From fa17d81a15fb1e5514e3f195948316b3613553f5 Mon Sep 17 00:00:00 2001
From: Kenjiro Nakayama
Date: Thu, 17 Jun 2021 13:59:02 +0900
Subject: [PATCH 1/2] Add NetworkPolicy for net-istio ingress.
---
 .../ingress/0.22/0-webhook-servicemesh.yaml | 45 ++++++++++++++++
 .../hack/007-webhook-servicemesh.patch | 51 +++++++++++++++++++
 .../hack/update-manifests.sh | 3 ++
 3 files changed, 99 insertions(+)
 create mode 100644 openshift-knative-operator/cmd/operator/kodata/ingress/0.22/0-webhook-servicemesh.yaml
 create mode 100644 openshift-knative-operator/hack/007-webhook-servicemesh.patch
diff --git a/openshift-knative-operator/cmd/operator/kodata/ingress/0.22/0-webhook-servicemesh.yaml b/openshift-knative-operator/cmd/operator/kodata/ingress/0.22/0-webhook-servicemesh.yaml
new file mode 100644
index 0000000000..ff040cbc2a
--- /dev/null
+++ b/openshift-knative-operator/cmd/operator/kodata/ingress/0.22/0-webhook-servicemesh.yaml
@@ -0,0 +1,45 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: webhook
+ labels:
+ app: webhook
+ serving.knative.dev/release: devel
+ networking.knative.dev/ingress-provider: istio
+spec:
+ podSelector:
+ matchLabels:
+ app: webhook
+ ingress:
+ - {}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: istio-webhook
+ labels:
+ app: istio-webhook
+ serving.knative.dev/release: devel
+ networking.knative.dev/ingress-provider: istio
+spec:
+ podSelector:
+ matchLabels:
+ app: istio-webhook
+ ingress:
+ - {}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: domainmapping-webhook
+ labels:
+ app: domainmapping-webhook
+ serving.knative.dev/release: devel
+ networking.knative.dev/ingress-provider: istio
+spec:
+ podSelector:
+ matchLabels:
+ app: domainmapping-webhook
+ ingress:
+ - {}
+---
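Review bot: The `ingress: - {}` rule in each of the three policies matches every source — any pod in any namespace and any address outside the cluster — on every port of the selected webhook pods, which is wider than the one path that presumably motivates the change (the API server reaching the admission endpoint through the mesh's deny-by-default policy). If that is the only traffic that must get through, restricting the rule to the webhook's serving port keeps the rest of the pod closed, e.g. `ingress: - ports: - protocol: TCP port: <webhook port>`, with the port taken from the webhook Deployment (not visible here) rather than guessed. Whatever the final shape, each policy should state why it is open, since a reader will otherwise take the empty rule for a mistake: `# Admission requests come from the API server, which is outside the mesh; without this the mesh's default-deny policy blocks them.`. No `namespace` is set on the objects, so they are presumably placed by the operator at apply time — worth confirming that they land in the same namespace as the selected webhook pods.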
diff --git a/openshift-knative-operator/hack/007-webhook-servicemesh.patch b/openshift-knative-operator/hack/007-webhook-servicemesh.patch
new file mode 100644
index 0000000000..fe71c554c7
--- /dev/null
+++ b/openshift-knative-operator/hack/007-webhook-servicemesh.patch
@@ -0,0 +1,51 @@
+diff --git a/openshift-knative-operator/cmd/operator/kodata/ingress/0.22/0-webhook-servicemesh.yaml b/openshift-knative-operator/cmd/operator/kodata/ingress/0.22/0-webhook-servicemesh.yaml
+new file mode 100644
+index 00000000..3d46fbed
+--- /dev/null
++++ b/openshift-knative-operator/cmd/operator/kodata/ingress/0.22/0-webhook-servicemesh.yaml
+@@ -0,0 +1,45 @@
++apiVersion: networking.k8s.io/v1
++kind: NetworkPolicy
++metadata:
++ name: webhook
++ labels:
++ app: webhook
++ serving.knative.dev/release: devel
++ networking.knative.dev/ingress-provider: istio
++spec:
++ podSelector:
++ matchLabels:
++ app: webhook
++ ingress:
++ - {}
++---
++apiVersion: networking.k8s.io/v1
++kind: NetworkPolicy
++metadata:
++ name: istio-webhook
++ labels:
++ app: istio-webhook
++ serving.knative.dev/release: devel
++ networking.knative.dev/ingress-provider: istio
++spec:
++ podSelector:
++ matchLabels:
++ app: istio-webhook
++ ingress:
++ - {}
++---
++apiVersion: networking.k8s.io/v1
++kind: NetworkPolicy
++metadata:
++ name: domainmapping-webhook
++ labels:
++ app: domainmapping-webhook
++ serving.knative.dev/release: devel
++ networking.knative.dev/ingress-provider: istio
++spec:
++ podSelector:
++ matchLabels:
++ app: domainmapping-webhook
++ ingress:
++ - {}
++---
diff --git a/openshift-knative-operator/hack/update-manifests.sh b/openshift-knative-operator/hack/update-manifests.sh
index 9f04c8a11e..f071c270ca 100755
--- a/openshift-knative-operator/hack/update-manifests.sh
+++ b/openshift-knative-operator/hack/update-manifests.sh
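Review bot: The blob hash this patch records for the file it creates (`index 00000000..3d46fbed`) differs from the hash of the copy committed in the first hunk of this commit (`index 0000000000..ff040cbc2a`), so the checked-in `0-webhook-servicemesh.yaml` is not byte-identical to what `git apply` of this patch produces — most likely a trailing-whitespace or final-newline difference, though that cannot be confirmed from the collapsed text. If `update-manifests.sh` regenerates the kodata directory and then applies this patch, as the sibling `git apply` lines suggest, the committed yaml should be the script's output rather than a hand-made copy; regenerating it once would make the two hashes agree and keep the next refresh from producing a spurious diff. A one-line header in the patch noting that the yaml is maintained here and copied by the script, not edited in kodata, would help the next person who tries to change it in place.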
@@ -110,3 +110,6 @@ git apply "$root/openshift-knative-operator/hack/005-disable-hpa.patch"
 # TODO: Remove this once upstream fixed https://github.com/knative/operator/issues/376.
 # This is the eventing counterpart of SRVKS-670.
 git apply "$root/openshift-knative-operator/hack/006-eventing-pdb.patch"
+
+# Add networkpolicy for webhook when net-istio is enabled.
+git apply "$root/openshift-knative-operator/hack/007-webhook-servicemesh.patch"
From 3e4a5b82247129497320444660ec92f7d819ed90 Mon Sep 17 00:00:00 2001
From: Kenjiro Nakayama
Date: Thu, 17 Jun 2021 14:09:03 +0900
Subject: [PATCH 2/2] Drop default namespace from smmr
---
 hack/lib/mesh_resources/smmr.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/hack/lib/mesh_resources/smmr.yaml b/hack/lib/mesh_resources/smmr.yaml
index 8b8eb2a7d4..eb4115a93a 100644
--- a/hack/lib/mesh_resources/smmr.yaml
+++ b/hack/lib/mesh_resources/smmr.yaml
@@ -18,4 +18,3 @@ spec:
 - knative-serving
 - serving-tests
 - serving-tests-alt
- - default
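Review bot: The new comment `# Add networkpolicy for webhook when net-istio is enabled.` reads as if the `git apply` were conditional, but the line runs unconditionally like the two entries above it; the "when net-istio is enabled" part presumably refers to the `networking.knative.dev/ingress-provider: istio` label on the manifests, which the operator uses to pick them up at runtime, not to anything this script checks. Rewording it to say what the policies are for and where the gating happens avoids that misreading: `# Add NetworkPolicies that keep the Serving webhooks reachable from the API server under the mesh's default-deny policy; the ingress-provider label restricts them to net-istio installs.`. The sibling entries also carry a tracking reference (issue link / SRVKS ticket) that says when the patch can go away, so this one should say whether it is permanent or tied to an upstream or mesh change.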