Adds the network policy for operator

[siddhibhor-56]

No description provided.

[coderabbitai]

Walkthrough

Enables the network-policy overlay in the default kustomization and adds two NetworkPolicy manifests (allow and deny-all) under config/network-policy. Updates the network-policy kustomization to include the new policies.

Changes

Cohort / File(s)	Summary of Changes
Default kustomization update config/default/kustomization.yaml	Uncomments and activates ../network-policy in resources.
NetworkPolicy manifests and kustomization config/network-policy/kustomization.yaml, config/network-policy/allow-network-traffic.yaml, config/network-policy/deny-all.yaml	Expands resources to include new policies; adds allow policy (Ingress: 8443, 8080; Egress: 6443) for pods labeled app: external-secrets-operator in external-secrets-operator namespace; adds deny-all policy for same label in system namespace.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The pull request description is missing and does not describe any of the changes made, leaving reviewers without context on the newly added network-policy configurations.	Please add a concise description outlining the additions of network-policy YAML files and the kustomization updates to enable them, so reviewers understand the intent and scope of the changes.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The pull request title succinctly describes that a network policy is being added for the operator, which aligns directly with the main change of enabling network-policy resources in the kustomization and adding policy manifests.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🧪 Early access (Sonnet 4.5): enabled

We are currently testing the Sonnet 4.5 model, which is expected to improve code review quality. However, this model may lead to increased noise levels in the review comments. Please disable the early access features if the noise level causes any inconvenience.

Note:

• Public repositories are always opted into early access features.
• You can enable or disable early access features from the CodeRabbit UI or by updating the CodeRabbit configuration file.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: siddhibhor-56
Once this PR has been reviewed and has the lgtm label, please assign bharath-b-rh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/controller/external_secrets/utils.go (1)

48-57: Bug: prependErr is dropped when updateStatus fails.

When updateStatus errors and prependErr is non-nil, the aggregate excludes prependErr, losing the original error context.

 		errUpdate := fmt.Errorf("failed to update %s/%s status: %w", externalsecrets.GetNamespace(), externalsecrets.GetName(), err)
 		if prependErr != nil {
-			return utilerrors.NewAggregate([]error{err, errUpdate})
+			return utilerrors.NewAggregate([]error{prependErr, errUpdate})
 		}

🧹 Nitpick comments (3)

config/network-policy/deny-all.yaml (1)

5-5: Avoid hardcoding namespace for portability

Let the overlay set the namespace via kustomize. Remove metadata.namespace to keep the resource reusable across overlays.

Apply this diff:

-  namespace: external-secrets-operator

config/network-policy/allow-network-traffic.yaml (1)

5-5: Avoid hardcoding namespace for portability

Let kustomize set the namespace; drop metadata.namespace.

Apply this diff:

-  namespace: external-secrets-operator

pkg/controller/external_secrets/utils.go (1)

94-106: Remove commented-out dead code.

This legacy block is now superseded and adds noise. It’s version-controlled; safe to delete.

-//// isCertManagerConfigEnabled returns whether CertManagerConfig is enabled in ExternalSecrets CR Spec.
-//func isCertManagerConfigEnabled(es *operatorv1alpha1.ExternalSecrets) bool {
-//	return es.Spec != (operatorv1alpha1.ExternalSecretsSpec{}) && es.Spec.ExternalSecretsConfig != nil &&
-//		es.Spec.ExternalSecretsConfig.CertManagerConfig != nil &&
-//		common.ParseBool(es.Spec.ExternalSecretsConfig.CertManagerConfig.Enabled)
-//}
-//
-//// isBitwardenConfigEnabled returns whether CertManagerConfig is enabled in ExternalSecrets CR Spec.
-//func isBitwardenConfigEnabled(es *operatorv1alpha1.ExternalSecrets) bool {
-//	return es.Spec != (operatorv1alpha1.ExternalSecretsSpec{}) && es.Spec.ExternalSecretsConfig != nil && es.Spec.ExternalSecretsConfig.BitwardenSecretManagerProvider != nil &&
-//		common.ParseBool(es.Spec.ExternalSecretsConfig.BitwardenSecretManagerProvider.Enabled)
-//}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 9c19a74 and 9341c2e.

