Goal

Add NetworkPolicy resources to the DAS operator so that the das-operator namespace has restricted ingress and egress, in line with OCPSTRAT-2061 / OCPSTRAT-819 requirements.

Implementation

Follow the kueue-operator pattern (same library-go + bindata/assets architecture).

New files:

• bindata/assets/instaslice-operator/networkpolicy/99-deny-all.yaml — Default deny all ingress and egress for all pods in the namespace
• bindata/assets/instaslice-operator/networkpolicy/10-allow-egress-api.yaml — Allow all DAS pods egress to kube-apiserver on port 6443
• bindata/assets/instaslice-operator/networkpolicy/10-allow-egress-cluster-dns.yaml — Allow all DAS pods egress to openshift-dns for name resolution
• bindata/assets/instaslice-operator/networkpolicy/10-allow-ingress-webhook.yaml — Allow kube-apiserver ingress to webhook pods on port 8443
• pkg/util/resourceapply/networking.go — NetworkPolicy apply helper (ported from kueue-operator, since library-go does not yet have ApplyNetworkPolicy)

Modified files:

• pkg/operator/target_config_reconciler.go — Add manageNetworkPolicies() function and call it in sync()

Acceptance Criteria

• All 4 NetworkPolicy resources are created in the das-operator namespace when the operator reconciles
• Operator, webhook, scheduler, and daemonset continue to function correctly with policies applied
• Policies are reconciled (recreated if deleted, updated if modified)
• Owner references set so policies are garbage collected with the DASOperator CR

Reference

• kueue-operator network policy implementation
• NTO network policy PR
• CVO network policy PR