
CORENET-6958: add remaining CNO NetworkPolicies #2959

Open
danwinship wants to merge 2 commits into openshift:master from danwinship:default-networkpolicies-hypershift

Conversation

@danwinship
Contributor

@danwinship danwinship commented Apr 13, 2026

Primarily policies for HyperShift, which we had dropped from #2892 due to lack of CI signal, but this also includes the policies for CNCC, which were accidentally omitted from that PR. (I think I got confused before because CNCC's namespace is created from the manifests rather than from bindata...)

Summary by CodeRabbit

  • New Features

    • Added NetworkPolicy resources to allow/limit ingress and egress for cloud-network-config-controller, network-node-identity, and OVN Kubernetes components in hosted and self-hosted environments.
  • Chores

    • Added a default-deny NetworkPolicy for the cloud network config controller namespace to block all traffic by default.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 13, 2026
@openshift-ci-robot
Contributor

openshift-ci-robot commented Apr 13, 2026

@danwinship: This pull request references CORENET-6958 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Primarily policies for HyperShift, which we had dropped from #2892 due to lack of CI signal, but this also includes the policies for CNCC, which were accidentally omitted from that PR. (I think I got confused before because CNCC's namespace is created from the manifests rather than from bindata...)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai bot commented Apr 13, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: ad0caf3b-5991-4d67-b54b-8bc0f02f134b

📥 Commits

Reviewing files that changed from the base of the PR and between f02e217 and 5f788de.

📒 Files selected for processing (4)
  • bindata/cloud-network-config-controller/managed/networkpolicy.yaml
  • bindata/cloud-network-config-controller/self-hosted/networkpolicy.yaml
  • bindata/network/ovn-kubernetes/managed/networkpolicy.yaml
  • manifests/01-cncc-namespace.yaml
✅ Files skipped from review due to trivial changes (3)
  • bindata/cloud-network-config-controller/self-hosted/networkpolicy.yaml
  • bindata/cloud-network-config-controller/managed/networkpolicy.yaml
  • manifests/01-cncc-namespace.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • bindata/network/ovn-kubernetes/managed/networkpolicy.yaml

Walkthrough

Five new Kubernetes NetworkPolicy manifests were added: cloud-network-config-controller (managed and self-hosted), network-node-identity, ovn-kubernetes, and a default-deny policy in the CNCC namespace, each declaring pod selectors and appropriate ingress/egress rules.

Changes

Cohort / File(s) Summary
Cloud Network Config Controller Policies
bindata/cloud-network-config-controller/managed/networkpolicy.yaml, bindata/cloud-network-config-controller/self-hosted/networkpolicy.yaml
Added NetworkPolicy resources selecting pods with app: cloud-network-config-controller that set policyTypes: [Egress] and include an allow-all egress rule (egress: - {}).
Network Node Identity Policy
bindata/network/node-identity/managed/node-identity-networkpolicy.yaml
Added NetworkPolicy named network-node-identity selecting app: network-node-identity with policyTypes: [Ingress, Egress]; ingress allows traffic to {{.NetworkNodeIdentityPort}}, egress set to allow-all (- {}).
OVN Kubernetes Policy
bindata/network/ovn-kubernetes/managed/networkpolicy.yaml
Added NetworkPolicy ovn-kubernetes selecting app: ovnkube-control-plane with policyTypes: [Ingress, Egress]; ingress restricted to container port 9108, egress allow-all (- {}).
Default Deny Policy
manifests/01-cncc-namespace.yaml
Appended NetworkPolicy default-deny in namespace openshift-cloud-network-config-controller with podSelector: {} and policyTypes: [Ingress, Egress], explicitly setting ingress: [] and egress: [] to deny all traffic.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 10
✅ Passed checks (10 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the primary change: adding NetworkPolicy manifests for CNO components, specifically the remaining policies for HyperShift and CNCC that were previously omitted.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names ✅ Passed This PR adds only Kubernetes NetworkPolicy YAML manifest files and contains no Ginkgo test files or test code.
Test Structure And Quality ✅ Passed This PR contains only Kubernetes manifest YAML files, not Ginkgo test code. The custom check is designed to review Ginkgo test quality and is not applicable here.
Microshift Test Compatibility ✅ Passed PR adds only Kubernetes manifest files (YAML), not Ginkgo e2e tests, so the check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR adds only Kubernetes NetworkPolicy YAML manifests without introducing any Ginkgo e2e tests.
Topology-Aware Scheduling Compatibility ✅ Passed PR adds only Kubernetes NetworkPolicy resources, which are network security policies without any scheduling constraints.
Ote Binary Stdout Contract ✅ Passed This PR only modifies static YAML manifest files containing no executable code, making the OTE Binary Stdout Contract check inapplicable.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR adds only Kubernetes NetworkPolicy YAML manifests, not Ginkgo e2e tests, so the custom check requiring IPv6 and disconnected network compatibility validation is not applicable.


Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci bot requested review from jcaamano and taanyas April 13, 2026 12:20
@openshift-ci
Contributor

openshift-ci bot commented Apr 13, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 13, 2026
@openshift-ci-robot
Contributor

openshift-ci-robot commented Apr 13, 2026

@danwinship: This pull request references CORENET-6958 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Primarily policies for HyperShift, which we had dropped from #2892 due to lack of CI signal, but this also includes the policies for CNCC, which were accidentally omitted from that PR. (I think I got confused before because CNCC's namespace is created from the manifests rather than from bindata...)

Summary by CodeRabbit

Release Notes

  • New Features

  • Added network security policies for cloud network configuration controller, node identity, and OVN Kubernetes components to control ingress and egress network traffic flows and enhance overall platform security across hosted and self-hosted cluster environments.

  • Chores

  • Implemented default-deny network policies for the cloud network configuration operator namespace to restrict all traffic by default.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@manifests/01-cncc-namespace.yaml`:
- Around line 17-29: The NetworkPolicy named "default-deny" has
metadata.namespace set to openshift-cloud-network-config-operator while the
manifest's Namespace resource is openshift-cloud-network-config-controller;
update the NetworkPolicy's metadata.namespace to exactly
"openshift-cloud-network-config-controller" (or vice versa so both names match)
so the default-deny policy applies to the CNCC namespace, ensuring the resource
name "default-deny" and the metadata.namespace fields are consistent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 04eb63c6-4d3c-4206-875c-c5f280324eb2

📥 Commits

Reviewing files that changed from the base of the PR and between bc5af87 and f02e217.

📒 Files selected for processing (5)
  • bindata/cloud-network-config-controller/managed/networkpolicy.yaml
  • bindata/cloud-network-config-controller/self-hosted/networkpolicy.yaml
  • bindata/network/node-identity/managed/node-identity-networkpolicy.yaml
  • bindata/network/ovn-kubernetes/managed/networkpolicy.yaml
  • manifests/01-cncc-namespace.yaml
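Added example, not code from this PR or from cluster-network-operator: a small lint over a multi-document manifest of Namespace and NetworkPolicy objects that reproduces the namespace-mismatch finding in the review comment above and reports what each policy described in the CodeRabbit walkthrough actually does per direction. The point it makes explicit is that `egress: []` (deny all), `egress: [{}]` (allow all) and a ports-only ingress rule (open to every peer on those ports) look alike in YAML but behave very differently, and that the API server only adds Egress to an omitted policyTypes when the egress list is non-empty, so a default-deny must state policyTypes explicitly. The documents are constructed in-line so the script runs offline; the `default-deny` one deliberately carries the "operator" vs "controller" mismatch the bot reported, and the ovn-kubernetes-style policy sits in a placeholder namespace `example-hosted-control-plane`, which is an assumption for illustration and not a real CNO namespace. In practice the documents would come from `yaml.safe_load_all()` over the manifest file.

```python
"""Lint Namespace + NetworkPolicy documents: namespace consistency and the
effective per-direction behaviour of each policy (added example, not CNO code)."""

NAMESPACE = "openshift-cloud-network-config-controller"
EXAMPLE_NS = "example-hosted-control-plane"  # placeholder namespace, assumption


def netpol(name, namespace, spec):
    """Build a NetworkPolicy document in the shape yaml.safe_load_all() yields."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


# Constructed sample manifest, modelled on the PR description, not copied from it.
DOCS = [
    {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": NAMESPACE}},
    {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": EXAMPLE_NS}},
    # Deliberately misnamespaced, reproducing the finding on the first revision.
    netpol("default-deny", "openshift-cloud-network-config-operator",
           {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
            "ingress": [], "egress": []}),
    netpol("cloud-network-config-controller", NAMESPACE,
           {"podSelector": {"matchLabels": {"app": "cloud-network-config-controller"}},
            "policyTypes": ["Egress"], "egress": [{}]}),
    netpol("ovn-kubernetes", EXAMPLE_NS,
           {"podSelector": {"matchLabels": {"app": "ovnkube-control-plane"}},
            "policyTypes": ["Ingress", "Egress"],
            "ingress": [{"ports": [{"protocol": "TCP", "port": 9108}]}],
            "egress": [{}]}),
]


def declared_namespaces(docs):
    return {d["metadata"]["name"] for d in docs if d.get("kind") == "Namespace"}


def policy_types(spec):
    """Apply the API server's defaulting when policyTypes is omitted: Ingress is
    always included; Egress only when the egress list is non-empty. A bare
    `egress: []` therefore does NOT turn the policy into an egress policy."""
    types = spec.get("policyTypes")
    if types:
        return list(types)
    return ["Ingress"] + (["Egress"] if spec.get("egress") else [])


def direction_effect(policy, direction):
    """Return 'unaffected', 'deny-all', 'allow-all' or 'restricted' for
    direction 'Ingress' or 'Egress'."""
    spec = policy.get("spec", {})
    if direction not in policy_types(spec):
        return "unaffected"          # this policy says nothing about that direction
    rules = spec.get(direction.lower()) or []
    if not rules:
        return "deny-all"            # selected, but no rule admits anything
    if any(rule == {} for rule in rules):
        return "allow-all"           # an empty rule matches every peer and port
    return "restricted"


def is_default_deny(policy):
    spec = policy.get("spec", {})
    return (not spec.get("podSelector")   # {} selects every pod in the namespace
            and direction_effect(policy, "Ingress") == "deny-all"
            and direction_effect(policy, "Egress") == "deny-all")


def open_port_rules(policy):
    """Ingress rules that list ports but no `from`: any peer may reach those ports."""
    return [r for r in policy.get("spec", {}).get("ingress") or []
            if r and "ports" in r and "from" not in r]


def lint(docs):
    """Return (summary, findings); summary maps policy name -> (ingress, egress)."""
    known = declared_namespaces(docs)
    summary, findings = {}, []
    for p in docs:
        if p.get("kind") != "NetworkPolicy":
            continue
        name, ns = p["metadata"]["name"], p["metadata"].get("namespace")
        summary[name] = (direction_effect(p, "Ingress"), direction_effect(p, "Egress"))
        if ns not in known:
            findings.append(f"{name}: namespace {ns!r} is not declared in this "
                            f"manifest (declared: {sorted(known)})")
        for r in open_port_rules(p):
            ports = ", ".join(str(x.get("port")) for x in r["ports"])
            findings.append(f"{name}: ingress on port(s) {ports} has no `from`; "
                            f"reachable from any peer")
    return summary, findings


if __name__ == "__main__":
    summary, findings = lint(DOCS)
    for name, (ing, eg) in summary.items():
        print(f"{name:34} ingress={ing:10} egress={eg}")
    for f in findings:
        print("FINDING:", f)
```

Running it reports `default-deny` as deny-all in both directions but attached to an undeclared namespace, the CNCC policy as ingress-unaffected (so the namespace default-deny still blocks ingress to it) with allow-all egress, and the ovn-kubernetes-style policy as restricted ingress with a ports-only rule, which is the check to keep in mind whenever an ingress rule names a port without a `from` peer list.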

@danwinship danwinship force-pushed the default-networkpolicies-hypershift branch from f02e217 to 5f788de Compare April 13, 2026 18:03
@openshift-ci-robot
Contributor

openshift-ci-robot commented Apr 13, 2026

@danwinship: This pull request references CORENET-6958 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Primarily policies for HyperShift, which we had dropped from #2892 due to lack of CI signal, but this also includes the policies for CNCC, which were accidentally omitted from that PR. (I think I got confused before because CNCC's namespace is created from the manifests rather than from bindata...)

Summary by CodeRabbit

  • New Features

  • Added NetworkPolicy resources to allow/limit ingress and egress for cloud-network-config-controller, network-node-identity, and OVN Kubernetes components in hosted and self-hosted environments.

  • Chores

  • Added a default-deny NetworkPolicy for the cloud network config controller namespace to block all traffic by default.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@danwinship
Contributor Author

/retest

@openshift-ci
Contributor

openshift-ci bot commented Apr 14, 2026

@danwinship: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                                                      Commit   Details  Required  Rerun command
ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec                           5f788de  link     true      /test e2e-metal-ipi-ovn-ipv6-ipsec
ci/prow/e2e-aws-ovn-upgrade                                    5f788de  link     true      /test e2e-aws-ovn-upgrade
ci/prow/e2e-metal-ipi-ovn-dualstack-bgp                        5f788de  link     true      /test e2e-metal-ipi-ovn-dualstack-bgp
ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw               5f788de  link     true      /test e2e-metal-ipi-ovn-dualstack-bgp-local-gw
ci/prow/e2e-aws-ovn-rhcos10-techpreview                        5f788de  link     false     /test e2e-aws-ovn-rhcos10-techpreview
ci/prow/e2e-aws-ovn-hypershift-conformance                     5f788de  link     true      /test e2e-aws-ovn-hypershift-conformance
ci/prow/e2e-ovn-ipsec-step-registry                            5f788de  link     true      /test e2e-ovn-ipsec-step-registry
ci/prow/e2e-gcp-ovn                                            5f788de  link     true      /test e2e-gcp-ovn
ci/prow/security                                               5f788de  link     false     /test security
ci/prow/e2e-metal-ipi-ovn-ipv6                                 5f788de  link     true      /test e2e-metal-ipi-ovn-ipv6
ci/prow/4.22-upgrade-from-stable-4.21-e2e-aws-ovn-upgrade      5f788de  link     false     /test 4.22-upgrade-from-stable-4.21-e2e-aws-ovn-upgrade
ci/prow/4.22-upgrade-from-stable-4.21-e2e-azure-ovn-upgrade    5f788de  link     false     /test 4.22-upgrade-from-stable-4.21-e2e-azure-ovn-upgrade
ci/prow/hypershift-e2e-aks                                     5f788de  link     true      /test hypershift-e2e-aks

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
