Clee2691
Contributor

Description

This PR adds a default NetworkPolicy to allow all ingress and egress traffic for the collector pods.

This ensures logging continues to function in hardened environments that use AdminNetworkPolicy (ANP).

To be effective against a cluster-wide Deny rule, this policy requires a corresponding high-priority ANP that delegates traffic decisions (action: Pass) for the collector pods.

/cc @cahartma @vparfonov
/assign @jcantrill

Links
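
The two objects the description refers to, sketched as an added example (not the manifests from this PR): the allow-all NetworkPolicy for the collector pods and a high-priority ANP that passes their traffic down to it. The namespace, pod label, object names and priority value are assumptions; the ANP uses the upstream `policy.networking.k8s.io/v1alpha1` schema.

```yaml
# Added example. Names, namespace, labels and priority are assumptions,
# not values taken from the PR.
---
# 1) Namespace-scoped allow-all policy for the collector pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: collector-allow-all            # hypothetical name
  namespace: openshift-logging         # assumed namespace
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: collector   # assumed collector label
  policyTypes: [Ingress, Egress]
  ingress:
  - {}                                 # empty rule = all sources, all ports
  egress:
  - {}                                 # empty rule = all destinations, all ports
---
# 2) Cluster-scoped ANP. Pass skips any lower-precedence ANP rules (such as
#    a cluster-wide Deny) and hands the decision to the NetworkPolicy above.
apiVersion: policy.networking.k8s.io/v1alpha1
kind: AdminNetworkPolicy
metadata:
  name: pass-logging-collectors        # hypothetical name
spec:
  priority: 5                          # assumed; lower number = higher precedence,
                                       # must be numerically lower than the Deny ANP's
  subject:
    pods:
      namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-logging
      podSelector:
        matchLabels:
          app.kubernetes.io/component: collector
  ingress:
  - name: pass-collector-ingress
    action: Pass
    from:
    - namespaces: {}                   # all namespaces
  egress:
  - name: pass-collector-egress
    action: Pass
    to:
    - namespaces: {}                   # in-cluster destinations
    - networks: ["0.0.0.0/0", "::/0"]  # external log outputs
```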

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Aug 29, 2025

openshift-ci-robot commented Aug 29, 2025

@Clee2691: This pull request references LOG-7572 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.8.0" version, but no target version was set.

@openshift-ci openshift-ci bot requested review from cahartma and vparfonov August 29, 2025 18:57
@@ -0,0 +1,102 @@
= NetworkPolicy for Collector Pods

The Cluster Logging Operator automatically creates and manages a `NetworkPolicy` for its collector pods to ensure they function in restrictive network environments, even if a cluster-wide `AdminNetworkPolicy` would otherwise block their traffic.
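
Review bot: The opening paragraph overstates what the managed NetworkPolicy does when it says collectors keep working "even if a cluster-wide `AdminNetworkPolicy` would otherwise block their traffic". Per the PR description, that only holds when a high-priority ANP delegates the decision for the collector pods with action: Pass, so as worded an administrator could read this as the NetworkPolicy overriding an ANP Deny by itself. Suggest naming the Pass prerequisite in this paragraph, or pointing to the section that covers it, and stating here that the managed policy allows all ingress and egress so readers know its scope.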
Contributor

This reminds me that we need an ingress NP for LFME since it is scraped by metrics. Ideally this could simply be added to the manifest which means maybe we can wait? It would be nice not to need to manage this policy.

Contributor Author

Yes I think that would be possible since we can just target the LFME pods

Contributor

Let's add a JIRA to deploy policy based upon the occurrence of an LFME deployment. I think it's reasonable to do the same and I don't want to have to wait for the OLM changes to land.

Contributor Author

Added JIRA for LFME NP

Contributor

openshift-ci bot commented Aug 29, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Clee2691, jcantrill

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 29, 2025
Contributor Author

Clee2691 commented Sep 3, 2025

/retest

Contributor

openshift-ci bot commented Sep 4, 2025

@Clee2691: all tests passed!

@jcantrill
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 4, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit d5ab2ce into openshift:master Sep 4, 2025
8 checks passed
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. release/6.4