application-stacks · kabicin · May 28, 2025 · May 28, 2025 · May 30, 2025 · Jun 2, 2025
diff --git a/api/v1/runtimecomponent_types.go b/api/v1/runtimecomponent_types.go
@@ -312,13 +312,37 @@ type RuntimeComponentNetworkPolicy struct {
 	// +operator-sdk:csv:customresourcedefinitions:order=46,type=spec,displayName="Disable",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
 	Disable *bool `json:"disable,omitempty"`
 
-	// Specify the labels of namespaces that incoming traffic is allowed from.
-	// +operator-sdk:csv:customresourcedefinitions:order=47,type=spec,displayName="Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+	// Disable the creation of the network policy ingress. Defaults to false.
+	// +operator-sdk:csv:customresourcedefinitions:order=47,type=spec,displayName="Disable Ingress",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+	DisableIngress *bool `json:"disableIngress,omitempty"`
+
+	// Disable the creation of the network policy egress. Defaults to false.
+	// +operator-sdk:csv:customresourcedefinitions:order=48,type=spec,displayName="Disable Egress",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+	DisableEgress *bool `json:"disableEgress,omitempty"`
+
+	// Bypasses deny all egress rules to allow API server and DNS access. Defaults to false.
+	// +operator-sdk:csv:customresourcedefinitions:order=49,type=spec,displayName="Bypass Deny All Egress",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+	BypassDenyAllEgress *bool `json:"bypassDenyAllEgress,omitempty"`
+
+	// Deprecated. .spec.networkPolicy.fromNamespaceLabels should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels will override this.
+	// +operator-sdk:csv:customresourcedefinitions:order=50,type=spec,displayName="Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
 	NamespaceLabels *map[string]string `json:"namespaceLabels,omitempty"`
 
+	// Specify the labels of namespaces that incoming traffic is allowed from.
+	// +operator-sdk:csv:customresourcedefinitions:order=51,type=spec,displayName="From Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+	FromNamespaceLabels *map[string]string `json:"fromNamespaceLabels,omitempty"`
+
 	// Specify the labels of pod(s) that incoming traffic is allowed from.
-	// +operator-sdk:csv:customresourcedefinitions:order=48,type=spec,displayName="From Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+	// +operator-sdk:csv:customresourcedefinitions:order=52,type=spec,displayName="From Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
 	FromLabels *map[string]string `json:"fromLabels,omitempty"`
+
+	// Specify the labels of namespaces that outgoing traffic is allowed to.
+	// +operator-sdk:csv:customresourcedefinitions:order=53,type=spec,displayName="To Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+	ToNamespaceLabels *map[string]string `json:"toNamespaceLabels,omitempty"`
+
+	// Specify the labels of pod(s) that outgoing traffic is allowed to.
+	// +operator-sdk:csv:customresourcedefinitions:order=54,type=spec,displayName="To Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+	ToLabels *map[string]string `json:"toLabels,omitempty"`
 }
 
 // Defines the desired state and cycle of applications.
@@ -876,7 +900,25 @@ func (s *RuntimeComponentService) GetBindable() *bool {
 	return s.Bindable
 }
 
-func (np *RuntimeComponentNetworkPolicy) GetNamespaceLabels() map[string]string {
+func (np *RuntimeComponentNetworkPolicy) GetToNamespaceLabels() map[string]string {
+	if np.ToNamespaceLabels != nil {
+		return *np.ToNamespaceLabels
+	}
+	return nil
+}
+
+func (np *RuntimeComponentNetworkPolicy) GetToLabels() map[string]string {
+	if np.ToLabels != nil {
+		return *np.ToLabels
+	}
+	return nil
+}
+
+func (np *RuntimeComponentNetworkPolicy) GetFromNamespaceLabels() map[string]string {
+	if np.FromNamespaceLabels != nil {
+		return *np.FromNamespaceLabels
+	}
+	// fallback to deprecated flag np.NamespaceLabels for when we only supported one type of network policy (ingress)
 	if np.NamespaceLabels != nil {
 		return *np.NamespaceLabels
 	}
@@ -894,6 +936,18 @@ func (np *RuntimeComponentNetworkPolicy) IsDisabled() bool {
 	return np.Disable != nil && *np.Disable
 }
 
