add ingress/egress network policy

Author: huali9

install/0000_90_machine-api-operator_05_networkpolicy-allow-egress.yaml

@@ -0,0 +1,34 @@
+# Allow egress from apps in openshift-machine-api to kube api
+# Allow egress from apps in openshift-machine-api to DNS
+# Allow egress from apps in openshift-machine-api to external cloud platforms
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress
+  namespace: openshift-machine-api
+  annotations:
+    capability.openshift.io/name: MachineAPI
+    exclude.release.openshift.io/internal-openshift-hosted: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  egress:
+  - ports:
+    - protocol: TCP
+      port: 1
+      endPort: 65535
+  - ports:
+    - protocol: UDP
+      port: 5353 
+  podSelector:
+    matchExpressions:
+    - key: k8s-app
+      operator: In
+      values:
+      - cluster-autoscaler-operator
+      - cluster-baremetal-operator
+      - control-plane-machine-set-operator
+      - controller
+      - machine-api-operator
+  policyTypes:
+  - Egress

install/0000_90_machine-api-operator_05_networkpolicy-allow-ingress-cluster.yaml

@@ -0,0 +1,31 @@
+# Allow ingress to the openshift-machine-api namespace pods for internal cluster request
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-cluster
+  namespace: openshift-machine-api
+  annotations:
+    capability.openshift.io/name: MachineAPI
+    exclude.release.openshift.io/internal-openshift-hosted: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  ingress:
+  - ports:
+    - protocol: TCP
+      port: 9440
+      endPort: 9442
+    - protocol: TCP
+      port: 8443
+  podSelector:
+    matchExpressions:
+    - key: k8s-app
+      operator: In
+      values:
+      - cluster-autoscaler-operator
+      - cluster-baremetal-operator
+      - control-plane-machine-set-operator
+      - controller
+      - machine-api-operator
+  policyTypes:
+  - Ingress

install/0000_90_machine-api-operator_05_networkpolicy-allow-ingress-kubeapi.yaml

@@ -0,0 +1,30 @@
+# Allow ingress to the openshift-machine-api namespace pods for kubeapi requests
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-kubeapi
+  namespace: openshift-machine-api
+  annotations:
+    capability.openshift.io/name: MachineAPI
+    exclude.release.openshift.io/internal-openshift-hosted: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  ingress:
+  - ports:
+    - protocol: TCP
+      port: 8443
+    - protocol: TCP
+      port: 9443
+  podSelector:
+    matchExpressions:
+    - key: k8s-app
+      operator: In
+      values:
+      - cluster-autoscaler-operator
+      - cluster-baremetal-operator
+      - control-plane-machine-set-operator
+      - controller
+      - machine-api-operator
+  policyTypes:
+  - Ingress

install/0000_90_machine-api-operator_05_networkpolicy-allow-ingress-metrics.yaml

@@ -0,0 +1,32 @@
+# Allow ingress to the openshift-machine-api namespace pods for metrics request
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-metrics
+  namespace: openshift-machine-api
+  annotations:
+    capability.openshift.io/name: MachineAPI
+    exclude.release.openshift.io/internal-openshift-hosted: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  ingress:
+  - ports:
+    - protocol: TCP
+      port: 8440
+      endPort: 8444
+    - protocol: TCP
+      port: 9191
+      endPort: 9192
+  podSelector:
+    matchExpressions:
+    - key: k8s-app
+      operator: In
+      values:
+      - cluster-autoscaler-operator
+      - cluster-baremetal-operator
+      - control-plane-machine-set-operator
+      - controller
+      - machine-api-operator
+  policyTypes:
+  - Ingress

install/0000_90_machine-api-operator_05_networkpolicy-default-deny.yaml

@@ -0,0 +1,16 @@
+# Default deny all ingress and egress
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny
+  namespace: openshift-machine-api
+  annotations:
+    capability.openshift.io/name: MachineAPI
+    exclude.release.openshift.io/internal-openshift-hosted: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress