Adding network policies to kmm including to kmm bundle
Due to security concerns, we need to allow the KMM operator only the necessary traffic. This commit adds network policies for each KMM pod:
- controller
- webhook
- build and sign

This commit also changes the e2e tests to verify the network policies' effect. This commit also affects the KMM bundle to include the network policy manifests.
/hold /cc @ybettan @yevgeny-shnaidman
Summary by CodeRabbit
- New Features
- Added NetworkPolicies: default-deny for system namespace, targeted policies for controller (metrics/health, DNS/API egress), webhook (9443 ingress, API egress), and build-and-sign pods (egress). Included in deploy and OLM bundles.
- Refactor
- Simplified pod and service selectors to rely on control-plane labels, reducing reliance on app.kubernetes.io labels.
- Tests
- E2E assets and scripts now run in the openshift-kmm namespace for consistent isolation.
- Chores
- Updated project layout to Kubebuilder v4.
Deploy Preview for openshift-kmm ready!
| Name | Link |
|---|---|
| Latest commit | 727f38aaf4b0c7c8c61fe52fbac7e021a58237b4 |
| Latest deploy log | https://app.netlify.com/projects/openshift-kmm/deploys/69415985c0a419000840a160 |
| Deploy Preview | https://deploy-preview-1652--openshift-kmm.netlify.app |
Walkthrough
This PR restructures bundle generation to include network policies. It adds new Makefile targets (bundle-old, bundle-hub-old) while updating active bundle targets to pass INCLUDE_NETWORK_POLICIES=true. The changes remove Kubernetes app labels from deployments and services across bundle manifests, add NetworkPolicy resources for controller and webhook pods, disable label includeSelectors in kustomization files, add namespace specifications to test resources, and extend the generate-bundle script to conditionally copy network-policy manifests.
Changes
| Cohort / File(s) | Summary |
|---|---|
| Build configuration: Makefile | Added new targets bundle-old and bundle-hub-old to preserve existing workflows; updated bundle and bundle-hub targets to pass INCLUDE_NETWORK_POLICIES=true to ./hack/generate-bundle. |
| Hack scripts: hack/generate-bundle | Added INCLUDE_NETWORK_POLICIES environment variable (default: false); a conditional block copies network-policy YAML files from config/network-policy into the generated bundle manifests when enabled. |
| Bundle manifests, label removal: bundle/manifests/kernel-module-management.clusterserviceversion.yaml, bundle-hub/manifests/kernel-module-management-hub.clusterserviceversion.yaml | Removed app.kubernetes.io/component, app.kubernetes.io/name, and app.kubernetes.io/part-of labels from deployment selector.matchLabels and pod template metadata.labels for both controller and webhook deployments. |
| Service manifests, selector simplification: bundle/manifests/kmm-operator-controller-metrics-service_v1_service.yaml, bundle/manifests/kmm-operator-webhook-service_v1_service.yaml, bundle-hub/manifests/kmm-operator-hub-controller-metrics-service_v1_service.yaml, bundle-hub/manifests/kmm-operator-hub-webhook-service_v1_service.yaml | Removed app.kubernetes.io/component, app.kubernetes.io/name, and app.kubernetes.io/part-of labels from spec.selector, leaving only control-plane labels. |
| NetworkPolicy manifests, new: config/network-policy/controller.yaml, config/network-policy/webhook.yaml, config/network-policy/kustomization.yaml, bundle/manifests/kmm-operator-controller_networking.k8s.io_v1_networkpolicy.yaml, bundle/manifests/kmm-operator-webhook_networking.k8s.io_v1_networkpolicy.yaml, bundle-hub/manifests/kmm-operator-hub-controller_networking.k8s.io_v1_networkpolicy.yaml, bundle-hub/manifests/kmm-operator-hub-webhook_networking.k8s.io_v1_networkpolicy.yaml | Added NetworkPolicy resources restricting ingress/egress for controller (ports 8443, 8081) and webhook (port 9443) pods; policies allow egress to OpenShift DNS and Kubernetes API servers. |
| Kustomization, includeSelectors toggle: config/default/kustomization.yaml, config/default-hub/kustomization.yaml, config/manifests/kustomization.yaml, config/manifests-hub/kustomization.yaml, config/olm/kustomization.yaml, config/olm-hub/kustomization.yaml | Changed labels.includeSelectors from true to false across all kustomization files. |
| Kustomization, network-policy inclusion: config/deploy/kustomization.yaml, config/deploy-hub/kustomization.yaml | Added ../network-policy to the resources list. |
| Kustomization, webhook-server labels: config/webhook-server/kustomization.yaml | Removed includeSelectors: true; adjusted labels structure without functional change. |
| CI/E2E configuration, namespace specification: ci/e2e/module.yaml, ci/e2e/kustomization.yaml, ci/sign-key-certs/kustomization.yaml | Added namespace: openshift-kmm to the Module resource and to configMapGenerator/secretGenerator entries in kustomization files. |
| CI scripts, namespace targeting: ci/prow/e2e-incluster-build | Updated all oc commands (wait, logs, get pods, module deletion) to explicitly specify the -n openshift-kmm namespace for consistent pod operations and lifecycle management. |
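The controller policy summarised in the table above, written out as an added illustration rather than the manifests from this PR: a namespace-wide default-deny plus an allow policy for the controller pod, which together leave only the listed ports open. Only the openshift-kmm namespace and ports 8443/8081 come from the PR; the pod label control-plane: controller-manager, the openshift-dns namespace with DNS on port 5353, and the API server on TCP 6443 are assumptions.

```yaml
# Added illustration, not the manifests from this PR. Assumed values:
# pod label control-plane: controller-manager (kubebuilder convention; the PR
# only says "control-plane labels"), OpenShift DNS in namespace openshift-dns
# on port 5353, and the Kubernetes API server on TCP 6443.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: openshift-kmm
spec:
  podSelector: {}                  # empty selector: every pod in the namespace
  policyTypes: [Ingress, Egress]   # no rules listed, so all traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kmm-operator-controller
  namespace: openshift-kmm
spec:
  podSelector:
    matchLabels:
      control-plane: controller-manager   # assumption, see comment above
  policyTypes: [Ingress, Egress]
  ingress:
    - ports:                  # metrics (8443) and health (8081); no "from", so any source
        - protocol: TCP
          port: 8443
        - protocol: TCP
          port: 8081
  egress:
    - to:                     # cluster DNS only, not arbitrary UDP egress
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-dns
      ports:
        - protocol: UDP
          port: 5353
        - protocol: TCP
          port: 5353
    - ports:                  # API server; it is reached on the host network, so no peer selector
        - protocol: TCP
          port: 6443
```

NetworkPolicies are additive: the allow policy does not override the default-deny, it only opens the named ports for the selected pods, so a pod without a matching allow policy in this namespace can send and receive nothing.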
Estimated code review effort
🎯 3 (Moderate) | ⏱️ ~20 minutes
- Verify label removal consistency: Ensure all app.kubernetes.io/* labels were removed from the correct manifest locations (deployments, services across both bundle and bundle-hub).
- Validate NetworkPolicy definitions: Confirm ingress/egress port mappings and namespace selectors are correct and won't inadvertently block critical traffic.
- Test bundle generation: Verify that the INCLUDE_NETWORK_POLICIES flag correctly gates network-policy file copying in the generate-bundle script.
- Check kustomization impact: Ensure disabling includeSelectors across multiple kustomization files does not break label propagation or cause unintended manifest changes.
- CI/E2E namespace consistency: Confirm that hardcoding the openshift-kmm namespace in test scripts aligns with deployment assumptions.
Possibly related PRs
- #1641: Modifies the same Kubernetes manifests and kustomize configurations to add network policies and adjust service/deployment selectors; parallel or dependent work on network-policy rollout.
Suggested labels
lgtm
Suggested reviewers
- yevgeny-shnaidman
- ybettan
Pre-merge checks and finishing touches
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: adding network policies to KMM and including them in the KMM bundle. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: TomerNewman
- ~~OWNERS~~ [TomerNewman]
We are currently waiting until OLM is stable in older versions of OCP and Konflux allows NP manifests in the bundles. Estimation is it will be done ~Q1 2026.
@TomerNewman: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e | 727f38aaf4b0c7c8c61fe52fbac7e021a58237b4 | link | true | /test e2e |
| ci/prow/operator-upgrade | 727f38aaf4b0c7c8c61fe52fbac7e021a58237b4 | link | true | /test operator-upgrade |
| ci/prow/operator-hub-upgrade | 727f38aaf4b0c7c8c61fe52fbac7e021a58237b4 | link | true | /test operator-hub-upgrade |