OpenShift Builds - BUILD-1557

Operand Network Policies

    • Type: Epic
    • Resolution: Unresolved
    • Priority: Critical
    • builds-1.7
    • builds-1.7
    • Status: To Do
    • SECFLOWOTL-273 - Builds for OpenShift Network Policies

      Epic Goal

      Create network policies for all Builds for OpenShift operand components:

      1. Shipwright build controller + conversion/mutating admission webhooks
      2. Shared Resource CSI Driver DaemonSet

      Out of Scope:
      1. The operator deployment + bundle - see BUILD-1558
      2. User workloads (builds)

      Why is this important?

      Without network policies, any pod within the OpenShift cluster can communicate freely with every other pod, regardless of its intended level of access. Attackers or compromised pods can exploit this lack of restriction to move laterally within the cluster and potentially compromise critical components. In the absence of network policies, pods may also have unrestricted communication with external networks, which can result in unintended data leakage, where sensitive information is transmitted to unauthorized destinations.

      Scenarios

      • Block in-cluster communication from a compromised pod
      • Prevent egress/exfiltration if a product pod is compromised (defense in depth)
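      As an added illustration of the two scenarios above (not a manifest from this epic or from the Shipwright/OpenShift Builds projects, whose technical requirements are still TBD): a default-deny policy for the operand namespace paired with a narrow allow policy for the build controller. The namespace, pod label, webhook port and API server ClusterIP are assumed placeholders.

```yaml
# Added illustrative example, not the epic's design. Assumed placeholder values:
# namespace openshift-builds, label app=shipwright-build-controller, webhook
# port 9443, kubernetes.default ClusterIP 172.30.0.1.
---
# Default deny: a policy with an empty podSelector, both policyTypes and no
# rules isolates every pod in the namespace, so a compromised pod can neither
# reach other pods nor exfiltrate data (the two scenarios above).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: openshift-builds
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Re-open only what the build controller needs.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: shipwright-build-controller
  namespace: openshift-builds
spec:
  podSelector:
    matchLabels:
      app: shipwright-build-controller   # assumed label
  policyTypes: [Ingress, Egress]
  ingress:
    # Admission webhook calls originate from kube-apiserver, which is
    # host-networked on OpenShift, hence the host-network namespace group.
    - from:
        - namespaceSelector:
            matchLabels:
              policy-group.network.openshift.io/host-network: ""
      ports: [{protocol: TCP, port: 9443}]   # assumed webhook port
  egress:
    # Cluster DNS: OpenShift CoreDNS pods listen on 5353, not 53.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-dns
      ports: [{protocol: UDP, port: 5353}, {protocol: TCP, port: 5353}]
    # Kubernetes API, for watching Builds/BuildRuns and creating TaskRuns.
    - to:
        - ipBlock:
            cidr: 172.30.0.1/32   # assumed kubernetes.default ClusterIP
      ports: [{protocol: TCP, port: 443}]
```

      The webhooks and the Shared Resource CSI Driver DaemonSet would each get an analogous allow policy; check whether the CSI driver pods run with hostNetwork, because NetworkPolicy does not apply to host-networked pods.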

      Acceptance Criteria (Mandatory)

      • Technical requirements TBD
      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • ...

      Dependencies (internal and external)

      TBD

      Previous Work (Optional):

      Open questions:

      TBD

      Done Checklist

      • Acceptance criteria are met
      • Non-functional properties of the Feature have been validated (such as performance, resource, UX, security or privacy aspects)
      • User Journey automation is delivered
      • Support and SRE teams are provided with enough skills to support the feature in production environment

              rh-ee-hawad Hasan Awad
              adkaplan@redhat.com Adam Kaplan