Newly added Networkpolicy is wrong

[xhejtman]

Hello,

noticed that you added default network policy for admin acces in the latest version 1.5.0. This policy is basicaly useless:

ingress:
  - ports:
      - port: 6379
        protocol: TCP
  - from:
      - namespaceSelector: {}
        podSelector:
          matchLabels:
            control-plane: controller-manager
      - podSelector:
          matchLabels:
            app: app-dragonfly
            app.kubernetes.io/name: dragonfly
            app.kubernetes.io/part-of: dragonfly
    ports:
      - port: 9999
        protocol: TCP

All the attacker needs to do is add the control-plane: controller-manager label to his pod, which then grants access to the admin port. The namespaceSelector should be configured (or at least be configurable) to restrict access to the operator’s namespace only.

[107142]

This policy effectively allows access to port 6379 to all pods. Calling it insecure is an understaement.

[xhejtman]

Yes, the instance namespace should also be set for the port 6379. While users can always broaden access by adding additional policies, they cannot apply a more restrictive policy once the port has been opened.

Adding a default network policy to the operator is indeed a very good idea and reinforces proper security habbits.

[miledxz]

@xhejtman @107142 thanks for heads up and opening an issue, I will try to fix it and open PR soon