feat(deploy/chart): optional networkPolicy for more containers

[jcpunk]

Fixes: #8369
Fixes: #8285

Pull Request Motivation

This PR merges the webhook policies into a single template and adds optional policies for the controller and the cainjector.

Kind

/kind feature

Release Note

Add a set of flags to permit setting NetworkPolicy across all deployed containers.
Remove redundant global IP ranges from example policies.

CyberArk tracker: VC-48226

[cert-manager-prow]

Hi @jcpunk. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[hjoshi123]

Overall I am not opposed to the idea.. but do have some feedbacks.. Also would defer to others to see if there are any other ports that need to be added to the default list

Maybe we also want to consider this #8285 and keep the egress.to list empty to allow everything?

[jcpunk]

Tested on Cilium 1.18, with no IP block specified the egress filtering appears to work on my bare metal cluster allowing connectivity to the API server and DNS.

[hjoshi123]

/ok-to-test

[jcpunk]

I think I've sorted the tests...

[jcpunk]

I don't think these latest failures are me?

[erikgb]

/test pull-cert-manager-master-e2e-v1-34

[hjoshi123]

/test pull-cert-manager-master-e2e-v1-35

[jcpunk]

PR Rebased.

[hjoshi123]

@jcpunk could you add a release label to this since this is a user facing change?

[jcpunk]

Sure... umm, how do I do that?

[erikgb]

@jcpunk, you just have to edit the release note block I just added to the PR description. It is part of our PR template, but somehow it is gone.

[jcpunk]

Done, does that look OK?

[wallrj-cyberark]

Consider adding a links to https://cert-manager.io/docs/installation/best-practice/#network-requirements-and-network-policy in the the values.yaml comments,
so that Helm users can discover more about cert-manager + Network Policy.

And after we merge this, we should also update the best-practices documentation to explain how to use the builtin network policy features of the Helm chart.

• https://cert-manager.io/docs/installation/best-practice/#network-requirements-and-network-policy
• https://github.com/cert-manager/website/blob/master/content/docs/installation/best-practice.md
  And we should update the best-practices helm chart values so that these new values are tested by our periodic E2E tests:
• https://github.com/cert-manager/website/blob/master/public/docs/installation/best-practice/values.best-practice.yaml

Please ping the people who have commented on #2334 and ask them if this change will help them?

• #2334

[wallrj-cyberark]

@jcpunk In the PR description you describe these as redundant, but are you sure?

In #7726 you added this IPv6 configuration. Have you learned more about the defaults for these fields since then?

Please link to some documentation showing the network policy defaults, so that we can be confident that cilium, calico and other similar products will all treat an empty to as allow.

[jcpunk]

I've learned a bit about the defaults since then. Initially I added this as my IPv6 cluster had problems. However, since then I've discovered that if no ipBlock is specified, then no filtering on the IP range is performed. In effect, setting the ipBlock to those ranges was equivalent to leaving it unset, but with extra burden placed on the CNI to filter against an unlimited range. I migrated from calico to cilium, in my environment the removal of the ipBlock caused no issues. It in fact fixed an issue where cilium (tested with 1.18.3) wouldn't deliver the packets if the larger ipBlock was specified.

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#networkpolicyegressrule-v1-networking-k8s-io

My reading of "If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination)." is that we can safely drop the "any IPv4 and any IPv6" restriction as we are aiming for unrestricted.

[wallrj-cyberark]

Did you consider adding rules for the metrics port and pprof ports, if those features have been configured elsewhere in the Helm values?
It would be more convenient for users, but would add complexity to the chart.

The existing webhook ingress policy doesn't do that, so I suppose doing it this way provides consistency with what we already have.

And another advantage of doing it this way is that it keeps the Helm chart logic simple.

[jcpunk]

The default ingress I've got in the chart allows all traffic on all ports. I'd love to restrict this further, but I wasn't super confident in my knowledge of how to ensure if folks customize ports that the defaults would still work. If all the ports are named it should be workable...

[jcpunk]

I've updated the defaults to restrict the traffic to the named ports on each Deployment. I love the idea of setting stronger defaults, but was worried it might sidetrack the review. :)

[wallrj-cyberark]

Write more about what the defaults are and explain why users may wish to enable these and why they are disabled by default.
When @mjudeikis introduced NetworkPolicy to the Helm chart, in #5417 it at least said:

See NetworkPolicy documentation

But those words got lost somewhere in the Git history....I can't find where.

But in any case, I think we need to help users understand why they should enable NetworkPolicy and how to configure it.

[jcpunk]

In theory I've added the doc that was missing and provided some more information on what defaults were selected and why. In practice, is it enough? I didn't want to toss too much in and make a wall of text folks ignore...

[wallrj-cyberark]

@jcpunk Sorry it's taken me ages to test this, but I finally managed to get the E2E tests passing when using these new NetworkPolicy defaults, plus some additional egress rules for the various in-cluster services, such as pebble, bind, and vault.

I've documented those additional rules as examples for the documentation here:

• cert-manager/website#1911

And when this and that PR have merged, we can ask someone to review #8387 which configures the cert-manager nightly "best-practice" E2E tests to run with NetworkPolicy enabled.

• #8387

[wallrj]

/approve
/lgtm

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: avani8507, wallrj, wallrj-cyberark

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [wallrj]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[wallrj-cyberark]

The cainjector does not connect to port 80. That's only necessary for the controller to perform HTTP01 self-checks.
I'll remove this (and from the webhook rules) in a followup PR.

[wallrj-cyberark]

@jcpunk: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-cert-manager-master-e2e-v1-35 a0c521d link unknown /test pull-cert-manager-master-e2e-v1-35
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

I see this the logs:

Jan 16 15:01:38.170: INFO: Expected Issuer acme-issuer-http01-5wggd condition Ready=True but it has: [{Ready False 2026-01-16 14:59:38 +0000 UTC ErrRegisterACMEAccount Failed to register ACME account: Post "https://pebble.pebble.svc.cluster.local/sign-me-up": net/http: request canceled (Client.Timeout exceeded while awaiting headers) 1}] (took 5m0s)

But I'm not sure why. Those tests are running with NetworkPolicy disabled (the default).
Perhaps a test flake (pebble crashing or hanging) but it's not clear why, in that case.
I see the same errors here in the recent cert-manager 1.18 periodic tests, which is confusing, but gives reassurance that the errors are not related to the changes in this PR:

• https://testgrid.k8s.io/cert-manager-periodics-release-1.18#ci-cert-manager-release-1.18-e2e-v1-33
• https://prow.infra.cert-manager.io/view/gs/cert-manager-prow-artifacts/logs/ci-cert-manager-release-1.18-e2e-v1-33/2012138962587488256

/retest

[wallrj-cyberark]

📢 The fix or feature is now available for testing

• https://github.com/cert-manager/cert-manager/releases/tag/v1.20.0-alpha.1

Please test and report back.