Merge pull request #395 from sunzhaohua2/policy

openshift-merge-bot[bot] · web-flow · commit 6b845a208131 · 2025-07-10T02:26:06.000Z
OCPCLOUD-2978: add deny all network policy
diff --git a/manifests/0000_26_cloud-controller-manager-operator_10_networkpolicy-default-deny.yaml b/manifests/0000_26_cloud-controller-manager-operator_10_networkpolicy-default-deny.yaml
@@ -0,0 +1,32 @@
+# Default deny all ingress and egress traffic by default in this namespace
+# At the moment no other Network Policy should be needed:
+# - CCCMO & CCM pods are host-networked Pods, so they are not affected by network policies
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny
+  namespace: openshift-cloud-controller-manager-operator
+  annotations:
+    capability.openshift.io/name: CloudControllerManager
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny
+  namespace: openshift-cloud-controller-manager
+  annotations:
+    capability.openshift.io/name: CloudControllerManager
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
