2 changes: 1 addition & 1 deletion config/default/kustomization.yaml
Expand Up @@ -31,7 +31,7 @@ resources:
# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics.
# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will
# be able to communicate with the Webhook Server.
#- ../network-policy
- ../network-policy

⚠️ Potential issue

🧩 Analysis chain

Enabling network policies: verify selector alignment and traffic impact

Including ../network-policy will enforce the new deny/allow rules. Ensure the podSelector labels in those policies match the operator Deployment labels; otherwise, policies won’t apply or, worse, could over/under-block traffic.

Run this to inspect Deployment labels and reconcile with the NetworkPolicy podSelectors:


🏁 Script executed:

#!/bin/bash
# Show deployments and pod template labels under config/
rg -nC5 -g '!**/vendor/**' -P '^\s*kind:\s*Deployment\b' config | sed -n '1,200p'
echo '---'
# List any places labeling pods with "app:" or "control-plane:" for the operator
rg -nC3 -P 'labels:\s*$|^\s*app:\s*external-secrets-operator\b|^\s*control-plane:\s*controller-manager\b' config

Length of output: 46592


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "=== config/default/kustomization.yaml ==="
sed -n '1,200p' config/default/kustomization.yaml || true
echo
echo "=== config/network-policy/deny-all.yaml ==="
sed -n '1,200p' config/network-policy/deny-all.yaml || true
echo
echo "=== config/network-policy/allow-network-traffic.yaml ==="
sed -n '1,200p' config/network-policy/allow-network-traffic.yaml || true
echo
echo "=== config/network-policy/allow-metrics-traffic.yaml ==="
sed -n '1,200p' config/network-policy/allow-metrics-traffic.yaml || true
echo
echo "=== config/manager/manager.yaml ==="
sed -n '1,240p' config/manager/manager.yaml || true
echo
echo "=== config/default/metrics_service.yaml ==="
sed -n '1,200p' config/default/metrics_service.yaml || true

Length of output: 11582


NetworkPolicy namespace mismatch — policies won't apply to the Deployment

Deployment runs in namespace "system" with label app: external-secrets-operator (config/manager/manager.yaml). deny-all.yaml and allow-network-traffic.yaml are scoped to namespace "external-secrets-operator" (config/network-policy/*) so they will NOT affect the Deployment; allow-metrics-traffic.yaml is in "system" and will apply.

  • Action: align namespaces so policies target the same namespace as the Deployment — either change config/network-policy/deny-all.yaml and config/network-policy/allow-network-traffic.yaml to namespace: system, or move the Deployment to external-secrets-operator.
  • Action: re-evaluate deny-all and allow-network-traffic semantics to avoid inadvertently blocking API/metrics/webhook traffic (files: config/network-policy/deny-all.yaml, config/network-policy/allow-network-traffic.yaml, config/network-policy/allow-metrics-traffic.yaml, config/manager/manager.yaml; config/default/kustomization.yaml includes ../network-policy).
🤖 Prompt for AI Agents
In config/default/kustomization.yaml around line 34, the included network-policy
manifests target namespace "external-secrets-operator" while the Deployment in
config/manager/manager.yaml runs in namespace "system", so those NetworkPolicies
won't apply; update the NetworkPolicy YAMLs (config/network-policy/deny-all.yaml
and config/network-policy/allow-network-traffic.yaml) to namespace: system so
they target the Deployment's namespace (or alternatively change the Deployment
namespace to external-secrets-operator if that's desired), and then re-evaluate
and adjust the deny-all and allow-network-traffic rules to ensure they don't
block necessary API/metrics/webhook traffic (compare with
allow-metrics-traffic.yaml and modify podSelector/ingress/egress rules and
namespaceSelector as needed).


# Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager
patches:
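Review bot: uncommenting `- ../network-policy` turns enforcement on unconditionally, but the comment directly above it still reads as the description of an optional feature; update it to state that namespaces must now carry `metrics: enabled` to scrape metrics and `webhooks: enabled` for webhook-backed CRs, since once the policies are in place a missing label becomes a silent traffic drop rather than a no-op. It is also worth saying in the PR description that NetworkPolicy objects are only enforced by a CNI that implements them, so a successful apply on a cluster without one proves nothing about these rules; validate on an enforcing CNI before merging.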
24 changes: 24 additions & 0 deletions config/network-policy/allow-network-traffic.yaml
@@ -0,0 +1,24 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-operator-traffic
namespace: external-secrets-operator
spec:
podSelector:
matchLabels:
app: external-secrets-operator
policyTypes:
- Ingress
- Egress
egress:
- ports:
- protocol: TCP
port: 6443 # Required: Kubernetes API server
ingress:
Comment on lines +10 to +17

⚠️ Potential issue

Egress rule is too restrictive; will break DNS and external provider access

Allowing only TCP 6443 egress blocks DNS (53) and external APIs (443), which external-secrets-operator typically needs to fetch secrets. If you must keep egress policy, add DNS and 443 (and any others you require). Otherwise, remove egress from policyTypes and drop the egress block.

Two options:

  • Preferred (ingress-only policy):
   policyTypes:
-    - Ingress
-    - Egress
+    - Ingress
-  egress:
-    - ports:
-        - protocol: TCP
-          port: 6443 # Required: Kubernetes API server
  • If keeping egress, minimally allow DNS and HTTPS:
   egress:
-    - ports:
-        - protocol: TCP
-          port: 6443 # Required: Kubernetes API server
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53
+    - ports:
+        - protocol: TCP
+          port: 443
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

🤖 Prompt for AI Agents
In config/network-policy/allow-network-traffic.yaml around lines 10 to 17, the
egress block only allows TCP 6443 which blocks DNS and external HTTPS calls;
either remove "Egress" from policyTypes and delete the entire egress section to
make this an ingress-only policy, or expand the egress rules to minimally allow
DNS and HTTPS by adding UDP 53 and TCP 53 for DNS plus TCP 443 for external APIs
(and any other provider ports you require); implement one of these two changes
so DNS resolution and external-secrets/operator HTTPS calls are not blocked.

# Optional: expose metrics (8443 and 8080 based on user configuration)
- ports:
- protocol: TCP
port: 8443
- ports:
- protocol: TCP
port: 8080
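Review bot: `namespace: external-secrets-operator` in this file does not match `namespace: system` used by `deny-all.yaml` in the same directory, so the allow rules here cannot relax the deny applied to the operator pods; pick one namespace for the whole overlay. The egress entry lists `port: 6443` with no `to:` clause, so it permits TCP 6443 to any destination rather than only the API server; add an `ipBlock` or selector for the API endpoint, or state in the comment why it is deliberately left open. Minor: the two single-port ingress entries for 8443 and 8080 could be one rule listing both ports, which also makes it simpler to attach a single `from:` selector to both.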
Comment on lines +18 to +24

⚠️ Potential issue

Ingress is overly permissive; it allows any source to metrics ports

Without a from selector, any pod can scrape 8443/8080. Either:

  • Remove these rules and rely on the existing allow-metrics-traffic.yaml, or
  • Restrict sources to namespaces labeled metrics: "enabled".

Also, 8080 may be unused if HTTPS metrics are enabled.

Preferred fix (de-duplicate and restrict):

   ingress:
-    # Optional: expose metrics (8443 and 8080 based on user configuration)
-    - ports:
-        - protocol: TCP
-          port: 8443
-    - ports:
-        - protocol: TCP
-          port: 8080
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              metrics: "enabled"
+      ports:
+        - protocol: TCP
+          port: 8443

If you keep 8080, mirror the same from selector.

🤖 Prompt for AI Agents
config/network-policy/allow-network-traffic.yaml around lines 18-24: the current
ingress entries expose metrics ports (8443 and 8080) to all sources because they
lack a from selector; either remove these port rules and rely on
allow-metrics-traffic.yaml to avoid duplication, or restrict each ingress to
only allow pods/namespaces labeled metrics: "enabled" by adding an appropriate
from selector; if HTTPS metrics (8443) is used and 8080 is unused, remove 8080,
otherwise ensure 8080 has the same from selector as 8443 so both ports are
consistently restricted.

16 changes: 16 additions & 0 deletions config/network-policy/deny-all.yaml
@@ -0,0 +1,16 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app: external-secrets-operator
app.kubernetes.io/name: external-secrets-operator
app.kubernetes.io/managed-by: kustomize
name: deny-all-traffic
namespace: system
spec:
podSelector:
matchLabels:
app: external-secrets-operator
policyTypes:
- Ingress
- Egress
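Review bot: the name `deny-all-traffic` and the file name `deny-all.yaml` suggest a namespace-wide default deny, but `podSelector.matchLabels.app: external-secrets-operator` restricts it to the operator pods only; either document that scope in a comment or rename it so readers do not assume other workloads in the namespace are covered. This file carries the `app.kubernetes.io/*` labels while `allow-network-traffic.yaml` has no metadata labels at all; apply the same label set to both policies so they can be listed and removed together. Finally, `policyTypes` with both Ingress and Egress and no rule blocks denies every connection for the selected pods, kube-apiserver and DNS included, until a companion allow policy selects the same pods in the same namespace, which the allow policy in this PR currently does not (`namespace: system` here, `external-secrets-operator` there).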
Comment on lines +10 to +16

⚠️ Potential issue

Default deny egress will likely break the operator (DNS, cloud providers, webhooks)

Denying all egress without explicit exceptions will block:

  • DNS (TCP/UDP 53 to kube-dns)
  • External secret providers (e.g., AWS/GCP/Vault over 443)
  • Calls to the kube-apiserver when not explicitly permitted

If the goal is to “protect metrics/webhook,” prefer ingress-only default deny. Otherwise, explicitly add egress allows (DNS + required external endpoints).

Suggested minimal fix (ingress-only deny):

 spec:
   podSelector:
     matchLabels:
       app: external-secrets-operator
   policyTypes:
     - Ingress
-    - Egress
🤖 Prompt for AI Agents
In config/network-policy/deny-all.yaml around lines 6 to 12, the NetworkPolicy
currently denies all egress which will break the operator (DNS, cloud provider
APIs, webhooks); either change the policy to be ingress-only by removing or
replacing the policyTypes entry so only Ingress is enforced, OR keep Egress but
add explicit egress allow rules for UDP/TCP port 53 to kube-dns (cluster DNS
CIDR / kube-dns label), TCP 443 to the operator’s required external endpoints
(cloud provider metadata/API and secret backends), and TCP to the
kube-apiserver, ensuring the selectors and CIDRs match cluster addresses.

2 changes: 2 additions & 0 deletions config/network-policy/kustomization.yaml
@@ -1,2 +1,4 @@
resources:
- allow-metrics-traffic.yaml
- allow-network-traffic.yaml
- deny-all.yaml
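Review bot: the two resources added here target different namespaces (`system` in deny-all.yaml, `external-secrets-operator` in allow-network-traffic.yaml), so this kustomization as written emits policies that never combine on one set of pods. If `config/default` applies a `namespace:` transformer both get rewritten to it and the discrepancy disappears, but confirm that with `kustomize build config/default` rather than assuming it. Resource order has no effect on NetworkPolicy evaluation (allow rules are additive regardless of apply order), so listing `deny-all.yaml` last is harmless, though placing it first would read more naturally as the baseline the allow files build on.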