Skip to content

Fix DRA NetworkPolicy: allow API server and DNS egress#1836

Merged
openshift-merge-bot[bot] merged 1 commit into
rh-ecosystem-edge:mainfrom
abyrne55:fix/dra-intree-nodeselector
Jul 2, 2026
Merged

Fix DRA NetworkPolicy: allow API server and DNS egress#1836
openshift-merge-bot[bot] merged 1 commit into
rh-ecosystem-edge:mainfrom
abyrne55:fix/dra-intree-nodeselector

Conversation

@abyrne55

@abyrne55 abyrne55 commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

The DRA NetworkPolicy (from edbb3a3) declares both Ingress and Egress policy types but has no egress rules, which blocks all outbound traffic from the DRA kubelet plugin pod. This prevents the plugin from reaching the API server to create/update ResourceSlices. This PR allows egress to the API server (TCP 443) and DNS (TCP/UDP 53).

This PR was written in part with the assistance of generative AI.

Summary by CodeRabbit

  • Bug Fixes
    • Updated network access rules for DRA pods to allow only the required outbound connections.
    • Egress traffic is now limited to HTTPS and DNS, improving cluster network security.
  • Tests
    • Adjusted coverage to verify the new outbound network rules and expected allowed ports/protocols.

@netlify

netlify Bot commented Jun 26, 2026

Copy link
Copy Markdown

Deploy Preview for openshift-kmm ready!

Name Link
🔨 Latest commit 60fd872
🔍 Latest deploy log https://app.netlify.com/projects/openshift-kmm/deploys/6a4693f705f7fe0009c0040a
😎 Deploy Preview https://deploy-preview-1836--openshift-kmm.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@openshift-ci

openshift-ci Bot commented Jun 26, 2026

Copy link
Copy Markdown

Hi @abyrne55. Thanks for your PR.

I'm waiting for a rh-ecosystem-edge member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown

Review Change Stack

Walkthrough

DRANetworkPolicy now defines explicit egress rules for TCP 443 and DNS over TCP/UDP 53, and the corresponding test assertions were updated to match the new policy spec.

Changes

DRA Network Policy Egress

Layer / File(s) Summary
Allow HTTPS and DNS egress in DRANetworkPolicy
internal/networkpolicy/networkpolicy.go
Adds NetworkPolicyEgressRule entries for TCP 443 and TCP/UDP 53 to the DRA network policy spec.
Update egress assertions
internal/networkpolicy/networkpolicy_test.go
Updates the test to expect two egress rules and verify the allowed ports and protocols.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

Suggested labels: lgtm

Suggested reviewers: ybettan, yevgeny-shnaidman

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: updating DRA NetworkPolicy to allow API server and DNS egress.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@abyrne55 abyrne55 force-pushed the fix/dra-intree-nodeselector branch from aec61d2 to 97a5983 Compare June 27, 2026 00:37
@abyrne55 abyrne55 changed the title Fix DRA DaemonSet nodeSelector for in-tree module mode Fix DRA for in-tree driver mode: nodeSelector and NetworkPolicy egress Jun 27, 2026
@abyrne55 abyrne55 force-pushed the fix/dra-intree-nodeselector branch from 97a5983 to 45def6e Compare June 27, 2026 00:39
@abyrne55 abyrne55 force-pushed the fix/dra-intree-nodeselector branch from 45def6e to db6aa1e Compare June 29, 2026 14:43
@abyrne55 abyrne55 changed the title Fix DRA for in-tree driver mode: nodeSelector and NetworkPolicy egress Fix DRA NetworkPolicy: add allow-all egress rule Jun 29, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/networkpolicy/networkpolicy.go`:
- Around line 204-206: Update the network policy test expectation to match
DRANetworkPolicy’s current egress behavior: the test in networkpolicy_test.go
should no longer assert that result.Spec.Egress is empty, and instead should
verify that it contains a single empty networkingv1.NetworkPolicyEgressRule
representing allow-all egress. Use the DRANetworkPolicy symbol and the egress
assertion in the test to locate the check and adjust it accordingly.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a5ad72af-3005-4408-b3ab-02156ea854c5

📥 Commits

Reviewing files that changed from the base of the PR and between aec61d2 and db6aa1e.