+func (np *RuntimeComponentNetworkPolicy) IsIngressDisabled() bool {
+	return np.DisableIngress != nil && *np.DisableIngress
+}
+
+func (np *RuntimeComponentNetworkPolicy) IsEgressDisabled() bool {
+	return np.DisableEgress != nil && *np.DisableEgress
+}
+
+func (np *RuntimeComponentNetworkPolicy) IsBypassingDenyAllEgress() bool {
+	return np.BypassDenyAllEgress != nil && *np.BypassDenyAllEgress
+}
+
 // GetLabels returns labels to be added on ServiceMonitor
 func (m *RuntimeComponentMonitoring) GetLabels() map[string]string {
 	return m.Labels

diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/rc.app.stacks_runtimecomponents.yaml b/bundle/manifests/rc.app.stacks_runtimecomponents.yaml
@@ -3365,22 +3365,53 @@ spec:
               networkPolicy:
                 description: Defines the network policy
                 properties:
+                  bypassDenyAllEgress:
+                    description: Bypasses deny all egress rules to allow API server
+                      and DNS access. Defaults to false.
+                    type: boolean
                   disable:
                     description: Disable the creation of the network policy. Defaults
                       to false.
                     type: boolean
+                  disableEgress:
+                    description: Disable the creation of the network policy egress.
+                      Defaults to false.
+                    type: boolean
+                  disableIngress:
+                    description: Disable the creation of the network policy ingress.
+                      Defaults to false.
+                    type: boolean
                   fromLabels:
                     additionalProperties:
                       type: string
                     description: Specify the labels of pod(s) that incoming traffic
                       is allowed from.
                     type: object
-                  namespaceLabels:
+                  fromNamespaceLabels:
                     additionalProperties:
                       type: string
                     description: Specify the labels of namespaces that incoming traffic
                       is allowed from.
                     type: object
+                  namespaceLabels:
+                    additionalProperties:
+                      type: string
+                    description: Deprecated. .spec.networkPolicy.fromNamespaceLabels
+                      should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels
+                      will override this.
+                    type: object
+                  toLabels:
+                    additionalProperties:
+                      type: string
+                    description: Specify the labels of pod(s) that outgoing traffic
+                      is allowed to.
+                    type: object
+                  toNamespaceLabels:
+                    additionalProperties:
+                      type: string
+                    description: Specify the labels of namespaces that outgoing traffic
+                      is allowed to.
+                    type: object
                 type: object
               probes:
                 description: Define health checks on application container to determine

