
NETOBSERV-1377 Add controller to deploy netobserv network policy #690

Open: wants to merge 1 commit into base: main

Conversation

OlivierCazade
Contributor

Description

Add controller to deploy netobserv network policy

Dependencies

n/a

Checklist

If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that.

  • Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix (in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes).
  • Does this PR require product documentation?
    • If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs.
  • Does this PR require a product release notes entry?
    • If so, fill in "Release Note Text" in the JIRA.
  • Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc.
    • If so, make sure it is described in the JIRA ticket.
  • QE requirements (check 1 from the list):
    • Standard QE validation, with pre-merge tests unless stated otherwise.
    • Regression tests only (e.g. refactoring with no user-facing change).
    • No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team).


openshift-ci bot commented Jun 25, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from oliviercazade. For more information see the Kubernetes Code Review Process.


Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

OlivierCazade force-pushed the network-policy branch 2 times, most recently from bbc161d to ea0cfec (June 25, 2024 15:16)

codecov bot commented Jun 25, 2024

Codecov Report

Attention: Patch coverage is 81.37255% with 19 lines in your changes missing coverage. Please review.

Project coverage is 66.30%. Comparing base (bc0bcef) to head (73bf6b9).
Report is 20 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #690      +/-   ##
==========================================
- Coverage   66.60%   66.30%   -0.31%     
==========================================
  Files          70       73       +3     
  Lines        8115     8312     +197     
==========================================
+ Hits         5405     5511     +106     
- Misses       2315     2401      +86     
- Partials      395      400       +5     
| Flag | Coverage Δ |
|---|---|
| unittests | 66.30% <81.37%> (-0.31%) ⬇️ |

Flags with carried forward coverage won't be shown.

| Files | Coverage Δ |
|---|---|
| ...s/flowcollector/v1beta1/zz_generated.conversion.go | 39.27% <ø> (ø) |
| apis/flowcollector/v1beta2/flowcollector_types.go | 100.00% <ø> (ø) |
| controllers/networkpolicy/np_objects.go | 100.00% <100.00%> (ø) |
| pkg/manager/manager.go | 66.66% <ø> (ø) |
| pkg/manager/status/status_manager.go | 87.71% <ø> (ø) |
| controllers/networkpolicy/np_controller.go | 88.09% <88.09%> (ø) |
| ...pis/flowcollector/v1beta2/zz_generated.deepcopy.go | 44.28% <64.70%> (+0.51%) ⬆️ |
| controllers/reconcilers/reconcilers.go | 59.39% <46.66%> (-1.62%) ⬇️ |

... and 12 files with indirect coverage changes

NetworkPolicy NetworkPolycy `json:"networkPolicy,omitempty"`
}

type NetworkPolycy struct {
Member

typo :-)

}

type NetworkPolycy struct {
// Set `deploy` to `false` to disable network policy deployment. It is enabled by default.
Member

We could add more information about what this policy does, such as:

This network policy better isolates the NetObserv components to prevent undesired connections to them. It is recommended to install it.

(or something in that vein)

Also, shouldn't we name that Enable, like we do generally for anything that can be turned on/off?

// +optional
Deploy *bool `json:"deploy,omitempty"`

// `additionalNamespaces` contains the interface names from where flows are collected. If empty, the agent
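Review bot: `Deploy *bool` with `omitempty` means an omitted field reaches the controller as nil, while the doc comment above says the policy is enabled by default; make sure the reconciler treats nil as true (a `// +kubebuilder:default:=true` marker next to `// +optional` would also make the default visible in the CRD), otherwise a FlowCollector that never mentions `networkPolicy` would silently skip the policy.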
Member

hmm I guess it's not the right text here :-)

Member

We should mention here in particular what users need to care about:

  • If they use Kafka and installed it in a separate namespace, they must add it here
  • Same for any exporter

We can expect users' misconfigurations here... Probably something that we'll have to worry about in docs & troubleshooting
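The misconfiguration described in the comment above (Kafka or an exporter deployed in a namespace that is not listed in `additionalNamespaces`) can be caught before the policy is applied. The pre-flight check below is an added example written for this page, not code from the netobserv-operator or from this PR. It uses a simplified mirror of the FlowCollector fields (the struct names and the `DeploymentModel`, `KafkaAddress` and `ExporterAddrs` fields are assumptions for illustration) and derives each dependency's namespace from its in-cluster service DNS name of the form `<svc>.<ns>.svc[.cluster.local]`, following the reviewer's reading that those namespaces must appear in `additionalNamespaces`.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// NetworkPolicySpec is a simplified mirror of the networkPolicy section
// discussed in this PR (assumption: the real type is richer).
type NetworkPolicySpec struct {
	Deploy               *bool
	AdditionalNamespaces []string
}

// FlowCollectorSpec keeps only what the check needs. Field names other than
// Namespace and NetworkPolicy are illustrative assumptions, not the real API.
type FlowCollectorSpec struct {
	Namespace       string
	DeploymentModel string   // "Direct" or "Kafka"
	KafkaAddress    string   // e.g. "kafka-bootstrap.netobserv-kafka.svc:9093"
	ExporterAddrs   []string // target addresses of configured exporters
	NetworkPolicy   NetworkPolicySpec
}

// serviceNamespace extracts the namespace from an in-cluster service DNS name
// <svc>.<ns>.svc[.cluster.local][:port]. It returns false for anything else
// (bare service name, external hostname, IP address), because the namespace
// cannot be inferred from those.
func serviceNamespace(addr string) (string, bool) {
	host := addr
	if h, _, err := net.SplitHostPort(addr); err == nil {
		host = h
	}
	if net.ParseIP(host) != nil {
		return "", false
	}
	labels := strings.Split(strings.TrimSuffix(host, "."), ".")
	if len(labels) >= 3 && labels[2] == "svc" {
		return labels[1], true
	}
	return "", false
}

// MissingNamespaces returns the namespaces of in-cluster dependencies that the
// network policy would need in additionalNamespaces but does not have, plus
// the addresses whose namespace could not be determined and need a manual look.
func MissingNamespaces(spec FlowCollectorSpec) (missing []string, unknown []string) {
	if spec.NetworkPolicy.Deploy != nil && !*spec.NetworkPolicy.Deploy {
		return nil, nil // policy not deployed: nothing is isolated
	}
	allowed := map[string]bool{spec.Namespace: true}
	for _, ns := range spec.NetworkPolicy.AdditionalNamespaces {
		allowed[ns] = true
	}
	var addrs []string
	if spec.DeploymentModel == "Kafka" && spec.KafkaAddress != "" {
		addrs = append(addrs, spec.KafkaAddress)
	}
	addrs = append(addrs, spec.ExporterAddrs...)
	seen := map[string]bool{}
	for _, a := range addrs {
		ns, ok := serviceNamespace(a)
		if !ok {
			unknown = append(unknown, a)
			continue
		}
		if !allowed[ns] && !seen[ns] {
			seen[ns] = true
			missing = append(missing, ns)
		}
	}
	return missing, unknown
}

func main() {
	enabled := true
	// Constructed sample: Kafka in its own namespace (whitelisted), an IPFIX
	// exporter in a namespace that was forgotten, and one external exporter.
	spec := FlowCollectorSpec{
		Namespace:       "netobserv",
		DeploymentModel: "Kafka",
		KafkaAddress:    "kafka-cluster-kafka-bootstrap.netobserv-kafka.svc:9093",
		ExporterAddrs: []string{
			"ipfix-collector.monitoring.svc.cluster.local:4739",
			"203.0.113.10:9092",
		},
		NetworkPolicy: NetworkPolicySpec{
			Deploy:               &enabled,
			AdditionalNamespaces: []string{"netobserv-kafka"},
		},
	}
	missing, unknown := MissingNamespaces(spec)
	fmt.Println("namespaces to add to additionalNamespaces:", missing)
	fmt.Println("addresses to verify by hand:", unknown)
}
```

Addresses given as IPs or external hostnames cannot be mapped to a namespace, so they are reported separately rather than silently accepted; that is the case a troubleshooting guide would have to cover, since a blocked external exporter looks identical to a misconfigured in-cluster one from the flowlogs-pipeline side.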

return ctrl.NewControllerManagedBy(mgr).
For(&flowslatest.FlowCollector{}, reconcilers.IgnoreStatusChange).
Named("networkPolicy").
Owns(&corev1.Namespace{}).
Member

I don't think Namespace is required here?

client.Client
mgr *manager.Manager
status status.Instance
currentNamespace string
Member

looking at the code it doesn't seem that currentNamespace is useful here

Comment on lines 73 to 86
Advanced: &flowslatest.AdvancedProcessorConfig{
Env: map[string]string{
"GOGC": "200",
},
ConversationHeartbeatInterval: &metav1.Duration{
Duration: conntrackHeartbeatInterval,
},
ConversationEndTimeout: &metav1.Duration{
Duration: conntrackEndTimeout,
},
ConversationTerminatingTimeout: &metav1.Duration{
Duration: conntrackTerminatingTimeout,
},
},
Member

I don't think conn-track settings have any use here, right? I guess you can remove them

jpinsonneau (Contributor) left a comment

Code looks good! Thanks @OlivierCazade
