update networkpolicy for checkendpoints

[rbaumgar]

add port for checkendpoints

Summary by CodeRabbit

• Chores
  • Updated network configuration to allow OpenShift API Server traffic on an additional TCP port, enabling expanded communication routes for the platform infrastructure.

[coderabbitai]

Warning

Review limit reached

@rbaumgar, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 37 minutes and 59 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f52e3f19-eac5-48c2-9ea0-08f3d58b6c59

📥 Commits

Reviewing files that changed from the base of the PR and between 47a8c16 and 2f82a72.

📒 Files selected for processing (1)

• bindata/v3.11.0/openshift-apiserver/networkpolicy-allow.yaml

Walkthrough

The NetworkPolicy manifest for openshift-apiserver is updated to allow ingress traffic on TCP port 17698 in addition to the existing TCP port 8443. No other policy fields, egress rules, or manifests are modified.

Changes

NetworkPolicy Ingress Port Expansion

Layer / File(s)	Summary
Add TCP 17698 to ingress allowlist bindata/v3.11.0/openshift-apiserver/networkpolicy-allow.yaml	Adds a new ingress port entry for TCP 17698 alongside the existing TCP 8443 allowance in the NetworkPolicy spec.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'update networkpolicy for checkendpoints' accurately describes the main change in the PR, which adds TCP port 17698 to the NetworkPolicy for openshift-apiserver.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only modifies a NetworkPolicy YAML configuration file and contains no Ginkgo test files or test name declarations, making the check not applicable.
Test Structure And Quality	✅ Passed	PR does not contain Ginkgo test code. All test files use standard Go testing package, not Ginkgo, so the check is not applicable.
Microshift Test Compatibility	✅ Passed	This PR modifies only a NetworkPolicy YAML configuration file and does not add any Ginkgo e2e tests. The custom check for MicroShift test compatibility does not apply when no tests are added.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The PR only modifies a YAML NetworkPolicy configuration file, making the SNO test compatibility check not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	Change adds port 17698 to NetworkPolicy, a networking rule only. Does not introduce scheduling constraints affecting topology compatibility (SNO, TNF, HyperShift, etc.).
Ote Binary Stdout Contract	✅ Passed	PR only modifies a YAML NetworkPolicy config file. The OTE Binary Stdout Contract check applies to Go source code in process-level contexts. No Go code was changed.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR only modifies a Kubernetes NetworkPolicy YAML configuration file (networkpolicy-allow.yaml), adding port 17698 for checkendpoints. It contains no Ginkgo e2e tests (It, Describe, Context, Wh...
No-Weak-Crypto	✅ Passed	Pull request modifies only a Kubernetes NetworkPolicy YAML config file adding a port specification. Contains no cryptographic code, weak algorithms, or secret comparisons.
Container-Privileges	✅ Passed	The PR modifies a NetworkPolicy resource, which defines network access rules and does not contain container specifications or security contexts. The check for container privileges is not applicable...
No-Sensitive-Data-In-Logs	✅ Passed	The NetworkPolicy YAML file contains no logging output, passwords, tokens, API keys, PII, session IDs, hostnames, or sensitive data.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @rbaumgar. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tjungblu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

bindata/v3.11.0/openshift-apiserver/networkpolicy-allow.yaml (2)

11-12: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update header comment to document the new port.

The header comment only documents port 8443. With port 17698 now allowed, update the comment to reflect both ports and explain that 17698 is for checkendpoints.

 # Ingress:
-# - Allow ingress on port 8443 for API requests and metrics scraping.
+# - Allow ingress on port 8443 for API requests and metrics scraping,
+#   and on port 17698 for checkendpoints.
 #   The apiserver performs its own authentication/authorization.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bindata/v3.11.0/openshift-apiserver/networkpolicy-allow.yaml` around lines 11
- 12, The header comment in the networkpolicy-allow.yaml file currently only
documents port 8443 for ingress. Since port 17698 has been added to allow
ingress for checkendpoints, update the comment block that begins with "#
Ingress:" to document both ports. Specifically, mention that port 8443 is for
API requests and metrics scraping, and add documentation that port 17698 is for
checkendpoints.

---

23-29: ⚠️ Potential issue | 🟡 Minor

Consider combining ports under a single ingress rule for consistency.

Both ports can be listed under a single ingress rule rather than creating separate rules. This is more idiomatic in Kubernetes NetworkPolicy manifests:

Suggested change

  ingress:
  - ports:
    - protocol: TCP
      port: 8443
-  - ports:
     - protocol: TCP
       port: 17698

Add e2e test coverage for port 17698.

The port 17698 is added to the NetworkPolicy but is not validated in the e2e test suite. The testAPIServerNetworkPolicyEnforcement() function in test/e2e/network_policy_enforcement.go currently only verifies port 8443. Add a test case to confirm connectivity is allowed on port 17698 for the apiserver pods.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bindata/v3.11.0/openshift-apiserver/networkpolicy-allow.yaml` around lines 23
- 29, The NetworkPolicy manifest currently has two separate ingress rules for
ports 8443 and 17698, but these should be combined into a single ingress rule
with both ports listed under the same ports array for consistency and idiomatic
Kubernetes practices. Additionally, the newly added port 17698 is not validated
in the e2e test suite. Update the testAPIServerNetworkPolicyEnforcement()
function in test/e2e/network_policy_enforcement.go to add a test case that
verifies connectivity is allowed on port 17698 for apiserver pods, similar to
how port 8443 is currently being tested.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@bindata/v3.11.0/openshift-apiserver/networkpolicy-allow.yaml`:
- Around line 11-12: The header comment in the networkpolicy-allow.yaml file
currently only documents port 8443 for ingress. Since port 17698 has been added
to allow ingress for checkendpoints, update the comment block that begins with
"# Ingress:" to document both ports. Specifically, mention that port 8443 is for
API requests and metrics scraping, and add documentation that port 17698 is for
checkendpoints.
- Around line 23-29: The NetworkPolicy manifest currently has two separate
ingress rules for ports 8443 and 17698, but these should be combined into a
single ingress rule with both ports listed under the same ports array for
consistency and idiomatic Kubernetes practices. Additionally, the newly added
port 17698 is not validated in the e2e test suite. Update the
testAPIServerNetworkPolicyEnforcement() function in
test/e2e/network_policy_enforcement.go to add a test case that verifies
connectivity is allowed on port 17698 for apiserver pods, similar to how port
8443 is currently being tested.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d9b2e09a-c96f-4e9f-86ae-f5fc02b8e635

📥 Commits

Reviewing files that changed from the base of the PR and between 3814944 and 47a8c16.

📒 Files selected for processing (1)

• bindata/v3.11.0/openshift-apiserver/networkpolicy-allow.yaml