create default network policy for shoot

pkg/apis/ironcore/types_infrastructure.go

@@ -21,6 +21,8 @@ type InfrastructureConfig struct {
 	// NATPortsPerNetworkInterface defines the minimum number of ports per network interface the NAT gateway should use.
 	// Has to be a power of 2. If empty, 2048 is the default.
 	NATPortsPerNetworkInterface *int32
+	//NetworkPolicy is reference to the NetworkPolicy to use for the Shoot creation.
+	NetworkPolicyRef *commonv1alpha1.LocalUIDReference
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -35,4 +37,6 @@ type InfrastructureStatus struct {
 	NATGatewayRef commonv1alpha1.LocalUIDReference
 	// PrefixRef is the reference to the Prefix used
 	PrefixRef commonv1alpha1.LocalUIDReference
+	//NetworkPolicy is reference to the NetworkPolicy defined
+	NetworkPolicyRef commonv1alpha1.LocalUIDReference
 }

pkg/apis/ironcore/v1alpha1/types_infrastructure.go

@@ -21,6 +21,8 @@ type InfrastructureConfig struct {
 	// NATPortsPerNetworkInterface defines the minimum number of ports per network interface the NAT gateway should use.
 	// Has to be a power of 2. If empty, 2048 is the default.
 	NATPortsPerNetworkInterface *int32 `json:"natPortsPerNetworkInterface,omitempty"`
+	//NetworkPolicy is reference to the NetworkPolicy to use for the Shoot creation.
+	NetworkPolicyRef *commonv1alpha1.LocalUIDReference `json:"networkPolicyRef,omitempty"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -35,4 +37,6 @@ type InfrastructureStatus struct {
 	NATGatewayRef commonv1alpha1.LocalUIDReference `json:"natGatewayRef,omitempty"`
 	// PrefixRef is the reference to the Prefix used
 	PrefixRef commonv1alpha1.LocalUIDReference `json:"prefixRef,omitempty"`
+	//NetworkPolicy is reference to the NetworkPolicy defined
+	NetworkPolicyRef commonv1alpha1.LocalUIDReference `json:"networkPolicyRef,omitempty"`
 }

pkg/controller/infrastructure/actuator_reconcile.go

@@ -66,10 +66,15 @@ func (a *actuator) reconcile(ctx context.Context, log logr.Logger, infra *extens
 		return err
 	}
 
+	networkPolicy, err := a.applyNetworkPolicy(ctx, ironcoreClient, namespace, config, cluster, network)
+	if err != nil {
+		return err
+	}
+
 	log.V(2).Info("Successfully reconciled infrastructure")
 
 	// update status
-	return a.updateProviderStatus(ctx, infra, network, natGateway, prefix)
+	return a.updateProviderStatus(ctx, infra, network, natGateway, prefix, networkPolicy)
 }
 
 func (a *actuator) applyPrefix(ctx context.Context, ironcoreClient client.Client, namespace string, cluster *controller.Cluster) (*ipamv1alpha1.Prefix, error) {
@@ -185,6 +190,49 @@ func (a *actuator) applyNetwork(ctx context.Context, ironcoreClient client.Clien
 	return network, nil
 }
 
+func (a *actuator) applyNetworkPolicy(ctx context.Context, ironcoreClient client.Client, namespace string, config *api.InfrastructureConfig, cluster *controller.Cluster, network *networkingv1alpha1.Network) (*networkingv1alpha1.NetworkPolicy, error) {
+	if config != nil && config.NetworkPolicyRef != nil {
+		networkPolicy := &networkingv1alpha1.NetworkPolicy{}
+		networkKey := client.ObjectKey{Namespace: namespace, Name: config.NetworkRef.Name}
+		if err := ironcoreClient.Get(ctx, networkKey, networkPolicy); err != nil {
+			return nil, fmt.Errorf("failed to get network policy %s: %w", networkKey, err)
+		}
+		return networkPolicy, nil
+	}
+
+	networkPolicy := &networkingv1alpha1.NetworkPolicy{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "NetworkPolicy",
+			APIVersion: "networking.ironcore.dev/v1alpha1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: namespace,
+			Name:      generateResourceNameFromCluster(cluster),
+		},
+		Spec: networkingv1alpha1.NetworkPolicySpec{
+			NetworkRef: corev1.LocalObjectReference{
+				Name: network.Name,
+			},
+			NetworkInterfaceSelector: metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					ironcore.ClusterNameLabel: cluster.ObjectMeta.Name,
+				},
+			},
+			Ingress: []networkingv1alpha1.NetworkPolicyIngressRule{},
+			Egress:  []networkingv1alpha1.NetworkPolicyEgressRule{},
+			PolicyTypes: []networkingv1alpha1.PolicyType{
+				networkingv1alpha1.PolicyTypeIngress,
+				networkingv1alpha1.PolicyTypeEgress,
+			},
+		},
+	}
+
+	if _, err := controllerutil.CreateOrPatch(ctx, ironcoreClient, networkPolicy, nil); err != nil {
+		return nil, fmt.Errorf("failed to apply network policy %s: %w", client.ObjectKeyFromObject(networkPolicy), err)
+	}
+	return networkPolicy, nil
+}
+
 func generateResourceNameFromCluster(cluster *controller.Cluster) string {
 	// TODO: use cluster.Name
 	// alternatively shoot.status.technicalID
@@ -197,6 +245,7 @@ func (a *actuator) updateProviderStatus(
 	network *networkingv1alpha1.Network,
 	natGateway *networkingv1alpha1.NATGateway,
 	prefix *ipamv1alpha1.Prefix,
+	networkPolicy *networkingv1alpha1.NetworkPolicy,
 ) error {
 	infraStatus := &apiv1alpha1.InfrastructureStatus{
 		TypeMeta: metav1.TypeMeta{
@@ -215,6 +264,10 @@ func (a *actuator) updateProviderStatus(
 			Name: prefix.Name,
 			UID:  prefix.UID,
 		},
+		NetworkPolicyRef: v1alpha1.LocalUIDReference{
+			Name: networkPolicy.Name,
+			UID:  networkPolicy.UID,
+		},
 	}
 	infraBase := infra.DeepCopy()
 	infra.Status.ProviderStatus = &runtime.RawExtension{

pkg/controller/infrastructure/actuator_reconcile_test.go

@@ -28,7 +28,7 @@ import (
 var _ = Describe("Infrastructure Reconcile", func() {
 	ns := SetupTest()
 
-	It("should create a network, natgateway and prefix for a given infrastructure configuration", func(ctx SpecContext) {
+	It("should create a network, natgateway, prefix and network policy for a given infrastructure configuration", func(ctx SpecContext) {
 		By("getting the cluster object")
 		cluster, err := extensionscontroller.GetCluster(ctx, k8sClient, ns.Name)
 		Expect(err).NotTo(HaveOccurred())
@@ -115,6 +115,21 @@ var _ = Describe("Infrastructure Reconcile", func() {
 			HaveField("Spec.Prefix", commonv1alpha1.MustParseNewIPPrefix("10.0.0.0/24")),
 		))
 
+		By("expecting a network policy being created")
+		networkPolicy := &networkingv1alpha1.NetworkPolicy{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: ns.Name,
+				Name:      generateResourceNameFromCluster(cluster),
+			},
+		}
+
+		Eventually(Object(networkPolicy)).Should(SatisfyAll(
+			HaveField("Spec.NetworkRef", corev1.LocalObjectReference{
+				Name: network.Name,
+			}),
+			HaveField("Spec.NetworkInterfaceSelector.MatchLabels", HaveKeyWithValue("extension.ironcore.dev/cluster-name", cluster.ObjectMeta.Name)),
+		))
+
 		By("ensuring that the infrastructure state contains the correct refs")
 		providerStatus := map[string]interface{}{
 			"apiVersion": "ironcore.provider.extensions.gardener.cloud/v1alpha1",
@@ -131,6 +146,10 @@ var _ = Describe("Infrastructure Reconcile", func() {
 				"name": prefix.Name,
 				"uid":  prefix.UID,
 			},
+			"networkPolicyRef": map[string]interface{}{
+				"name": networkPolicy.Name,
+				"uid":  networkPolicy.UID,
+			},
 		}
 		providerStatusJSON, err := json.Marshal(providerStatus)
 		Expect(err).NotTo(HaveOccurred())
@@ -139,7 +158,7 @@ var _ = Describe("Infrastructure Reconcile", func() {
 		))
 	})
 
-	It("should create a network, natgateway and prefix for a given infrastructure configuration", func(ctx SpecContext) {
+	It("should create a network, natgateway, prefix and network policy for a given infrastructure configuration", func(ctx SpecContext) {
 		By("getting the cluster object")
 		cluster, err := extensionscontroller.GetCluster(ctx, k8sClient, ns.Name)
 		Expect(err).NotTo(HaveOccurred())
@@ -223,6 +242,20 @@ var _ = Describe("Infrastructure Reconcile", func() {
 			HaveField("Spec.Prefix", commonv1alpha1.MustParseNewIPPrefix("10.0.0.0/24")),
 		))
 
+		By("expecting a network policy being created")
+		networkPolicy := &networkingv1alpha1.NetworkPolicy{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: ns.Name,
+				Name:      generateResourceNameFromCluster(cluster),
+			},
+		}
+
+		Eventually(Object(networkPolicy)).Should(SatisfyAll(
+			HaveField("Spec.NetworkRef", corev1.LocalObjectReference{
+				Name: network.Name,
+			}),
+		))
+
 		By("ensuring that the infrastructure state contains the correct refs")
 		providerStatus := map[string]interface{}{
 			"apiVersion": "ironcore.provider.extensions.gardener.cloud/v1alpha1",
@@ -239,6 +272,10 @@ var _ = Describe("Infrastructure Reconcile", func() {
 				"name": prefix.Name,
 				"uid":  prefix.UID,
 			},
+			"networkPolicyRef": map[string]interface{}{
+				"name": networkPolicy.Name,
+				"uid":  networkPolicy.UID,
+			},
 		}
 		providerStatusJSON, err := json.Marshal(providerStatus)
 		Expect(err).NotTo(HaveOccurred())