feat(nwp): add ingress from cluster-monitoring to applicationnamespace (

#863) * feat(nwp): add ingress from cluster-monitoring to applicationnamespace Signed-off-by: Wen Zhou <[email protected]> * update: code review and clean NWP not needed for now Signed-off-by: Wen Zhou <[email protected]> --------- Signed-off-by: Wen Zhou <[email protected]>
opendatahub-io · Feb 19, 2024 · e7e3982 · e7e3982
1 parent 46ef53e
commit e7e3982
Showing 1 changed file with 19 additions and 4 deletions.
diff --git a/controllers/dscinitialization/utils.go b/controllers/dscinitialization/utils.go
@@ -238,7 +238,7 @@ func (r *DSCInitializationReconciler) reconcileDefaultNetworkPolicy(ctx context.
 			r.Log.Error(err, "error to set networkpolicy in applications namespace", "path", networkpolicyPath)
 			return err
 		}
-	} else { // Expected namespace for the given name
+	} else { // Expected namespace for the given name in ODH
 		desiredNetworkPolicy := &netv1.NetworkPolicy{
 			TypeMeta: metav1.TypeMeta{
 				Kind:       "NetworkPolicy",
@@ -255,7 +255,11 @@ func (r *DSCInitializationReconciler) reconcileDefaultNetworkPolicy(ctx context.
 				Ingress: []netv1.NetworkPolicyIngressRule{
 					{
 						From: []netv1.NetworkPolicyPeer{
-							{
+							{ /* allow ODH namespace <->ODH namespace:
+								- default notebook project: rhods-notebooks
+								- redhat-odh-monitoring
+								- redhat-odh-applications / opendatahub
+								*/
 								NamespaceSelector: &metav1.LabelSelector{ // AND logic
 									MatchLabels: map[string]string{
 										cluster.ODHGeneratedNamespaceLabel: "true",
@@ -266,7 +270,7 @@ func (r *DSCInitializationReconciler) reconcileDefaultNetworkPolicy(ctx context.
 					},
 					{ // OR logic
 						From: []netv1.NetworkPolicyPeer{
-							{ // need this for access dashboard
+							{ // need this to access external-> dashboard
 								NamespaceSelector: &metav1.LabelSelector{
 									MatchLabels: map[string]string{
 										"network.openshift.io/policy-group": "ingress",
@@ -277,7 +281,7 @@ func (r *DSCInitializationReconciler) reconcileDefaultNetworkPolicy(ctx context.
 					},
 					{ // OR logic for PSI
 						From: []netv1.NetworkPolicyPeer{
-							{ // need this to access dashboard
+							{ // need this to access external->dashboard
 								NamespaceSelector: &metav1.LabelSelector{
 									MatchLabels: map[string]string{
 										"kubernetes.io/metadata.name": "openshift-host-network",
@@ -286,6 +290,17 @@ func (r *DSCInitializationReconciler) reconcileDefaultNetworkPolicy(ctx context.
 							},
 						},
 					},
+					{
+						From: []netv1.NetworkPolicyPeer{
+							{ // need this for cluster-monitoring work: cluster-monitoring->ODH namespaces
+								NamespaceSelector: &metav1.LabelSelector{
+									MatchLabels: map[string]string{
+										"kubernetes.io/metadata.name": "openshift-monitoring",
+									},
+								},
+							},
+						},
+					},
 				},
 				PolicyTypes: []netv1.PolicyType{
 					netv1.PolicyTypeIngress,