✨ Introduce NetworkPolicy for core component workloads. (#3579)

* Introduce NetworkPolicy for core component workloads.

[RFC](https://docs.google.com/document/d/10MZ4t2XgRydGa-NRs4uXFNVoTHH9SPKd7mV9IwT_i7M/edit?usp=sharing)

Signed-off-by: Per G. da Silva <[email protected]>

* specify namespace with selectors

* Fix formatting

Signed-off-by: Per G. da Silva <[email protected]>

* template network policy

Signed-off-by: Per G. da Silva <[email protected]>

* restrict kube-apiserver and dns traffic

Signed-off-by: Per G. da Silva <[email protected]>

* Address reviewer comments

Signed-off-by: Per G. da Silva <[email protected]>

---------

Signed-off-by: Per G. da Silva <[email protected]>
Co-authored-by: Per G. da Silva <[email protected]>

Author: anik120

deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml

@@ -0,0 +1,86 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all-traffic
+  namespace: {{ .Values.namespace }}
+spec:
+  podSelector: { }
+  policyTypes:
+    - Ingress
+    - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: olm-operator
+  namespace: {{ .Values.namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: olm-operator
+  ingress:
+    - {{ .Values.networkPolicy.metrics | toYaml | nindent 6 | trimSuffix "\n" }}
+  egress:
+    - {{ .Values.networkPolicy.kubeAPIServer | toYaml | nindent 6 | trimSuffix "\n" }}
+    - {{ .Values.networkPolicy.dns | toYaml | nindent 6 | trimSuffix "\n" }}
+  policyTypes:
+    - Ingress
+    - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: catalog-operator
+  namespace: {{ .Values.namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: catalog-operator
+  ingress:
+    - {{ .Values.networkPolicy.metrics | toYaml | nindent 6 | trimSuffix "\n" }}
+  egress:
+    - {{ .Values.networkPolicy.kubeAPIServer | toYaml | nindent 6 | trimSuffix "\n" }}
+    - {{ .Values.networkPolicy.dns | toYaml | nindent 6 | trimSuffix "\n" }}
+    - ports: # This is another distinct rule in the egress list
+      - protocol: TCP
+        port: {{ .Values.catalogGrpcPodPort }}
+  policyTypes:
+    - Ingress
+    - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: packageserver
+  namespace: {{ .Values.namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: packageserver
+  ingress:
+    - ports:
+      - protocol: TCP
+        port: {{ .Values.package.service.internalPort }}
+  egress:
+    - {{ .Values.networkPolicy.dns | toYaml | nindent 6 | trimSuffix "\n" }}
+    - ports:
+      - protocol: TCP
+        port: {{ .Values.catalogGrpcPodPort }}
+  policyTypes:
+  - Ingress
+  - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-allow-all
+  namespace: {{ .Values.operator_namespace }}
+spec:
+  podSelector: { }
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - { }
+  egress:
+    - { }

deploy/chart/templates/0000_50_olm_01-olm-operator.serviceaccount.yaml renamed to deploy/chart/templates/0000_50_olm_02-olm-operator.serviceaccount.yaml

@@ -19,6 +19,8 @@ writeStatusName: '""'
 imagestream: false
 debug: false
 installType: upstream
+catalogGrpcPodPort: 50051
+
 olm:
   replicaCount: 1
   image:
@@ -75,3 +77,19 @@ package:
 monitoring:
   enabled: false
   namespace: monitoring
+
+networkPolicy:
+  dns:
+    ports:
+      - protocol: TCP
+        port: 53
+      - protocol: UDP
+        port: 53
+  kubeAPIServer:
+    ports:
+      - protocol: TCP
+        port: 6443
+  metrics:
+    ports:
+      - protocol: TCP
+        port: metrics