OCPBUGS-77958 (OpenShift Bugs): Update NetworkPolicy egress in OLM to support HyperShift custom API ports

Release Note Text:

Cause: NetworkPolicy egress rules in OLM v0 hardcoded port 6443 for kube-apiserver access across static manifests and generated policies. HyperShift allows custom API server ports that differ from 6443.

Consequence: OLM v0 components (olm-operator, catalog-operator, packageserver) failed to communicate with kube-apiserver in HyperShift clusters using custom API ports, preventing operator installation and catalog operations.

Fix: Updated NetworkPolicy egress rules to use a wildcard (egress: [{}]) for kube-apiserver traffic in both static manifests and dynamic policy generation code. Added explicit DNS rules (ports 53, 5353) for future policy refinements.

Result: OLM v0 now supports HyperShift deployments with any configured API server port.

Description of problem:

The current NetworkPolicy rules in operator-lifecycle-manager (OLM v0) hardcode port 6443 for Kubernetes API Server access and have restrictive egress rules for DNS. This breaks HyperShift deployments that customize the API server port via configuration options.

Current State: NetworkPolicy configurations in both static manifests and Go code hardcode port 6443 for kube-apiserver egress, which prevents OLM components from communicating with HyperShift clusters using custom API server ports.

Expected Behavior: Per latest guidance, NetworkPolicy egress rules should:
  1. kube-apiserver: Use wildcard to allow all IPs/Ports ({})
  2. DNS: Use wildcard to allow all IPs with ports 53 and 5353 (TCP and UDP)

This approach is already used by related projects like catalogd and operator-controller.

Related Work: This is the OLM v0 counterpart to OCPBUGS-66980, which addresses the same issue in operator-marketplace (static manifests).
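To check a manifest for the two conditions described above (kube-apiserver egress pinned to 6443, DNS not allowed on 53 and 5353 over both TCP and UDP), here is an added audit script; it is not OLM's own code. It assumes the policy is available as a Python dict in the NetworkPolicy API shape, and the `audit_egress` name and both sample policies are constructed for the example.

```python
# Added example (not OLM's code): audit a NetworkPolicy (as a Python dict) for
# the two conditions in this bug: egress to kube-apiserver pinned to 6443, and
# DNS not allowed on 53/5353 over both TCP and UDP. Policies are constructed.
DNS_PORTS = (53, 5353)
PROTOCOLS = ("TCP", "UDP")

def _is_wildcard(rule):
    """An empty rule {} (no 'to', no 'ports') allows every destination and port."""
    return not rule.get("to") and not rule.get("ports")

def _allows(rule, port, proto):
    """A rule without 'ports' allows all ports; a missing protocol means TCP."""
    if not rule.get("ports"):
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == proto
               for p in rule["ports"])

def audit_egress(policy):
    """Return a list of findings; empty means custom HyperShift API ports work."""
    egress = policy.get("spec", {}).get("egress", [])
    findings = []
    if not any(_is_wildcard(r) for r in egress):
        pinned = sorted({p.get("port") for r in egress for p in r.get("ports", [])})
        findings.append(f"no wildcard egress rule: kube-apiserver limited to ports "
                        f"{pinned}, so a custom HyperShift API port is blocked")
    for port in DNS_PORTS:
        for proto in PROTOCOLS:
            if not any(_allows(r, port, proto) for r in egress):
                findings.append(f"DNS egress missing {port}/{proto}")
    return findings

def _policy(name, egress):
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name},
            "spec": {"podSelector": {"matchLabels": {"app": name}},
                     "policyTypes": ["Egress"], "egress": egress}}

# Constructed "before" policy: API server pinned to 6443, DNS only on 53/UDP.
BEFORE = _policy("olm-operator", [
    {"ports": [{"protocol": "TCP", "port": 6443}]},
    {"ports": [{"protocol": "UDP", "port": 53}]},
])

# Constructed "after" policy, the shape of the fix: [{}] plus explicit DNS rules.
AFTER = _policy("olm-operator", [
    {},
    {"ports": [{"protocol": pr, "port": po} for po in DNS_PORTS for pr in PROTOCOLS]},
])
```

With the wildcard rule in place the explicit DNS entries are redundant today; they are what keeps the audit passing once the wildcard is narrowed later, which is the refinement the fix anticipates.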

Version-Release number of selected component (if applicable):

4.20+

How reproducible:

Always

Steps to Reproduce:

See OCPBUGS-66980 for detailed reproduction steps. The issue manifests identically in OLM v0 components when deployed on HyperShift clusters with custom API server ports.

Actual results:

OLM v0 components fail to communicate with the Kubernetes API server on HyperShift clusters using custom API ports, causing OLM to be non-functional. NetworkPolicy rules block egress traffic to any port other than 6443.

Expected results:

Installing an operator works

People: Rashmi Gottipati (rashmigottipati), Kui Wang