Loading...

XML

Word

Printable

Type: Feature
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:
- 3.16-candidate

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Color Status:
Not Selected

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

PX Impact Score:

Intelligence Requested:
Market:

Feature Overview (aka. Goal Summary)

This effort supports OCPSTRAT-819.

Refer to the document: Call for Action - OpenShift Network Policies for additional details.

All OpenShift Operators, including OLM-managed products, are expected to ensure required network policies are in place.

Goals (aka. expected user outcomes)

Develop and test tight ingress and egress K8s Network Policies to restrict communication to only the necessary communication.

Apply the network policies during the operator installation and upgrade.

Requirements (aka. Acceptance criteria):

The focus of this initial phase is on adding a tailored Network Policy for the Operator controller itself. Apply network policies during operator installation and upgrade.

The Network Policy for the Custom Resources (i.e., Operands) is out of scope in this initial phase.

List any affected packages or components.

Operators owned by the Quay engineering team:

Quay Operator Quay
Container Security Operator
Quay Bridge Operator

Relevant resources:

Developing Network Policies
Cillium network policy interactive editor
Slack #proj-ocp-shipping-network-policies-ocpstrat-819.
- Say hello, share that you started. Share any concerns (or happy news!)
- For assistance please mention
  - Engineering: Ben Bennett(@bbennett)
  - PM: Boaz Michaely(@Boaz Michaely)
Talk to ACS team for their experience in shipping NP for many years and handling some tricky obstacles on the way
Related Enhancement for a migration path for network policies in all OpenShift namespaces: https://github.com/openshift/enhancements/pull/1720

Other Operator teams:

OCPSTRAT-1969 [LVM Storage] Network Policies for OpenShift layered Components

OCPSTRAT-2211 Tailored Network Policies for Cluster Infrastructure team owned Operators

VIRTSTRAT-103 [VIRT] Protect from unintended data leaks / attacks via tailored Network Policies

ACM-19479 Protect from unintended data leaks / attacks via tailored Network Policies

OBSDA-1022 Tailored Network Policies for Cluster Logging Operator

SECFLOWOTL-273 Builds for OpenShift Network Policies

OCPSTRAT-2072 Network Policies for NFD operator

OCPSTRAT-2057 Secondary Scheduler Operator : Protect from unintended data leaks / attacks via tailored Network Policies

causes

PROJQUAY-9378 Implement network policies for CSO, QBO, and quay operator

Testing

Assignee:: Unassigned

Reporter:: Tony Wu

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2025/08/18 7:06 PM

Updated:: 2025/09/29 8:35 PM