserver/networkpolicy_oauth-apiserver.yaml",
+					"oauth-apiserver/networkpolicy_namespace_default-deny-all.yaml",
 				},
 			},
 			{

test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/3f86-body-authentication-operator.17fe72c59b829800.05fbd8b8.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+count: 1
+eventTime: null
+firstTimestamp: "2024-10-14T22:38:20Z"
+involvedObject:
+  kind: Deployment
+  name: authentication-operator
+  namespace: openshift-authentication-operator
+kind: Event
+lastTimestamp: "2024-10-14T22:38:20Z"
+message: 'Writing updated section ("oauthAPIServer") of observed config: "@@ -1 +1,24
+  @@\n-null\n+{\n+ \"apiServerArguments\": {\n+  \"api-audiences\": [\n+   \"https://kubernetes.default.svc\"\n+  ],\n+  \"cors-allowed-origins\":
+  [\n+   \"//127\\\\.0\\\\.0\\\\.1(:|$)\",\n+   \"//localhost(:|$)\"\n+  ],\n+  \"feature-gates\":
+  [],\n+  \"tls-cipher-suites\": [\n+   \"TLS_AES_128_GCM_SHA256\",\n+   \"TLS_AES_256_GCM_SHA384\",\n+   \"TLS_CHACHA20_POLY1305_SHA256\",\n+   \"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\n+   \"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\n+   \"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\n+   \"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\n+   \"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\",\n+   \"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n+  ],\n+  \"tls-min-version\":
+  \"VersionTLS12\"\n+ }\n+}\n"'
+metadata:
+  name: authentication-operator.17fe72c59b829800.05fbd8b8
+  namespace: openshift-authentication-operator
+reason: ObservedConfigChanged
+reportingComponent: ""
+reportingInstance: ""
+source:
+  component: cluster-authentication-operator-run-once-sync-context
+type: Normal

test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/de10-metadata-authentication-operator.17fe72c59b829800.2a24f1b5.yaml → test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/3f86-metadata-authentication-operator.17fe72c59b829800.05fbd8b8.yaml

@@ -1,7 +1,7 @@
 action: Create
 controllerInstanceName: ""
 generateName: ""
-name: authentication-operator.17fe72c59b829800.2a24f1b5
+name: authentication-operator.17fe72c59b829800.05fbd8b8
 namespace: openshift-authentication-operator
 resourceType:
   Group: ""

test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/53aa-body-authentication-operator.17fe72c59b829800.ec96ffd6.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+count: 1
+eventTime: null
+firstTimestamp: "2024-10-14T22:38:20Z"
+involvedObject:
+  kind: Deployment
+  name: authentication-operator
+  namespace: openshift-authentication-operator
+kind: Event
+lastTimestamp: "2024-10-14T22:38:20Z"
+message: Created NetworkPolicy.networking.k8s.io/default-deny-all -n openshift-authentication
+  because it was missing
+metadata:
+  name: authentication-operator.17fe72c59b829800.ec96ffd6
+  namespace: openshift-authentication-operator
+reason: NetworkPolicyCreated
+reportingComponent: ""
+reportingInstance: ""
+source:
+  component: cluster-authentication-operator-run-once-sync-context
+type: Normal

test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/5169-metadata-authentication-operator.17fe72c59b829800.ad6de22d.yaml → test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/53aa-metadata-authentication-operator.17fe72c59b829800.ec96ffd6.yaml

@@ -1,7 +1,7 @@
 action: Create
 controllerInstanceName: ""
 generateName: ""
-name: authentication-operator.17fe72c59b829800.ad6de22d
+name: authentication-operator.17fe72c59b829800.ec96ffd6
 namespace: openshift-authentication-operator
 resourceType:
   Group: ""

test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/6393-body-authentication-operator.17fe72c59b829800.c879600c.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+count: 1
+eventTime: null
+firstTimestamp: "2024-10-14T22:38:20Z"
+involvedObject:
+  kind: Deployment
+  name: authentication-operator
+  namespace: openshift-authentication-operator
+kind: Event
+lastTimestamp: "2024-10-14T22:38:20Z"
+message: Created NetworkPolicy.networking.k8s.io/default-deny-all -n openshift-oauth-apiserver
+  because it was missing
+metadata:
+  name: authentication-operator.17fe72c59b829800.c879600c
+  namespace: openshift-authentication-operator
+reason: NetworkPolicyCreated
+reportingComponent: ""
+reportingInstance: ""
+source:
+  component: cluster-authentication-operator-run-once-sync-context
+type: Normal

test-data/apply-configuration/overall/oauth-server-configobserver/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/0dc4-metadata-authentication-operator.18599d2230299800.5f2cc1a1.yaml → test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/6393-metadata-authentication-operator.17fe72c59b829800.c879600c.yaml

@@ -1,7 +1,7 @@
 action: Create
 controllerInstanceName: ""
 generateName: ""
-name: authentication-operator.18599d2230299800.5f2cc1a1
+name: authentication-operator.17fe72c59b829800.c879600c
 namespace: openshift-authentication-operator
 resourceType:
   Group: ""