📒 Files selected for processing (1)
  • internal/networkpolicy/networkpolicy.go

Comment on lines +204 to +206
Egress: []networkingv1.NetworkPolicyEgressRule{
{}, // Allow all egress — DRA kubelet plugin needs API server access for ResourceSlice management
},

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find the DRANetworkPolicy test and its Egress assertions
fd -t f 'networkpolicy_test.go' internal/networkpolicy --exec rg -n -C2 'Spec.Egress' {}

Repository: rh-ecosystem-edge/kernel-module-management

Length of output: 823


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the relevant portion of the test file with names and assertions
sed -n '150,235p' internal/networkpolicy/networkpolicy_test.go | cat -n

printf '\n---\n'

# Inspect the implementation around the allow-all egress rule
sed -n '180,225p' internal/networkpolicy/networkpolicy.go | cat -n

Repository: rh-ecosystem-edge/kernel-module-management

Length of output: 5099


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate the DRANetworkPolicy test and show its surrounding assertions
rg -n -C6 'DRANetworkPolicy|draNetworkPolicy' internal/networkpolicy/networkpolicy_test.go

Repository: rh-ecosystem-edge/kernel-module-management

Length of output: 1340


Update the DRA network policy test expectation
internal/networkpolicy/networkpolicy_test.go still asserts Expect(result.Spec.Egress).To(BeEmpty()), but DRANetworkPolicy now returns a single empty egress rule. Assert the allow-all egress rule instead.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/networkpolicy/networkpolicy.go` around lines 204 - 206, Update the
network policy test expectation to match DRANetworkPolicy’s current egress
behavior: the test in networkpolicy_test.go should no longer assert that
result.Spec.Egress is empty, and instead should verify that it contains a single
empty networkingv1.NetworkPolicyEgressRule representing allow-all egress. Use
the DRANetworkPolicy symbol and the egress assertion in the test to locate the
check and adjust it accordingly.

@abyrne55 abyrne55 force-pushed the fix/dra-intree-nodeselector branch from db6aa1e to 4c2f775 Compare June 29, 2026 15:10
@abyrne55 abyrne55 changed the title Fix DRA NetworkPolicy: add allow-all egress rule Fix DRA NetworkPolicy: allow API server and DNS egress Jun 29, 2026
@TomerNewman

Copy link
Copy Markdown
Member

@abyrne55 Great catch!
/ok-to-test
/approve
/lgtm

@openshift-ci

openshift-ci Bot commented Jun 30, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abyrne55, TomerNewman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@abyrne55

Copy link
Copy Markdown
Contributor Author

/retest

@yevgeny-shnaidman

Copy link
Copy Markdown
Member

@abyrne55 the PR is good, you just need to run "make fmt" and "make lint", and push the changes in order for the ci/prow/lint job to pass

The DRA NetworkPolicy declares both Ingress and Egress policy types
but has no egress rules, which blocks all outbound traffic from the
DRA kubelet plugin pod. This prevents the plugin from reaching the
API server to create/update ResourceSlices. Allow egress to the API
server (TCP 443) and DNS (TCP/UDP 53).

Signed-off-by: Anthony Byrne <abyrne@redhat.com>
@abyrne55 abyrne55 force-pushed the fix/dra-intree-nodeselector branch from 4c2f775 to 60fd872 Compare July 2, 2026 16:38
@openshift-ci openshift-ci Bot removed the lgtm label Jul 2, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
internal/networkpolicy/networkpolicy.go (1)

207-219: 🔒 Security & Privacy | 🔵 Trivial

Consider scoping DRA egress
A ports-only egress rule matches all destinations, so this allows TCP 443 and TCP/UDP 53 to any endpoint. Narrowing to to the API server and CoreDNS pods would reduce exposure where the cluster can express it; otherwise this is a common pattern.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/networkpolicy/networkpolicy.go` around lines 207 - 219, The DRA
egress rules in the NetworkPolicy are ports-only, so they currently allow TCP
443 and TCP/UDP 53 to any destination; update the policy-building logic in
networkpolicy.go to scope these rules with explicit destination selectors where
possible. In the code that constructs the DRA egress policy, add `to`
restrictions for the API server and CoreDNS pods instead of relying on
unrestricted `NetworkPolicyEgressRule` entries, while keeping the existing port
definitions intact.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@internal/networkpolicy/networkpolicy.go`:
- Around line 207-219: The DRA egress rules in the NetworkPolicy are ports-only,
so they currently allow TCP 443 and TCP/UDP 53 to any destination; update the
policy-building logic in networkpolicy.go to scope these rules with explicit
destination selectors where possible. In the code that constructs the DRA egress
policy, add `to` restrictions for the API server and CoreDNS pods instead of
relying on unrestricted `NetworkPolicyEgressRule` entries, while keeping the
existing port definitions intact.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bf709d44-1ddf-48b1-b8df-73f1d550d927

📥 Commits

Reviewing files that changed from the base of the PR and between db6aa1e and 60fd872.

📒 Files selected for processing (2)
  • internal/networkpolicy/networkpolicy.go
  • internal/networkpolicy/networkpolicy_test.go

@yevgeny-shnaidman

Copy link
Copy Markdown
Member

/lgtm

@openshift-ci openshift-ci Bot added the lgtm label Jul 2, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit 3138a60 into rh-ecosystem-edge:main Jul 2, 2026
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants