Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: 4.22
Component/s: Cluster Version Operator
Labels:
None

Activity Type:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Important
Regression:
Yes

Target Backport Versions:

4.20, 4.21, 4.22
Target Version:

4.22.0
Release Blocker:
Proposed
Sprint:
OTA 284
sprint_count:
1

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
In Progress
Release Note Type:
Enhancement
Release Note Text:
A new NetworkPolicy for the openshift-cluster-version namespace denies all ingress and egress traffic for Pods that are not host-networked.

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

    CVO should have default deny network policy to protect from unintended dataleaks/attacks from OCP 4.20

Version-Release number of selected component (if applicable):

    4.22.0-ec.3

How reproducible:

everytime

Steps to Reproduce:

1.Install a 4.22 latest Cluster

%oc get clusterversionNAME      VERSION       AVAILABLE   PROGRESSING   SINCE   STATUSversion   4.22.0-ec.3   True        False         29m     Cluster version is 4.22.0-ec.3

2. list CVO network Policies

Actual results:

%oc get NetworkPolicy -n openshift-cluster-version
No resources found in openshift-cluster-version namespace.

Expected results:

 % oc get networkpolicy -n openshift-cluster-version
NAME           POD-SELECTOR   AGE
default-deny   <none>         41m

% oc describe networkpolicy default-deny -n openshift-cluster-version   
Name:         default-deny
Namespace:    openshift-cluster-version
Created on:   2025-07-02 21:24:27 +0530 IST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Allowing egress traffic:
    <none> (Selected pods are isolated for egress connectivity)
  Policy Types: Ingress, Egress
%

Additional info:

links to

openshift/cluster-version-operator#1333: OCPBUGS-77762: install/0000_00_cluster-version-operator_02_networkpolicy: Add inclusion annotations

openshift/cluster-version-operator#1334: OCPBUGS-77762: Add an e2e to check the default network polocy

Assignee:: W. Trevor King

Reporter:: Dinesh Kumar S

QA Contact:: Dinesh Kumar S

Need Info From:: None

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2026/03/04 9:43 AM

Updated:: 2026/03/05 12:46 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates