From e7e398288e4866f021619f136814f245f31f6559 Mon Sep 17 00:00:00 2001 From: Wen Zhou Date: Mon, 19 Feb 2024 17:52:46 +0100 Subject: [PATCH] feat(nwp): add ingress from cluster-monitoring to applicationnamespace (#863) * feat(nwp): add ingress from cluster-monitoring to applicationnamespace Signed-off-by: Wen Zhou * update: code review and clean NWP not needed for now Signed-off-by: Wen Zhou --------- Signed-off-by: Wen Zhou --- controllers/dscinitialization/utils.go | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/controllers/dscinitialization/utils.go b/controllers/dscinitialization/utils.go index fc87113204e..4fce7baf52f 100644 --- a/controllers/dscinitialization/utils.go +++ b/controllers/dscinitialization/utils.go @@ -238,7 +238,7 @@ func (r *DSCInitializationReconciler) reconcileDefaultNetworkPolicy(ctx context. r.Log.Error(err, "error to set networkpolicy in applications namespace", "path", networkpolicyPath) return err } - } else { // Expected namespace for the given name + } else { // Expected namespace for the given name in ODH desiredNetworkPolicy := &netv1.NetworkPolicy{ TypeMeta: metav1.TypeMeta{ Kind: "NetworkPolicy", @@ -255,7 +255,11 @@ func (r *DSCInitializationReconciler) reconcileDefaultNetworkPolicy(ctx context. Ingress: []netv1.NetworkPolicyIngressRule{ { From: []netv1.NetworkPolicyPeer{ - { + { /* allow ODH namespace <->ODH namespace: + - default notebook project: rhods-notebooks + - redhat-odh-monitoring + - redhat-odh-applications / opendatahub + */ NamespaceSelector: &metav1.LabelSelector{ // AND logic MatchLabels: map[string]string{ cluster.ODHGeneratedNamespaceLabel: "true", @@ -266,7 +270,7 @@ func (r *DSCInitializationReconciler) reconcileDefaultNetworkPolicy(ctx context. }, { // OR logic 
 From: []netv1.NetworkPolicyPeer{
- { // need this for access dashboard
+ { // need this to access external-> dashboard
 NamespaceSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{
 "network.openshift.io/policy-group": "ingress",
@@ -277,7 +281,7 @@ func (r *DSCInitializationReconciler) reconcileDefaultNetworkPolicy(ctx context.
 },
 { // OR logic for PSI
 From: []netv1.NetworkPolicyPeer{
- { // need this to access dashboard
+ { // need this to access external->dashboard
 NamespaceSelector: &metav1.LabelSelector{
 MatchLabels: map[string]string{
 "kubernetes.io/metadata.name": "openshift-host-network",
@@ -286,6 +290,17 @@ func (r *DSCInitializationReconciler) reconcileDefaultNetworkPolicy(ctx context.
 },
 },
 },
+ {
+ From: []netv1.NetworkPolicyPeer{
+ { // need this for cluster-monitoring work: cluster-monitoring->ODH namespaces
+ NamespaceSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "kubernetes.io/metadata.name": "openshift-monitoring",
+ },
+ },
+ },
+ },
+ },
 },
 PolicyTypes: []netv1.PolicyType{
 netv1.PolicyTypeIngress,
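Review bot: The rule appended at the end of the `Ingress` list admits every pod in `openshift-monitoring` on every port, because its peer carries only a `NamespaceSelector` and the rule has no `Ports` field. If the intent is only metrics scraping by the cluster monitoring stack (inferred from the comment), narrow it by adding a `Ports` list to the rule and a pod selector to the peer, e.g. `PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"<prometheus-pod-label>": "<value>"}},` with the label taken from the monitoring deployment. Matching on `kubernetes.io/metadata.name` is a sound choice for the namespace side, since that label is set by the API server rather than by whoever can edit namespace labels. The policy's own pod selector and the rest of `reconcileDefaultNetworkPolicy` lie outside the hunk, so which pods in the application namespace receive this traffic cannot be confirmed from here.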