Bug
Resolution: Unresolved
Critical
None
4.20, 4.21
Description of problem:
The current NetworkPolicy rules in operator-lifecycle-manager (OLM v0) hardcode port 6443 for Kubernetes API Server access and have restrictive egress rules for DNS. This breaks HyperShift deployments that customize the API server port via configuration options.
Current State: NetworkPolicy configurations in both static manifests and Go code hardcode port 6443 for kube-apiserver egress, which prevents OLM components from communicating with HyperShift clusters using custom API server ports.
Expected Behavior: Per the latest guidance, NetworkPolicy egress rules should:
1. kube-apiserver: Use a wildcard rule that allows all IPs and ports ({}).
2. DNS: Use a wildcard rule that allows all IPs, restricted to ports 53 and 5353 (TCP and UDP).
This approach is already used by related projects such as catalogd and operator-controller.
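As an added illustration (constructed for this report, not OLM's own manifest), the hardcoded egress rule beside the wildcard form described above; the policy names, namespace and pod label are placeholders:

```yaml
# Constructed example; names, namespace and labels are placeholders.
---
# BEFORE: API server egress pinned to 6443, which blocks HyperShift clusters
# whose kube-apiserver listens on a customized port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example-olm-egress-hardcoded
  namespace: example-olm-namespace        # placeholder
spec:
  podSelector:
    matchLabels:
      app: example-olm-component          # placeholder label
  policyTypes:
  - Egress
  egress:
  - ports:
    - protocol: TCP
      port: 6443
---
# AFTER: an empty egress rule ({}) allows any destination on any port for the
# API server; DNS is limited only by port (53 and 5353, TCP and UDP), not by peer.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example-olm-egress-wildcard
  namespace: example-olm-namespace        # placeholder
spec:
  podSelector:
    matchLabels:
      app: example-olm-component          # placeholder label
  policyTypes:
  - Egress
  egress:
  - {}                                    # kube-apiserver: all IPs, all ports
  - ports:                                # DNS: all IPs, ports 53/5353 TCP+UDP
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 5353
    - protocol: UDP
      port: 5353
```

Because an empty egress rule already permits all egress from the pods it selects, the DNS rule only adds enforcement for pods that the API-server wildcard rule does not select.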
Related Work: This is the OLM v0 counterpart to OCPBUGS-66980, which addresses the same issue in operator-marketplace (static manifests).
Version-Release number of selected component (if applicable):
4.20+
How reproducible:
Always
Steps to Reproduce:
See OCPBUGS-66980 for detailed reproduction steps. The issue manifests identically in OLM v0 components when deployed on HyperShift clusters with custom API server ports.
Actual results:
OLM v0 components fail to communicate with the Kubernetes API server on HyperShift clusters using custom API ports, causing OLM to be non-functional. NetworkPolicy rules block egress traffic to any port other than 6443.
Expected results:
Installing an operator works
Clones: OCPBUGS-66980 OLM's unpack-bundles and marketplace-operator NetworkPolicy is not compatible with HyperShift's KAS port customization