[release-1.0] ESO-222: Implementation of Network Policy for external secrets Operator

[openshift-cherrypick-robot]

This is an automated cherry-pick of #67

/assign bharath-b-rh

[openshift-ci-robot]

@openshift-cherrypick-robot: Ignoring requests to cherry-pick non-bug issues: ESO-222

In response to this:

This is an automated cherry-pick of #67

/assign bharath-b-rh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

Adds two Kubernetes NetworkPolicy manifests for pods labeled app: external-secrets-operator in the system namespace: one denying all traffic and one allowing specific ingress and egress. Updates kustomization to include these policies alongside the existing allow-metrics-traffic.yaml.

Changes

Cohort / File(s)	Summary
NetworkPolicy manifests config/network-policy/allow-network-traffic.yaml, config/network-policy/deny-all.yaml	New policies: allow-egress-api permits egress TCP to 6443 and ingress TCP to 8443/8080; deny-all-traffic selects same pods and denies all by specifying both policyTypes without rules.
Kustomization update config/network-policy/kustomization.yaml	Adds allow-network-traffic.yaml and deny-all.yaml to resources list with existing allow-metrics-traffic.yaml.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 17f2cae and 284edad.

📒 Files selected for processing (3)

• config/network-policy/allow-network-traffic.yaml (1 hunks)
• config/network-policy/deny-all.yaml (1 hunks)
• config/network-policy/kustomization.yaml (1 hunks)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

@openshift-cherrypick-robot: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[bharath-b-rh]

This is an automated cherry-pick PR, hence adding all required labels
/lgtm
/approve
/label px-approved
/label docs-approved
/label qe-approved

[openshift-ci-robot]

@openshift-cherrypick-robot: This pull request references ESO-222 which is a valid jira issue.

In response to this:

This is an automated cherry-pick of #67

/assign bharath-b-rh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bharath-b-rh, openshift-cherrypick-robot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [bharath-b-rh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[emmajiafan]

@CodeRabbit review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.