
fix(security): harden default NetworkPolicy for client and admin ports #514

Open

miledxz wants to merge 1 commit into main from network-policy-update
Conversation

@miledxz miledxz commented Apr 8, 2026

Fixes the issue #509 where the default NetworkPolicy was effectively granting
unrestricted access to port 6379 and allowing any pod with the
control-plane: controller-manager label to reach the admin port from
any namespace.

  • Restrict port 6379 (client) and memcached port to same-namespace pods only,
    instead of being open to the entire cluster
  • Pin admin port (9999) operator access to the operator's actual namespace using
    the kubernetes.io/metadata.name well-known label, preventing cross-namespace
    access via spoofed pod labels
  • Secure fallback: when the operator namespace cannot be determined, the admin
    port defaults to same-namespace-only access
  • Add POD_NAMESPACE env var to both Helm chart and kustomize deployment
    manifests via the Downward API for reliable namespace detection

@miledxz miledxz linked an issue Apr 8, 2026 that may be closed by this pull request
@miledxz miledxz requested review from Abhra303 and Copilot April 8, 2026 07:22
Copilot AI left a comment

Pull request overview

This PR hardens the operator-generated default NetworkPolicy for Dragonfly instances to prevent unintended cluster-wide access to the client/memcached ports and to prevent cross-namespace access to the admin port via spoofed pod labels.

Changes:

  • Restrict client port (6379) and memcached port ingress to same-namespace pods only.
  • Pin admin port (9999) operator access to the operator’s namespace using kubernetes.io/metadata.name, with a secure same-namespace fallback when the operator namespace is unknown.
  • Add POD_NAMESPACE (Downward API) to kustomize and Helm deployment manifests and plumb the resolved operator namespace through controllers into resource generation.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

Summary per file:

  internal/resources/resources.go: Extends resource generation API to accept operatorNamespace and tightens NetworkPolicy ingress peers accordingly.
  internal/resources/resources_test.go: Updates/extends tests to validate same-namespace restrictions and operator-namespace pinning + fallback behavior.
  internal/resources/image_test.go: Updates tests for the new GenerateDragonflyResources signature.
  internal/resources/const.go: Adds the well-known namespace label key constant used for namespace pinning.
  internal/controller/dragonfly_instance.go: Passes operatorNamespace into resource generation during reconciliation.
  internal/controller/base_controller.go: Wires OperatorNamespace from reconciler into per-instance controller state.
  config/manager/manager.yaml: Adds POD_NAMESPACE env var via Downward API for kustomize deployment.
  cmd/main.go: Resolves operator namespace (env/file) and injects it into reconcilers; logs resolution outcome.
  charts/dragonfly-operator/templates/deployment.yaml: Adds POD_NAMESPACE env var via Downward API for Helm deployment.

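As an added example (not the project's own code), the lookup order and secure fallback described in both the PR description and the review overview above, in Go: POD_NAMESPACE first, then the service account namespace file, and an admin-port peer that pins on kubernetes.io/metadata.name or falls back to the instance's own namespace when the operator namespace is unknown. The env and file readers are injected so the POD_NAMESPACE-absent path can be exercised offline; the service account file path, the Peer type and the function names are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Label Kubernetes sets on every namespace; a pod cannot forge it the way it
// sets its own labels, so pinning on it closes the spoofed-label path.
const namespaceNameLabel = "kubernetes.io/metadata.name"
// Assumed in-cluster service account namespace file, used as the fallback source.
const saNamespaceFile = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"

// resolveOperatorNamespace tries POD_NAMESPACE (Downward API), then the service
// account file; "" means unknown, and the caller must stay same-namespace-only.
func resolveOperatorNamespace(lookupEnv func(string) (string, bool), readFile func(string) ([]byte, error)) string {
	if ns, ok := lookupEnv("POD_NAMESPACE"); ok && ns != "" {
		return ns
	}
	if data, err := readFile(saNamespaceFile); err == nil {
		if ns := strings.TrimSpace(string(data)); ns != "" {
			return ns
		}
	}
	return ""
}

// Peer is a minimal stand-in (assumption) for a NetworkPolicy ingress peer's selectors.
type Peer struct {
	NamespaceLabels map[string]string // namespaceSelector.matchLabels
	PodLabels       map[string]string // podSelector.matchLabels
}

// adminPortPeer pins the admin-port (9999) peer to the operator namespace when
// known, otherwise to the instance's own namespace, never to every namespace.
func adminPortPeer(operatorNS, instanceNS string) Peer {
	ns := operatorNS
	if ns == "" {
		ns = instanceNS
	}
	return Peer{
		NamespaceLabels: map[string]string{namespaceNameLabel: ns},
		PodLabels:       map[string]string{"control-plane": "controller-manager"},
	}
}

func main() {
	ns := resolveOperatorNamespace(os.LookupEnv, os.ReadFile)
	fmt.Printf("operator namespace %q -> admin peer %+v\n", ns, adminPortPeer(ns, "default"))
}
```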
@Abhra303 Abhra303 left a comment

LGTM

Comment thread cmd/main.go
	if ns, ok := os.LookupEnv("POD_NAMESPACE"); ok && ns != "" {
		return ns
	}
	if data, err := os.ReadFile(saFile); err == nil {
Did you test this? (if POD_NAMESPACE is not available)

Development

Successfully merging this pull request may close these issues.

Newly added Networkpolicy is wrong