kubevirt · Acedus · Jul 29, 2025
diff --git a/cluster-sync/sync.sh b/cluster-sync/sync.sh
@@ -21,8 +21,8 @@ source ./cluster-up/hack/common.sh
 source ./cluster-up/cluster/${KUBEVIRT_PROVIDER}/provider.sh
 
 for i in $(seq 1 ${KUBEVIRT_NUM_NODES}); do
-    ./cluster-up/ssh.sh "node$(printf "%02d" ${i})" "sudo mkdir -p /var/hpvolumes"
-    ./cluster-up/ssh.sh "node$(printf "%02d" ${i})" "sudo chcon -t container_file_t -R /var/hpvolumes"
+  ./cluster-up/ssh.sh "node$(printf "%02d" ${i})" "sudo mkdir -p /var/hpvolumes"
+  ./cluster-up/ssh.sh "node$(printf "%02d" ${i})" "sudo chcon -t container_file_t -R /var/hpvolumes"
 done
 
 registry=${IMAGE_REGISTRY:-localhost:$(_port registry)}
@@ -52,24 +52,24 @@ EOF
 
   retry_counter=0
   while [[ $retry_counter -lt 10 ]] && [ "$observed_version" != "$UPGRADE_FROM" ]; do
-    observed_version=`_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.observedVersion}{"\n"}'`
-    target_version=`_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.targetVersion}{"\n"}'`
-    operator_version=`_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.operatorVersion}{"\n"}'`
+    observed_version=$(_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.observedVersion}{"\n"}')
+    target_version=$(_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.targetVersion}{"\n"}')
+    operator_version=$(_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.operatorVersion}{"\n"}')
     echo "observedVersion: $observed_version, operatorVersion: $operator_version, targetVersion: $target_version"
     retry_counter=$((retry_counter + 1))
-  sleep 5
+    sleep 5
   done
   if [ $retry_counter -eq 10 ]; then
-	echo "Unable to deploy to version $UPGRADE_FROM"
-	hpp_obj=$(_kubectl get Hostpathprovisioner -o yaml)
-	echo $hpp_obj
-	exit 1
+    echo "Unable to deploy to version $UPGRADE_FROM"
+    hpp_obj=$(_kubectl get Hostpathprovisioner -o yaml)
+    echo $hpp_obj
+    exit 1
   fi
 
 fi
 
 if [ ${HPP_NAMESPACE} == "hostpath-provisioner" ]; then
-_kubectl apply -f https://raw.githubusercontent.com/kubevirt/hostpath-provisioner-operator/main/deploy/namespace.yaml
+  _kubectl apply -f https://raw.githubusercontent.com/kubevirt/hostpath-provisioner-operator/main/deploy/namespace.yaml
 fi
 _kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.yaml
 _kubectl wait --for=condition=available -n cert-manager --timeout=120s --all deployments
@@ -107,21 +107,22 @@ volumeBindingMode: Immediate
 EOF
 echo "Waiting for hostpath provisioner to be available"
 _kubectl wait hostpathprovisioners.hostpathprovisioner.kubevirt.io/hostpath-provisioner --for=condition=Available --timeout=480s
+_kubectl apply -f "deploy/tests/network-policies.yaml" -n ${HPP_NAMESPACE}
 
 retry_counter=0
 while [[ $retry_counter -lt 10 ]] && [ "$observed_version" == "$UPGRADE_FROM" ]; do
-  observed_version=`_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.observedVersion}{"\n"}'`
-  target_version=`_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.targetVersion}{"\n"}'`
-  operator_version=`_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.operatorVersion}{"\n"}'`
+  observed_version=$(_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.observedVersion}{"\n"}')
+  target_version=$(_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.targetVersion}{"\n"}')
+  operator_version=$(_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.operatorVersion}{"\n"}')
   echo "observedVersion: $observed_version, operatorVersion: $operator_version, targetVersion: $target_version"
   retry_counter=$((retry_counter + 1))
-sleep 5
+  sleep 5
 done
 if [ $retry_counter -eq 20 ]; then
-echo "Unable to deploy to latest version"
-hpp_obj=$(_kubectl get hostpathprovisioner -o yaml)
-echo $hpp_obj
-exit 1
+  echo "Unable to deploy to latest version"
+  hpp_obj=$(_kubectl get hostpathprovisioner -o yaml)
+  echo $hpp_obj
+  exit 1
 fi
 
 function configure_prometheus {

diff --git a/deploy/tests/network-policies.yaml b/deploy/tests/network-policies.yaml
@@ -0,0 +1,115 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: deny-all-hpp
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress: []
+  egress: []
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: hpp-allow-operator-egress-to-dns
+spec:
+  podSelector:
+    matchLabels:
+      name: hostpath-provisioner-operator
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: "kube-dns"
+      ports:
+        - protocol: TCP
+        - protocol: UDP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: hpp-allow-operands-egress-to-dns
+spec:
+  podSelector:
+    matchLabels:
+      k8s-app: hostpath-provisioner
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: "kube-dns"
+      ports:
+        - protocol: TCP
+        - protocol: UDP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: hpp-allow-operator-egress-to-api-server
+spec:
+  podSelector:
+    matchLabels:
+      name: hostpath-provisioner-operator
+  policyTypes:
+    - Egress
+  egress:
+    - ports:
+        - protocol: TCP
+          port: 6443
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: hpp-allow-operands-egress-to-api-server
+spec:
+  podSelector:
+    matchLabels:
+      k8s-app: hostpath-provisioner
+  policyTypes:
+    - Egress
+  egress:
+    - ports:
+        - protocol: TCP
+          port: 6443
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: hpp-allow-ingress-to-operator-webhook-server
+spec:
+  podSelector:
+    matchLabels:
+      name: hostpath-provisioner-operator
+  policyTypes:
+    - Ingress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 9443
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: hpp-allow-ingress-to-metrics
+spec:
+  podSelector:
+    matchLabels:
+      prometheus.hostpathprovisioner.kubevirt.io: "true"
+  policyTypes:
+    - Ingress
+  ingress:
+    - ports:
+        - port: 8080
+          protocol: TCP