Conversation

juzhao
Contributor

@juzhao juzhao commented Aug 15, 2025

task: https://issues.redhat.com/browse/MON-4297
this PR added

  1. default-deny-networkpolicy for all traffic, file: default-deny-networkpolicy.yaml
  2. cluster-monitoring-operator networkpolicy, file: cluster-monitoring-operator-networkpolicy.yaml
  3. KSM networkpolicy, file: kube-state-metrics-networkpolicy.yaml
  4. metrics-server networkpolicy, file: metrics-server-networkpolicy.yaml
  5. monitoring-plugin networkpolicy, file: monitoring-plugin-networkpolicy.yaml
  6. OSM networkpolicy, file: openshift-state-metrics-networkpolicy.yaml
  7. prometheus-operator networkpolicy, file: prometheus-operator-networkpolicy.yaml
  8. prometheus-operator-admission-webhook networkpolicy, file: prometheus-operator-admission-webhook-networkpolicy.yaml
  9. telemeter-client networkpolicy, file: telemeter-client-networkpolicy.yaml

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 15, 2025
@openshift-ci openshift-ci bot requested review from machine424 and marioferh August 15, 2025 08:56
Contributor

openshift-ci bot commented Aug 15, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: juzhao
Once this PR has been reviewed and has the lgtm label, please assign slashpai for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@juzhao
Contributor Author

juzhao commented Aug 15, 2025

/retitle [wip] MON-4297 add networkpolicy for CMO/KSM/metrics-server/monitoring-plugin/OSM/prometheus-operator/telemeter-client

@openshift-ci openshift-ci bot changed the title [wip]add networkpolicy for CMO/KSM/metrics-server/monitoring-plugin/OSM/prometheus-operator/telemeter-client [wip] MON-4297 add networkpolicy for CMO/KSM/metrics-server/monitoring-plugin/OSM/prometheus-operator/telemeter-client Aug 15, 2025
@juzhao
Contributor Author

juzhao commented Aug 15, 2025

/retest-required

@juzhao
Contributor Author

juzhao commented Aug 18, 2025

/retest

@juzhao
Contributor Author

juzhao commented Aug 18, 2025

/test verify
/test e2e-aws-ovn

@jan--f
Contributor

jan--f commented Aug 19, 2025

/retest

@jan--f
Contributor

jan--f commented Aug 19, 2025

We need a policy for the different Prometheus' too, don't we? What if a user configures remote write?

Contributor

openshift-ci bot commented Aug 19, 2025

@juzhao: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/okd-scos-e2e-aws-ovn | 02eb990 | link | false | /test okd-scos-e2e-aws-ovn |
| ci/prow/generate | 02eb990 | link | true | /test generate |
| ci/prow/e2e-hypershift-conformance | 02eb990 | link | true | /test e2e-hypershift-conformance |
| ci/prow/verify | 02eb990 | link | true | /test verify |
| ci/prow/e2e-aws-ovn | 02eb990 | link | true | /test e2e-aws-ovn |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@juzhao
Contributor Author

juzhao commented Aug 20, 2025

> We need a policy for the different Prometheus' too, don't we? What if a user configures remote write?

this PR does not include networkpolicy for Prometheus (will do in another PR), and I think

```yaml
egress:
- {}
```

is enough for prometheus egress, since the remote write address is not a static ip, and above setting allows any ip/port and will use less cpu/memory
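The combination the thread refers to, a namespace-wide default-deny policy beside a Prometheus policy whose single empty egress rule allows any destination, as an added example that is not one of the PR's files; the namespace and the pod label are assumptions, not taken from the PR:

```yaml
# Added example, not from the PR. Namespace and labels are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: openshift-monitoring      # assumed namespace
spec:
  podSelector: {}                      # empty selector: every pod in the namespace
  policyTypes:
  - Ingress
  - Egress
  # No ingress or egress rules are listed, so all traffic to and from the
  # selected pods is denied until another policy explicitly allows it.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: prometheus-egress
  namespace: openshift-monitoring      # assumed namespace
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: prometheus   # assumed label
  policyTypes:
  - Egress                             # this policy only governs egress; ingress to
                                       # the Prometheus pods stays under default-deny
  egress:
  - {}                                 # one empty rule: allow every peer and port,
                                       # so a non-static remote-write target is reachable
  # Contrast: `egress: []` (no rules) with Egress in policyTypes allows nothing,
  # which is exactly what the default-deny policy above relies on.
```

Policies are additive, so the allow-all egress rule here widens only egress for the selected pods and leaves the default-deny ingress behaviour untouched.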

@jan--f
Contributor

jan--f commented Aug 25, 2025

> > We need a policy for the different Prometheus' too, don't we? What if a user configures remote write?
>
> this PR does not include networkpolicy for Prometheus (will do in another PR), and I think
>
> ```yaml
> egress:
> - {}
> ```
>
> is enough for prometheus egress, since the remote write address is not a static ip, and above setting allows any ip/port and will use less cpu/memory

Gotcha, thanks. We'll still need to generate the policies to get the generate target to pass.

Labels
do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress.