openshift · liouk · Mar 23, 2026
diff --git a/deploy/09_networkpolicy-operand.yaml b/deploy/09_networkpolicy-operand.yaml
@@ -0,0 +1,34 @@
+# NOTE: The operand DaemonSet uses hostNetwork: true and binds to 127.0.0.1,
+# so NetworkPolicy has no effect on it (NetworkPolicy only applies to
+# pod-network traffic). This resource is provided for documentation purposes
+# and as a safeguard in case the networking mode changes in the future.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: run-once-duration-override-operand
+  namespace: openshift-run-once-duration-override-operator
+spec:
+  podSelector:
+    matchLabels:
+      runoncedurationoverride: "true"
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    # kube-apiserver -> webhook admission endpoint on port 9448 (TLS)
+    - ports:
+        - protocol: TCP
+          port: 9448
+  egress:
+    # DNS
+    - to:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-dns
+      ports:
+      - protocol: TCP
+        port: 5353
+      - protocol: UDP
+        port: 5353
+    # Kubernetes API server (read-only: namespaces, webhook configs, flowcontrol)
+    - {}
diff --git a/deploy/09_networkpolicy-operator.yaml b/deploy/09_networkpolicy-operator.yaml
@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: run-once-duration-override-operator
+  namespace: openshift-run-once-duration-override-operator
+spec:
+  podSelector:
+    matchLabels:
+      runoncedurationoverride.operator: "true"
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    # kubelet health probes (readiness + liveness) on /healthz
+    - ports:
+        - protocol: TCP
+          port: 8080
+  egress:
+    # DNS
+    - to:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-dns
+      ports:
+      - protocol: TCP
+        port: 5353
+      - protocol: UDP
+        port: 5353
+    # Kubernetes and OpenShift API server (watches, CRUD on operand resources)
+    - {}
diff --git a/deploy/10_networkpolicy-default-deny-all.yaml b/deploy/10_networkpolicy-default-deny-all.yaml
@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: openshift-run-once-duration-override-operator
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
diff --git a/test/e2e/bindata/assets/networkpolicy-default-deny-all.yaml b/test/e2e/bindata/assets/networkpolicy-default-deny-all.yaml
@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: openshift-run-once-duration-override-operator
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
diff --git a/test/e2e/bindata/assets/networkpolicy-operand.yaml b/test/e2e/bindata/assets/networkpolicy-operand.yaml
@@ -0,0 +1,34 @@
+# NOTE: The operand DaemonSet uses hostNetwork: true and binds to 127.0.0.1,
+# so NetworkPolicy has no effect on it (NetworkPolicy only applies to
+# pod-network traffic). This resource is provided for documentation purposes
+# and as a safeguard in case the networking mode changes in the future.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: run-once-duration-override-operand
+  namespace: openshift-run-once-duration-override-operator
+spec:
+  podSelector:
+    matchLabels:
+      runoncedurationoverride: "true"
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    # kube-apiserver -> webhook admission endpoint on port 9448 (TLS)
+    - ports:
+        - protocol: TCP
+          port: 9448
+  egress:
+    # DNS
+    - to:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-dns
+      ports:
+      - protocol: TCP
+        port: 5353
+      - protocol: UDP
+        port: 5353
+    # Kubernetes API server (read-only: namespaces, webhook configs, flowcontrol)
+    - {}
diff --git a/test/e2e/bindata/assets/networkpolicy-operator.yaml b/test/e2e/bindata/assets/networkpolicy-operator.yaml
@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: run-once-duration-override-operator
+  namespace: openshift-run-once-duration-override-operator
+spec:
+  podSelector:
+    matchLabels:
+      runoncedurationoverride.operator: "true"
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    # kubelet health probes (readiness + liveness) on /healthz
+    - ports:
+        - protocol: TCP
+          port: 8080
+  egress:
+    # DNS
+    - to:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-dns
+      ports:
+      - protocol: TCP
+        port: 5353
+      - protocol: UDP
+        port: 5353
+    # Kubernetes and OpenShift API server (watches, CRUD on operand resources)
+    - {}
diff --git a/test/e2e/operator.go b/test/e2e/operator.go
@@ -176,6 +176,27 @@ func setupOperator(t testing.TB) (context.Context, context.CancelFunc, *k8sclien
 				return err
 			},
 		},
+		{
+			path: "assets/networkpolicy-operator.yaml",
+			readerAndApply: func(objBytes []byte) error {
+				_, _, err := resourceapply.ApplyNetworkPolicy(ctx, kubeClient.NetworkingV1(), eventRecorder, resourceread.ReadNetworkPolicyV1OrDie(objBytes), nil)
+				return err
+			},
+		},
+		{
+			path: "assets/networkpolicy-operand.yaml",
+			readerAndApply: func(objBytes []byte) error {
+				_, _, err := resourceapply.ApplyNetworkPolicy(ctx, kubeClient.NetworkingV1(), eventRecorder, resourceread.ReadNetworkPolicyV1OrDie(objBytes), nil)
+				return err
+			},
+		},
+		{
+			path: "assets/networkpolicy-default-deny-all.yaml",
+			readerAndApply: func(objBytes []byte) error {
+				_, _, err := resourceapply.ApplyNetworkPolicy(ctx, kubeClient.NetworkingV1(), eventRecorder, resourceread.ReadNetworkPolicyV1OrDie(objBytes), nil)
+				return err
+			},
+		},
 	}
 
 	// Apply all assets