
Configuring network policy for the operand

The External Secrets Operator for Red Hat OpenShift ships with pre-defined NetworkPolicies for security. Because those defaults only cover traffic such as metrics, the API server and DNS, you must configure additional, custom policies through the ExternalSecretsConfig custom resource to give the external-secrets controller the egress allow rules it needs to reach external providers.

Adding a custom network policy to allow egress to all external providers

You must configure custom policies through the ExternalSecretsConfig custom resource to allow all egress to all external providers.

Prerequisites
  • An ExternalSecretsConfig must be predefined.

  • You must be able to define specific egress rules, including destination ports and protocols.

Procedure
  1. Edit the ExternalSecretsConfig CR by running the following command:

    $ oc edit externalsecretsconfigs.operator.openshift.io cluster
  2. Set the policy by editing the networkPolicies section:

    apiVersion: operator.openshift.io/v1alpha1
    kind: ExternalSecretsConfig
    metadata:
      name: cluster
    spec:
      controllerConfig:
        networkPolicies:
          - name: allow-external-secrets-egress
            componentName: CoreController
            egress:
              - {} # An empty egress rule matches every destination, which allows all egress traffic

Adding a custom network policy to allow egress to a specific provider

You must configure custom policies through the ExternalSecretsConfig custom resource to allow egress to a specific provider only.

Prerequisites
  • An ExternalSecretsConfig must be predefined.

  • You must be able to define specific egress rules, including destination ports and protocols.

Procedure
  1. Edit the ExternalSecretsConfig CR by running the following command:

    $ oc edit externalsecretsconfigs.operator.openshift.io cluster
  2. Set the policy by editing the networkPolicies section. The following example shows how to allow egress to Amazon Web Services (AWS) endpoints.

    apiVersion: operator.openshift.io/v1alpha1
    kind: ExternalSecretsConfig
    metadata:
      name: cluster
    spec:
      controllerConfig:
        networkPolicies:
          - name: allow-external-secrets-egress
            componentName: ExternalSecretsCoreController
            egress:
              # Allow egress on HTTPS, for example to AWS Secrets Manager endpoints
              - ports:
                  - port: 443   # HTTPS (AWS Secrets Manager)
                    protocol: TCP

    where:

    name

    Specifies the name of the custom network policy.

    componentName

    Specifies the component the policy applies to; for the core controller this is ExternalSecretsCoreController. Egress rules must list the required ports and protocols, such as Transmission Control Protocol (TCP) port 443 for HTTPS to services such as AWS Secrets Manager.

Default ingress and egress rules

The following table summarizes the default ingress and egress rules.

Component                         | Ingress ports | Egress ports | Description
----------------------------------|---------------|--------------|--------------------------------------------------------------------------------------
external-secrets                  | 8080          | 6443         | Allows retrieving metrics and interacting with the API server
external-secrets-webhook          | 8080/10250    | 6443         | Allows retrieving metrics, handling webhook requests, and interacting with the API server
external-secrets-cert-controller  | 8080          | 6443         | Allows retrieving metrics and interacting with the API server
external-secrets-bitwarden-server | 9998          | 6443         | Handles Bitwarden server connections and interacts with the API server
external-secrets-allow-dns        | -             | 5353         | Enables DNS lookups to find external secret providers