diff --git a/bundle/manifests/runtime-component.clusterserviceversion.yaml b/bundle/manifests/runtime-component.clusterserviceversion.yaml
@@ -71,7 +71,7 @@ metadata:
     categories: Application Runtime
     certified: "true"
     containerImage: icr.io/appcafe/runtime-component-operator:daily
-    createdAt: "2025-05-02T19:13:45Z"
+    createdAt: "2025-06-06T21:13:00Z"
     description: Deploys any runtime component with dynamic and auto-tuning configuration
     features.operators.openshift.io/disconnected: "true"
     features.operators.openshift.io/fips-compliant: "true"
@@ -480,18 +480,55 @@ spec:
         path: networkPolicy.disable
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
-      - description: Specify the labels of namespaces that incoming traffic is allowed
-          from.
+      - description: Disable the creation of the network policy ingress. Defaults
+          to false.
+        displayName: Disable Ingress
+        path: networkPolicy.disableIngress
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+      - description: Disable the creation of the network policy egress. Defaults to
+          false.
+        displayName: Disable Egress
+        path: networkPolicy.disableEgress
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+      - description: Bypasses deny all egress rules to allow API server and DNS access.
+          Defaults to false.
+        displayName: Bypass Deny All Egress
+        path: networkPolicy.bypassDenyAllEgress
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+      - description: Deprecated. .spec.networkPolicy.fromNamespaceLabels should be
+          used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels
+          will override this.
         displayName: Namespace Labels
         path: networkPolicy.namespaceLabels
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
+      - description: Specify the labels of namespaces that incoming traffic is allowed
+          from.
+        displayName: From Namespace Labels
+        path: networkPolicy.fromNamespaceLabels
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
       - description: Specify the labels of pod(s) that incoming traffic is allowed
           from.
         displayName: From Labels
         path: networkPolicy.fromLabels
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
+      - description: Specify the labels of namespaces that outgoing traffic is allowed
+          to.
+        displayName: To Namespace Labels
+        path: networkPolicy.toNamespaceLabels
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: Specify the labels of pod(s) that outgoing traffic is allowed
+          to.
+        displayName: To Labels
+        path: networkPolicy.toLabels
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
       - description: Hide liveness probe's Exec field
         displayName: Livness Probe's Exec
         path: probes.liveness.exec
@@ -1176,6 +1213,14 @@ spec:
           - list
           - update
           - watch
+        - apiGroups:
+          - ""
+          resources:
+          - endpoints
+          verbs:
+          - get
+          - list
+          - watch
         - apiGroups:
           - ""
           resources:

diff --git a/common/types.go b/common/types.go
@@ -140,7 +140,13 @@ type BaseComponentCertificate interface {
 
 // BaseComponentNetworkPolicy represents a basic network policy configuration
 type BaseComponentNetworkPolicy interface {
-	GetNamespaceLabels() map[string]string
+	IsDisabled() bool
+	IsIngressDisabled() bool
+	IsEgressDisabled() bool
+	IsBypassingDenyAllEgress() bool
+	GetToNamespaceLabels() map[string]string
+	GetToLabels() map[string]string
+	GetFromNamespaceLabels() map[string]string
 	GetFromLabels() map[string]string
 }
 

diff --git a/config/crd/bases/rc.app.stacks_runtimecomponents.yaml b/config/crd/bases/rc.app.stacks_runtimecomponents.yaml
@@ -3361,22 +3361,53 @@ spec:
               networkPolicy:
                 description: Defines the network policy
                 properties:
+                  bypassDenyAllEgress:
+                    description: Bypasses deny all egress rules to allow API server
+                      and DNS access. Defaults to false.
+                    type: boolean
                   disable:
                     description: Disable the creation of the network policy. Defaults
                       to false.
                     type: boolean
+                  disableEgress:
+                    description: Disable the creation of the network policy egress.
+                      Defaults to false.
+                    type: boolean
+                  disableIngress:
+                    description: Disable the creation of the network policy ingress.
+                      Defaults to false.
+                    type: boolean
                   fromLabels:
                     additionalProperties:
                       type: string
                     description: Specify the labels of pod(s) that incoming traffic
                       is allowed from.
                     type: object
-                  namespaceLabels:
+                  fromNamespaceLabels:
                     additionalProperties:
                       type: string
                     description: Specify the labels of namespaces that incoming traffic
                       is allowed from.
                     type: object
+                  namespaceLabels:
+                    additionalProperties:
+                      type: string
+                    description: Deprecated. .spec.networkPolicy.fromNamespaceLabels
+                      should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels
+                      will override this.
+                    type: object
+                  toLabels:
+                    additionalProperties:
+                      type: string
+                    description: Specify the labels of pod(s) that outgoing traffic
+                      is allowed to.
+                    type: object
+                  toNamespaceLabels:
+                    additionalProperties:
+                      type: string
+                    description: Specify the labels of namespaces that outgoing traffic
+                      is allowed to.
+                    type: object
                 type: object
               probes:
                 description: Define health checks on application container to determine