📒 Files selected for processing (6)

• config/crd/bases/operator.openshift.io_externalsecrets.yaml (0 hunks)
• config/default/kustomization.yaml (1 hunks)
• config/network-policy/allow-network-traffic.yaml (1 hunks)
• config/network-policy/deny-all.yaml (1 hunks)
• config/network-policy/kustomization.yaml (1 hunks)
• pkg/controller/external_secrets/utils.go (1 hunks)

💤 Files with no reviewable changes (1)

• config/crd/bases/operator.openshift.io_externalsecrets.yaml

🔇 Additional comments (4)

config/network-policy/kustomization.yaml (1)

3-4: Kustomization entries look good

The new resources are correctly referenced; order doesn’t affect policy behavior.

config/network-policy/allow-network-traffic.yaml (1)

7-9: Verify pod label selector matches the operator pods

Using app: external-secrets-operator may not match the Deployment’s pod template labels (often control-plane: controller-manager in Kubebuilder scaffolding). Mismatch means policies won’t apply.

Use the script shared on config/default/kustomization.yaml to confirm and adjust matchLabels accordingly.

pkg/controller/external_secrets/utils.go (2)

109-113: Nil-safe, clearer implementation — confirmed: omitted/empty Enabled evaluates to false.

ParseBool returns true only for "true" (pkg/controller/common/utils.go:380); CertManagerConfig.Enabled is a string (api/v1alpha1/external_secrets_types.go:179), so empty/omitted -> false.

---

115-121: Confirm Bitwarden Enabled defaults to disabled

CRD has +kubebuilder:default:="false" for Bitwarden.Enabled and common.ParseBool(val) returns true only for "true" — unspecified or default "false" evaluates to false.

[coderabbitai]

⚠️ Potential issue

🧩 Analysis chain

Enabling network policies: verify selector alignment and traffic impact

Including ../network-policy will enforce the new deny/allow rules. Ensure the podSelector labels in those policies match the operator Deployment labels; otherwise, policies won’t apply or, worse, could over/under-block traffic.

Run this to inspect Deployment labels and reconcile with the NetworkPolicy podSelectors:

---

🏁 Script executed:

#!/bin/bash
# Show deployments and pod template labels under config/
rg -nC5 -g '!**/vendor/**' -P '^\s*kind:\s*Deployment\b' config | sed -n '1,200p'
echo '---'
# List any places labeling pods with "app:" or "control-plane:" for the operator
rg -nC3 -P 'labels:\s*$|^\s*app:\s*external-secrets-operator\b|^\s*control-plane:\s*controller-manager\b' config

Length of output: 46592

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "=== config/default/kustomization.yaml ==="
sed -n '1,200p' config/default/kustomization.yaml || true
echo
echo "=== config/network-policy/deny-all.yaml ==="
sed -n '1,200p' config/network-policy/deny-all.yaml || true
echo
echo "=== config/network-policy/allow-network-traffic.yaml ==="
sed -n '1,200p' config/network-policy/allow-network-traffic.yaml || true
echo
echo "=== config/network-policy/allow-metrics-traffic.yaml ==="
sed -n '1,200p' config/network-policy/allow-metrics-traffic.yaml || true
echo
echo "=== config/manager/manager.yaml ==="
sed -n '1,240p' config/manager/manager.yaml || true
echo
echo "=== config/default/metrics_service.yaml ==="
sed -n '1,200p' config/default/metrics_service.yaml || true

Length of output: 11582

---

NetworkPolicy namespace mismatch — policies won't apply to the Deployment

Deployment runs in namespace "system" with label app: external-secrets-operator (config/manager/manager.yaml). deny-all.yaml and allow-network-traffic.yaml are scoped to namespace "external-secrets-operator" (config/network-policy/*) so they will NOT affect the Deployment; allow-metrics-traffic.yaml is in "system" and will apply.

