Story
Resolution: Unresolved
Normal
Product / Portfolio Work
Summary
OTA-1609 covers the OSUS operand with a NetworkPolicy that allows all egress, so that OSUS can scrape image registries. That NetworkPolicy can be tightened dynamically to allow egress only to the specific cluster-internal endpoint when the UpdateService is configured to scrape a cluster-internal (.svc) endpoint.
The namespace to allow egress to would have to be parsed out of the endpoint URL, which is ugly; the alternative is to extend the UpdateService API with a 'reference to a service' field.
This is likely a stretch goal for OTA-1498; the OTA-1609 operand coverage is probably enough initially.
Definition of Done
- If the UpdateService is configured to scrape a cluster-internal endpoint (.svc), the NetworkPolicy created for that UpdateService should restrict egress to the pods in that specific namespace
Testing
- Expected NetworkPolicy resources are created for each UpdateService instance
- OSUS must keep working as normal, that is, scraping the image registry and serving the graph through the Route endpoint
- When the UpdateService is configured to scrape a cluster-internal endpoint, the OSUS Pods must not be allowed any cluster-external egress
- Needs testing for the interaction with port filters (OTA-1610) and with the cluster-wide proxy (which I think should not be used for cluster-internal communication)
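The following is an added worked example of the mechanism described in the summary and checked by the Testing list above; it is not code from the OSUS operator or from this issue. It parses the UpdateService upstream URL, decides whether the host is a cluster-internal `<service>.<namespace>.svc[.cluster.local]` name, and emits the NetworkPolicy that results: egress restricted to that namespace (via the `kubernetes.io/metadata.name` label that Kubernetes sets on every namespace) when the upstream is internal, and the OTA-1609 allow-all egress otherwise. The operand pod label `app=<name>`, the OpenShift DNS namespace and pod port used for the DNS rule, and the `target_port` parameter are assumptions made for the example.

```python
"""Derive a per-UpdateService egress NetworkPolicy from its upstream URL.

Added example, not code from the OSUS operator. Assumptions (not from the issue):
the operand pods carry the label app=<updateservice-name>, the policy lives in the
operator's namespace, and OpenShift's DNS pods live in openshift-dns on port 5353.
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass
from urllib.parse import urlsplit

# Longest suffix first, so "x.ns.svc.cluster.local" is not cut at ".svc" wrongly.
SVC_SUFFIXES = (".svc.cluster.local", ".svc")

# Assumed OpenShift defaults. Egress policy is evaluated on the post-DNAT
# destination, so the rule must name the DNS *pods'* port, not the 53 of the
# dns-default Service. Verify on the target cluster.
DNS_NAMESPACE = "openshift-dns"
DNS_POD_PORT = 5353


@dataclass(frozen=True)
class InternalEndpoint:
    service: str
    namespace: str
    port: int  # port from the URL, i.e. the Service port


def parse_cluster_internal(upstream: str) -> InternalEndpoint | None:
    """Return service/namespace/port for a .svc upstream URL, else None."""
    parts = urlsplit(upstream)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.rstrip(".")  # .hostname is already lower-cased
    try:
        ipaddress.ip_address(host)
        return None  # a bare IP (even a ClusterIP) is not a .svc endpoint
    except ValueError:
        pass
    for suffix in SVC_SUFFIXES:
        if host.endswith(suffix):
            labels = host[: -len(suffix)].split(".")
            if len(labels) != 2 or not all(labels):
                return None  # needs exactly <service>.<namespace>
            port = parts.port or (443 if parts.scheme == "https" else 80)
            return InternalEndpoint(labels[0], labels[1], port)
    return None


def egress_policy(name: str, operator_namespace: str, upstream: str,
                  target_port: int | None = None) -> dict:
    """NetworkPolicy for the operand pods of one UpdateService.

    target_port is the upstream pods' containerPort. It can differ from the
    Service port in the URL, and egress rules match the pod port after the
    Service DNAT; resolving it needs the Service object, which is what the
    'reference to a service' API field would give us. When unknown, restrict
    to the namespace only rather than guess a port that may silently break OSUS.
    """
    internal = parse_cluster_internal(upstream)
    if internal is None:
        egress = [{}]  # a single empty rule allows all egress (OTA-1609 baseline)
    else:
        to_ns = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": internal.namespace}}}
        upstream_rule: dict = {"to": [to_ns]}
        if target_port is not None:
            upstream_rule["ports"] = [{"protocol": "TCP", "port": target_port}]
        dns_rule = {  # without DNS the pod cannot resolve <svc>.<ns>.svc at all
            "to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": DNS_NAMESPACE}}}],
            "ports": [{"protocol": "UDP", "port": DNS_POD_PORT}, {"protocol": "TCP", "port": DNS_POD_PORT}],
        }
        egress = [upstream_rule, dns_rule]
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"{name}-egress", "namespace": operator_namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app": name}},  # assumed operand label
            "policyTypes": ["Egress"],  # ingress via the Route is left untouched
            "egress": egress,
        },
    }


if __name__ == "__main__":
    # Constructed sample upstream; the Service port 8443 is also assumed to be the pod port.
    print(json.dumps(egress_policy("osus", "openshift-update-service",
                                   "https://graph-data.my-ns.svc:8443/graph", target_port=8443), indent=2))
```

The allow-list covers only the scrape target and DNS; traffic through the cluster-wide proxy is deliberately not allowed, which matches the expectation in the Testing list that the proxy is not used for cluster-internal communication. Port filters from OTA-1610 would be merged into the `ports` entries of the upstream rule.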