Epic
Resolution: Done
cert-manager operator NetworkPolicy
To Do
Without network policies, any pod within the OpenShift cluster can communicate freely with any other pod, regardless of its intended level of access. Attackers or compromised pods can exploit this lack of restriction to move laterally within the cluster and potentially compromise critical components. In the absence of network policies, pods may also have unrestricted communication with external networks, which can result in unintended data leakage, where sensitive information is transmitted to unauthorized destinations.
Red Hat Product Security has asked that we address this risk by shipping OpenShift components with Kubernetes Network Policies, starting with the control plane and followed by the optional Red Hat OpenShift Operators. More information on the threat assessment from Product Security is available at https://docs.google.com/document/d/1B7ZCfwEfl0AqPoQHqeoAIuBQNoCMAeWwEkMSV_TItjg/edit?usp=sharing.
Each operator will deploy Kubernetes Network Policy resources into the namespaces it is responsible for.
For more information, see https://groups.google.com/a/redhat.com/g/aos-devel/c/fCUR7VH076M/m/KGwBT7hiBgAJ
- duplicates CM-525 Tailored Network Policies for cert-manager (In Progress)