• Action: align namespaces so policies target the same namespace as the Deployment — either change config/network-policy/deny-all.yaml and config/network-policy/allow-network-traffic.yaml to namespace: system, or move the Deployment to external-secrets-operator.
• Action: re-evaluate deny-all and allow-network-traffic semantics to avoid inadvertently blocking API/metrics/webhook traffic (files: config/network-policy/deny-all.yaml, config/network-policy/allow-network-traffic.yaml, config/network-policy/allow-metrics-traffic.yaml, config/manager/manager.yaml; config/default/kustomization.yaml includes ../network-policy).

🤖 Prompt for AI Agents

In config/default/kustomization.yaml around line 34, the included network-policy
manifests target namespace "external-secrets-operator" while the Deployment in
config/manager/manager.yaml runs in namespace "system", so those NetworkPolicies
won't apply; update the NetworkPolicy YAMLs (config/network-policy/deny-all.yaml
and config/network-policy/allow-network-traffic.yaml) to namespace: system so
they target the Deployment's namespace (or alternatively change the Deployment
namespace to external-secrets-operator if that's desired), and then re-evaluate
and adjust the deny-all and allow-network-traffic rules to ensure they don't
block necessary API/metrics/webhook traffic (compare with
allow-metrics-traffic.yaml and modify podSelector/ingress/egress rules and
namespaceSelector as needed).

[coderabbitai]

⚠️ Potential issue

Egress rule is too restrictive; will break DNS and external provider access

Allowing only TCP 6443 egress blocks DNS (53) and external APIs (443), which external-secrets-operator typically needs to fetch secrets. If you must keep egress policy, add DNS and 443 (and any others you require). Otherwise, remove egress from policyTypes and drop the egress block.

Two options:

• Preferred (ingress-only policy):

   policyTypes:
-    - Ingress
-    - Egress
+    - Ingress
-  egress:
-    - ports:
-        - protocol: TCP
-          port: 6443 # Required: Kubernetes API server

• If keeping egress, minimally allow DNS and HTTPS:

   egress:
-    - ports:
-        - protocol: TCP
-          port: 6443 # Required: Kubernetes API server
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53
+    - ports:
+        - protocol: TCP
+          port: 443

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	policyTypes:
	- Ingress
	- Egress
	egress:
	- ports:
	- protocol: TCP
	port: 6443 # Required: Kubernetes API server
	ingress:
	policyTypes:
	- Ingress
	ingress:

Suggested change

	policyTypes:
	- Ingress
	- Egress
	egress:
	- ports:
	- protocol: TCP
	port: 6443 # Required: Kubernetes API server
	ingress:
	policyTypes:
	- Ingress
	- Egress
	egress:
	- to:
	- namespaceSelector:
	matchLabels:
	kubernetes.io/metadata.name: kube-system
	podSelector:
	matchLabels:
	k8s-app: kube-dns
	ports:
	- protocol: UDP
	port: 53
	- protocol: TCP
	port: 53
	- ports:
	- protocol: TCP
	port: 443
	ingress:

🤖 Prompt for AI Agents

In config/network-policy/allow-network-traffic.yaml around lines 10 to 17, the
egress block only allows TCP 6443 which blocks DNS and external HTTPS calls;
either remove "Egress" from policyTypes and delete the entire egress section to
make this an ingress-only policy, or expand the egress rules to minimally allow
DNS and HTTPS by adding UDP 53 and TCP 53 for DNS plus TCP 443 for external APIs
(and any other provider ports you require); implement one of these two changes
so DNS resolution and external-secrets/operator HTTPS calls are not blocked.

[coderabbitai]

⚠️ Potential issue

Ingress is overly permissive; it allows any source to metrics ports

Without a from selector, any pod can scrape 8443/8080. Either:

• Remove these rules and rely on the existing allow-metrics-traffic.yaml, or
• Restrict sources to namespaces labeled metrics: "enabled".

