OCPBUGS-61175: Create NetworkPolicy for Manila CSI driver

Manila csi driver controller pods reside in a custome namespace (`openshift-manila-csi-driver`). Hence, Manila csi driver operator must create NetworkPolicy for them expicitly.

Author: mpatlasov

assets/overlays/openstack-manila/base/network-policy-allow-all-egress.yaml

@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-all-egress
+ namespace: ${NAMESPACE}
+ annotations:
+  include.release.openshift.io/hypershift: "true"
+  include.release.openshift.io/ibm-cloud-managed: "true"
+  include.release.openshift.io/self-managed-high-availability: "true"
+  include.release.openshift.io/single-node-developer: "true"
+  capability.openshift.io/name: Storage
+spec:
+ podSelector:
+   matchLabels:
+     openshift.storage.network-policy.all-egress: allow
+ egress:
+ - ports:
+   - protocol: TCP
+     port: 1
+     endPort: 65535
+ policyTypes:
+ - Egress

assets/overlays/openstack-manila/base/network-policy-allow-egress-to-api-server.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-egress-to-api-server
+ namespace: ${NAMESPACE}
+ annotations:
+  include.release.openshift.io/hypershift: "true"
+  include.release.openshift.io/ibm-cloud-managed: "true"
+  include.release.openshift.io/self-managed-high-availability: "true"
+  include.release.openshift.io/single-node-developer: "true"
+  capability.openshift.io/name: Storage
+spec:
+ podSelector:
+   matchLabels:
+     openshift.storage.network-policy.api-server: allow
+ egress:
+ - ports:
+   - protocol: TCP
+     port: 6443
+ policyTypes:
+ - Egress

assets/overlays/openstack-manila/base/network-policy-allow-ingress-to-metrics.yaml

@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-ingress-to-metrics-range
+ namespace: ${NAMESPACE}
+ annotations:
+  include.release.openshift.io/hypershift: "true"
+  include.release.openshift.io/ibm-cloud-managed: "true"
+  include.release.openshift.io/self-managed-high-availability: "true"
+  include.release.openshift.io/single-node-developer: "true"
+  capability.openshift.io/name: Storage
+spec:
+ podSelector:
+   matchLabels:
+     openshift.storage.network-policy.metrics-range: allow
+ ingress:
+ - ports:
+   - protocol: TCP
+     port: 9201
+     endPort: 9223
+ policyTypes:
+ - Ingress

assets/overlays/openstack-manila/base/network-policy-allow-to-dns.yaml

@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-to-dns
+ namespace: ${NAMESPACE}
+ annotations:
+  include.release.openshift.io/hypershift: "true"
+  include.release.openshift.io/ibm-cloud-managed: "true"
+  include.release.openshift.io/self-managed-high-availability: "true"
+  include.release.openshift.io/single-node-developer: "true"
+  capability.openshift.io/name: Storage
+spec:
+  podSelector:
+    matchLabels:
+      openshift.storage.network-policy.dns: allow
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-dns
+      podSelector:
+        matchLabels:
+          dns.operator.openshift.io/daemonset-dns: default
+    ports:
+    - protocol: TCP
+      port: dns-tcp
+    - protocol: UDP
+      port: dns
+  policyTypes:
+  - Egress

assets/overlays/openstack-manila/generated/hypershift/manifests.yaml

@@ -3,6 +3,10 @@ controllerStaticAssetNames:
 - controller.yaml
 - controller_pdb.yaml
 - controller_sa.yaml
+- network-policy-allow-all-egress.yaml
+- network-policy-allow-egress-to-api-server.yaml
+- network-policy-allow-ingress-to-metrics.yaml
+- network-policy-allow-to-dns.yaml
 - service.yaml
 guestStaticAssetNames:
 - csidriver.yaml

assets/overlays/openstack-manila/generated/hypershift/network-policy-allow-all-egress.yaml

@@ -0,0 +1,28 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/openstack-manila/base/network-policy-allow-all-egress.yaml
+#
+#
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    capability.openshift.io/name: Storage
+    include.release.openshift.io/hypershift: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  name: allow-all-egress
+  namespace: ${NAMESPACE}
+spec:
+  egress:
+  - ports:
+    - endPort: 65535
+      port: 1
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      openshift.storage.network-policy.all-egress: allow
+  policyTypes:
+  - Egress

assets/overlays/openstack-manila/generated/hypershift/network-policy-allow-egress-to-api-server.yaml

@@ -0,0 +1,27 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/openstack-manila/base/network-policy-allow-egress-to-api-server.yaml
+#
+#
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    capability.openshift.io/name: Storage
+    include.release.openshift.io/hypershift: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  name: allow-egress-to-api-server
+  namespace: ${NAMESPACE}
+spec:
+  egress:
+  - ports:
+    - port: 6443
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      openshift.storage.network-policy.api-server: allow
+  policyTypes:
+  - Egress

assets/overlays/openstack-manila/generated/hypershift/network-policy-allow-ingress-to-metrics.yaml

@@ -0,0 +1,28 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/openstack-manila/base/network-policy-allow-ingress-to-metrics.yaml
+#
+#
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    capability.openshift.io/name: Storage
+    include.release.openshift.io/hypershift: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  name: allow-ingress-to-metrics-range
+  namespace: ${NAMESPACE}
+spec:
+  ingress:
+  - ports:
+    - endPort: 9223
+      port: 9201
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      openshift.storage.network-policy.metrics-range: allow
+  policyTypes:
+  - Ingress

assets/overlays/openstack-manila/generated/hypershift/network-policy-allow-to-dns.yaml

@@ -0,0 +1,36 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/openstack-manila/base/network-policy-allow-to-dns.yaml
+#
+#
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    capability.openshift.io/name: Storage
+    include.release.openshift.io/hypershift: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  name: allow-to-dns
+  namespace: ${NAMESPACE}
+spec:
+  egress:
+  - ports:
+    - port: dns-tcp
+      protocol: TCP
+    - port: dns
+      protocol: UDP
+    to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-dns
+      podSelector:
+        matchLabels:
+          dns.operator.openshift.io/daemonset-dns: default
+  podSelector:
+    matchLabels:
+      openshift.storage.network-policy.dns: allow
+  policyTypes:
+  - Egress

assets/overlays/openstack-manila/generated/standalone/manifests.yaml

@@ -5,6 +5,10 @@ controllerStaticAssetNames:
 - controller_sa.yaml
 - kube_rbac_proxy_binding.yaml
 - kube_rbac_proxy_role.yaml
+- network-policy-allow-all-egress.yaml
+- network-policy-allow-egress-to-api-server.yaml
+- network-policy-allow-ingress-to-metrics.yaml
+- network-policy-allow-to-dns.yaml
 - prometheus_binding.yaml
 - prometheus_role.yaml
 - service.yaml