[WIP] feat: add NetworkPolicy support for TektonTrigger#3531

Open
khrm wants to merge 2 commits into
tektoncd:mainfrom
khrm:feat/networkpolicy-support

Conversation

@khrm khrm commented Jun 23, 2026

Contributor

Changes:

Introduces opt-in NetworkPolicy support for the TektonTrigger component.

New shared infrastructure (pkg/reconciler/common/networkpolicy):

  • NetworkPolicyConfig API type embedded in component specs — supports disabled flag and per-policy overrides via a policies map
  • Generate() — merges user-supplied policies over defaults with deterministic sorted output for stable InstallerSet checksums
  • DefaultDenyPolicy() — shared helper for component-scoped or namespace-wide default-deny policies
  • Platform-specific defaults (PlatformParams) for Kubernetes and OpenShift DNS resolver and Prometheus namespace selectors
  • Rule constructors: DNSEgressRule, APIServerEgressRule, InternetEgressRule, PrometheusIngressRule, WebhookIngressRule

TektonTrigger wiring:

  • Five default NetworkPolicies applied as a named CustomSet (triggers-network-policies):
    • tekton-default-deny — default-deny scoped to app.kubernetes.io/part-of: tekton-triggers pods (temporary; will move to TektonPipeline and become namespace-wide once all components implement NP support)
    • triggers-controller — allows Prometheus ingress on port 9000
    • triggers-webhook — allows webhook ingress on 8443 and Prometheus ingress on 9000
    • triggers-core-interceptors — allows ingress on 8443 from all namespaces (EventListeners are user-controlled)
    • triggers-core-interceptors-egress-internet — allows egress on TCP 80/443 for external API calls
  • Platform detection via v1alpha1.IsOpenShiftPlatform() at controller startup; no extra parameters threaded through public APIs
  • Setting spec.networkPolicy.disabled: true cleans up all policies
  • NetworkPolicyConfig field also added to TektonConfigSpec (reconciler integration deferred)

Submitter Checklist

These are the criteria that every PR should meet; please check them off as you review them:

See the contribution guide for more details.

Release Notes

NONE
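The merge-over-defaults behaviour described in the PR (user overrides keyed by policy name, a `disabled` flag, and sorted output so the InstallerSet checksum stays stable) as an added example; this is not the PR's or the operator's code. It assumes a simplified `Policy` struct in place of the Kubernetes NetworkPolicy type and a constructed subset of the default policies listed above.

```go
package main

import "sort"

// Policy is a minimal stand-in for networking.k8s.io/v1 NetworkPolicy (assumed shape, not the operator's type).
type Policy struct {
	Name        string
	PodSelector map[string]string
	PolicyTypes []string
	Ports       []int32
}

// NetworkPolicyConfig mirrors the PR's opt-in API: a disabled flag plus overrides keyed by policy name.
type NetworkPolicyConfig struct {
	Disabled bool
	Policies map[string]Policy
}

// Generate overlays user overrides on the defaults (an override wins by name) and sorts by name,
// so identical input always yields the same manifest order and a stable InstallerSet checksum.
func Generate(cfg NetworkPolicyConfig, defaults []Policy) []Policy {
	if cfg.Disabled {
		return nil // nothing to install; the caller deletes the CustomSet instead
	}
	merged := make(map[string]Policy, len(defaults))
	for _, p := range defaults {
		merged[p.Name] = p
	}
	for name, p := range cfg.Policies {
		p.Name = name // the map key is authoritative for the policy name
		merged[name] = p
	}
	out := make([]Policy, 0, len(merged))
	for _, p := range merged { // Go map iteration order is randomised ...
		out = append(out, p)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name }) // ... so sort for determinism
	return out
}

// TriggersDefaults is a constructed subset of the five defaults listed in the PR.
func TriggersDefaults() []Policy {
	sel := map[string]string{"app.kubernetes.io/part-of": "tekton-triggers"}
	return []Policy{
		{Name: "triggers-webhook", PodSelector: sel, PolicyTypes: []string{"Ingress"}, Ports: []int32{8443, 9000}},
		{Name: "tekton-default-deny", PodSelector: sel, PolicyTypes: []string{"Ingress", "Egress"}},
		{Name: "triggers-controller", PodSelector: sel, PolicyTypes: []string{"Ingress"}, Ports: []int32{9000}},
	}
}
```

An override that narrows `triggers-webhook` to port 8443 only replaces that one default; the others and any newly named policy are kept, and `Disabled: true` yields an empty set.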

@tekton-robot tekton-robot added release-note-none Denotes a PR that doesnt merit a release note. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Jun 23, 2026
@tekton-robot

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from khrm after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Jun 23, 2026
khrm added 2 commits June 25, 2026 12:33
Introduce NetworkPolicyConfig struct embedded in component specs, allowing
operators to disable NetworkPolicies or override individual policies by name.

Add pkg/reconciler/common/networkpolicy with:
- platform.go: PlatformParams for Kubernetes and OpenShift DNS/Prometheus defaults
- networkpolicy.go: Generate() with map-merge and deterministic sorted output
- networkpolicy_test.go: 13 unit tests covering merge, disable, and rule helpers

Wire NetworkPolicyConfig into TektonTriggerSpec and TektonConfigSpec (reconciler
integration for TektonConfig is deferred). Regenerate zz_generated.deepcopy.go.

Signed-off-by: Khurram Baig <khurram.baig@gmail.com>
Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Add triggersDefaultPolicies() defining four NetworkPolicies for the
Triggers workloads (controller, webhook, core-interceptors ingress,
core-interceptors egress). Platform-specific DNS and Prometheus values
are resolved at controller startup via v1alpha1.IsOpenShiftPlatform().

reconcileNetworkPolicies() applies policies as a named CustomSet
("triggers-network-policies") or cleans it up when disabled.

Signed-off-by: Khurram Baig <khurram.baig@gmail.com>
Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com>
@khrm khrm force-pushed the feat/networkpolicy-support branch from a483385 to 2c504d3 Compare June 25, 2026 07:04