Also, 8080 may be unused if HTTPS metrics are enabled.

Preferred fix (de-duplicate and restrict):

   ingress:
-    # Optional: expose metrics (8443 and 8080 based on user configuration)
-    - ports:
-        - protocol: TCP
-          port: 8443
-    - ports:
-        - protocol: TCP
-          port: 8080
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              metrics: "enabled"
+      ports:
+        - protocol: TCP
+          port: 8443

If you keep 8080, mirror the same from selector.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# Optional: expose metrics (8443 and 8080 based on user configuration)
	- ports:
	- protocol: TCP
	port: 8443
	- ports:
	- protocol: TCP
	port: 8080
	- from:
	- namespaceSelector:
	matchLabels:
	metrics: "enabled"
	ports:
	- protocol: TCP
	port: 8443

🤖 Prompt for AI Agents

config/network-policy/allow-network-traffic.yaml around lines 18-24: the current
ingress entries expose metrics ports (8443 and 8080) to all sources because they
lack a from selector; either remove these port rules and rely on
allow-metrics-traffic.yaml to avoid duplication, or restrict each ingress to
only allow pods/namespaces labeled metrics: "enabled" by adding an appropriate
from selector; if HTTPS metrics (8443) is used and 8080 is unused, remove 8080,
otherwise ensure 8080 has the same from selector as 8443 so both ports are
consistently restricted.

[coderabbitai]

⚠️ Potential issue

Default deny egress will likely break the operator (DNS, cloud providers, webhooks)

Denying all egress without explicit exceptions will block:

• DNS (TCP/UDP 53 to kube-dns)
• External secret providers (e.g., AWS/GCP/Vault over 443)
• Calls to the kube-apiserver when not explicitly permitted

If the goal is to “protect metrics/webhook,” prefer ingress-only default deny. Otherwise, explicitly add egress allows (DNS + required external endpoints).

Suggested minimal fix (ingress-only deny):

 spec:
   podSelector:
     matchLabels:
       app: external-secrets-operator
   policyTypes:
     - Ingress
-    - Egress

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	spec:
	podSelector:
	matchLabels:
	app: external-secrets-operator
	policyTypes:
	- Ingress
	- Egress
	spec:
	podSelector:
	matchLabels:
	app: external-secrets-operator
	policyTypes:
	- Ingress

🤖 Prompt for AI Agents

In config/network-policy/deny-all.yaml around lines 6 to 12, the NetworkPolicy
currently denies all egress which will break the operator (DNS, cloud provider
APIs, webhooks); either change the policy to be ingress-only by removing or
replacing the policyTypes entry so only Ingress is enforced, OR keep Egress but
add explicit egress allow rules for UDP/TCP port 53 to kube-dns (cluster DNS
CIDR / kube-dns label), TCP 443 to the operator’s required external endpoints
(cloud provider metadata/API and secret backends), and TCP to the
kube-apiserver, ensuring the selectors and CIDRs match cluster addresses.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

config/network-policy/kustomization.yaml (1)

2-4: Consider reordering for clarity.

The resources are functionally correct, but listing deny-all.yaml before the allow policies would better reflect the conceptual model of "deny by default, then explicitly allow." While Kubernetes applies all NetworkPolicies additively regardless of order, this arrangement improves readability.

Apply this diff to reorder the resources:

 resources:
+- deny-all.yaml
 - allow-metrics-traffic.yaml
 - allow-network-traffic.yaml
-- deny-all.yaml

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 9341c2e and 8d0e3cd.

📒 Files selected for processing (4)

• config/default/kustomization.yaml (1 hunks)
• config/network-policy/allow-network-traffic.yaml (1 hunks)
• config/network-policy/deny-all.yaml (1 hunks)
• config/network-policy/kustomization.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• config/network-policy/deny-all.yaml
• config/network-policy/allow-network-traffic.yaml
• config/default/kustomization.yaml

[openshift-ci]

@siddhibhor-56: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.