add NetworkPolicy objects for catalogd and operator-controller

Signed-off-by: Joe Lanford <[email protected]>

Author: joelanford

config/base/catalogd/manager/kustomization.yaml

@@ -1,6 +1,7 @@
 resources:
 - manager.yaml
-- catalogd_service.yaml
+- service.yaml
+- network_policy.yaml
 - webhook/manifests.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

config/base/catalogd/manager/network_policy.yaml

@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  podSelector:
+    matchLabels:
+      control-plane: catalogd-controller-manager
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 7443 # metrics
+        - protocol: TCP
+          port: 8443 # catalogd http server
+        - protocol: TCP
+          port: 9443 # webhook
+  egress:
+    - {}  # Allows all egress traffic (needed to pull catalog images from arbitrary image registries)

config/base/catalogd/manager/catalogd_service.yaml renamed to config/base/catalogd/manager/service.yaml

@@ -4,6 +4,7 @@ kind: Kustomization
 resources:
 - manager.yaml
 - service.yaml
+- network_policy.yaml
 
 images:
 - name: controller

config/base/operator-controller/manager/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  podSelector:
+    matchLabels:
+      control-plane: operator-controller-controller-manager
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 8443 # metrics
+  egress:
+    - {}  # Allows all egress traffic (needed to pull bundle images from arbitrary image registries)