allow the StaticResourceController to manage the networkpolicies after CVO application

Author: dusk125

bindata/assets/kube-apiserver/networkpolicy-operand-allow.yaml

@@ -0,0 +1,27 @@
+# Allow all egress for guard, installer, and pruner pods in the openshift-kube-apiserver namespace.
+#
+# These pods run on the pod network (unlike kube-apiserver which uses hostNetwork and
+# bypasses NetworkPolicy entirely). They need egress for:
+# - installer/pruner: API server access to manage static pod manifests
+# - guard: kube-apiserver health checks on port 6443
+# - all: DNS resolution via openshift-dns
+#
+# All egress is permitted because the API server address can vary by cluster configuration.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-egress
+  namespace: openshift-kube-apiserver
+spec:
+  podSelector:
+    matchExpressions:
+    - key: app
+      operator: In
+      values:
+      - guard
+      - installer
+      - pruner
+  egress:
+  - {}
+  policyTypes:
+  - Egress

bindata/assets/kube-apiserver/networkpolicy-operand-default-deny.yaml

@@ -0,0 +1,22 @@
+# Default-deny policy for the openshift-kube-apiserver namespace.
+# This policy selects all pods in the namespace and enables default-deny for both
+# ingress and egress by specifying policyTypes without any allow rules.
+#
+# NetworkPolicies are additive (use OR logic):
+# - This policy enables default-deny for all pods
+# - Subsequent policies add specific allow rules
+# - If any policy allows traffic, that traffic is permitted
+# - Policies cannot override or block traffic allowed by other policies
+#
+# Note: kube-apiserver static pods use hostNetwork: true and bypass all NetworkPolicy rules.
+# This policy only affects pods running on the pod network (guard, installer, pruner).
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny
+  namespace: openshift-kube-apiserver
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress

manifests/0000_12_kube-apiserver-operand_networkpolicies.yaml

@@ -0,0 +1,30 @@
+# Allow all egress and metrics ingress for the kube-apiserver-operator pod.
+#
+# Egress is needed for:
+# - DNS resolution via openshift-dns
+# - Kubernetes API server communication (address varies by cluster configuration)
+# - kube-apiserver health checks on port 6443 (hostNetwork, accessed via node IPs)
+#
+# Ingress is needed for:
+# - Prometheus metrics scraping on port 8443
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-egress-and-metrics-ingress
+  namespace: openshift-kube-apiserver-operator
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  podSelector:
+    matchLabels:
+      app: kube-apiserver-operator
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - protocol: TCP
+      port: 8443
+  policyTypes:
+  - Ingress
+  - Egress

manifests/0000_20_kube-apiserver-operator_11_networkpolicies.yaml

@@ -0,0 +1,24 @@
+# Default-deny policy for the openshift-kube-apiserver-operator namespace.
+# This policy selects all pods in the namespace and enables default-deny for both
+# ingress and egress by specifying policyTypes without any allow rules.
+#
+# NetworkPolicies are additive (use OR logic):
+# - This policy enables default-deny for all pods
+# - Subsequent policies add specific allow rules
+# - If any policy allows traffic, that traffic is permitted
+# - Policies cannot override or block traffic allowed by other policies
+#
+# Without this policy, all pods would have unrestricted network access (allow-all).
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny
+  namespace: openshift-kube-apiserver-operator
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress

manifests/0000_20_kube-apiserver-operator_networkpolicy-allow.yaml

@@ -240,6 +240,10 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 			"assets/alerts/kube-apiserver-requests.yaml",
 			"assets/alerts/kube-apiserver-slos-basic.yaml",
 			"assets/alerts/podsecurity-violations.yaml",
+			// Network policies
+			"assets/kube-apiserver/networkpolicy-operand-allow.yaml",
+			// Default-deny policies must be applied last
+			"assets/kube-apiserver/networkpolicy-operand-default-deny.yaml",
 		},
 		(&resourceapply.ClientHolder{}).
 			WithKubernetes(kubeClient).