CNTRLPLANE-2916: restore conditional deletion of openshift-ingress NetworkPolicy

[csrwng]

Summary

• Reverts the revert PR OCPBUGS-87018: Revert conditional deletion of openshift-ingress NetworkPolicy #8662 to restore the original PR CNTRLPLANE-2916: conditionally create openshift-ingress network policy based on route labeling #7872 behavior
• Conditionally creates or deletes the openshift-ingress NetworkPolicy based on whether routes are labeled for the HCP router (LabelHCPRoutes)
• The OVN-Kubernetes port group race that prompted the revert is being properly addressed via ROSAENG-8224: feat(operator): add --hcp-egress-block-cidrs flag to stabilize NetworkPolicy egress exceptions #8689 (--hcp-egress-block-cidrs flag), making the blanket always-create workaround unnecessary

Test plan

• Unit tests restored with full coverage of create/delete scenarios across AWS, GCP, IBM Cloud, Agent, and KubeVirt platforms
• Verify in conjunction with ROSAENG-8224: feat(operator): add --hcp-egress-block-cidrs flag to stabilize NetworkPolicy egress exceptions #8689 that MC KAS rollouts do not cause HC API blackouts

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Improved handling of the ingress network policy. The “openshift-ingress” policy is now conditionally created or removed based on your route labeling configuration, better aligning network isolation with your ingress controller setup.

• Tests

  • Expanded coverage for ingress network policy behavior across more platform and publishing scenarios, including validation of both creation and deletion outcomes.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@csrwng: This pull request references CNTRLPLANE-2916 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Reverts the revert PR OCPBUGS-87018: Revert conditional deletion of openshift-ingress NetworkPolicy #8662 to restore the original PR CNTRLPLANE-2916: conditionally create openshift-ingress network policy based on route labeling #7872 behavior
• Conditionally creates or deletes the openshift-ingress NetworkPolicy based on whether routes are labeled for the HCP router (LabelHCPRoutes)
• The OVN-Kubernetes port group race that prompted the revert is being properly addressed via ROSAENG-8224: feat(operator): add --hcp-egress-block-cidrs flag to stabilize NetworkPolicy egress exceptions #8689 (--hcp-egress-block-cidrs flag), making the blanket always-create workaround unnecessary

Test plan

• Unit tests restored with full coverage of create/delete scenarios across AWS, GCP, IBM Cloud, Agent, and KubeVirt platforms
• Verify in conjunction with ROSAENG-8224: feat(operator): add --hcp-egress-block-cidrs flag to stabilize NetworkPolicy egress exceptions #8689 that MC KAS rollouts do not cause HC API blackouts

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: csrwng

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [csrwng]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1e24cb79-0371-4116-b276-2fbf216b0e91

📥 Commits

Reviewing files that changed from the base of the PR and between 1b9f915 and a156efb.

📒 Files selected for processing (2)

• hypershift-operator/controllers/hostedcluster/network_policies.go
• hypershift-operator/controllers/hostedcluster/network_policies_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• hypershift-operator/controllers/hostedcluster/network_policies.go
• hypershift-operator/controllers/hostedcluster/network_policies_test.go

---

📝 Walkthrough

Walkthrough

reconcileNetworkPolicies is updated to delegate the openshift-ingress NetworkPolicy handling to a new helper function, reconcileIngressNetworkPolicy. This helper checks netutil.LabelHCPRoutes(hcp): when true, it deletes the existing openshift-ingress NetworkPolicy using k8sutil.DeleteIfNeeded; when false, it reconciles (creates/updates) the policy as before. The k8sutil package is added as an import. Tests in TestReconcileNetworkPolicies_OpenshiftIngressPolicy are extended with expectCreated and expectDeleted fields, new cases for AWS, GCP, IBM Cloud, Agent, and KubeVirt platforms, pre-creation of the policy for deletion scenarios, and conditional post-reconcile assertions.

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: restoring conditional deletion logic for the openshift-ingress NetworkPolicy based on route labeling configuration.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names in the modified test file are stable and deterministic, using static descriptive strings without any dynamic information like generated suffixes, timestamps, UUIDs, or node/namespace...
Test Structure And Quality	✅ Passed	Tests demonstrate strong quality: table-driven subtests provide single responsibility per case, meaningful error messages guide diagnosis, proper fake client isolation for each test, consistent cod...
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies NetworkPolicy reconciliation logic only (network security rules), not pod scheduling constraints (affinity, replicas, nodeSelector, topology spread, PDB). Check targets scheduling const...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds standard Go unit tests, not Ginkgo e2e tests. Check requires Ginkgo tests (It(), Describe(), Context(), When()), so it's not applicable here.
No-Weak-Crypto	✅ Passed	The pull request modifies only network policy reconciliation code. No cryptographic operations, weak algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-con...
Container-Privileges	✅ Passed	PR modifies only Go source files (network_policies.go/test.go), not container/K8s manifests. The container-privileges check applies only to manifest files defining container security specs.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data (passwords, tokens, API keys, PII, session IDs, hostnames, customer data) is exposed in logs. Error messages are generic with no credential leakage.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 55.55556% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 41.79%. Comparing base (7507291) to head (a156efb).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
...ator/controllers/hostedcluster/network_policies.go	55.55%	5 Missing and 3 partials ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8754   +/-   ##
=======================================
  Coverage   41.79%   41.79%           
=======================================
  Files         759      759           
  Lines       94037    94048   +11     
=======================================
+ Hits        39304    39309    +5     
- Misses      51983    51987    +4     
- Partials     2750     2752    +2     

Files with missing lines	Coverage Δ
...ator/controllers/hostedcluster/network_policies.go	76.83% <55.55%> (-0.36%)	⬇️

Flag	Coverage Δ
cmd-support	35.11% <ø> (ø)
cpo-hostedcontrolplane	44.10% <ø> (ø)
cpo-other	43.45% <ø> (ø)
hypershift-operator	51.87% <55.55%> (-0.01%)	⬇️
other	31.56% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

🧹 Nitpick comments (1)

hypershift-operator/controllers/hostedcluster/network_policies_test.go (1)

477-497: ⚡ Quick win

Add an explicit KubeVirt delete-path case in the ingress policy matrix.

KubeVirt currently has only the create-path assertion. Please add a KubeVirt case where APIServer uses Route with hostname and assert deletion, so the matrix directly covers both outcomes for that platform and guards future branch drift.

💡 Suggested test-case addition

 		{
 			name: "When KubeVirt cluster uses KAS LoadBalancer it should create policy",
 			hcluster: &hyperv1.HostedCluster{
 				ObjectMeta: metav1.ObjectMeta{Name: "test", Namespace: "test-ns"},
 				Spec: hyperv1.HostedClusterSpec{
 					Platform: hyperv1.PlatformSpec{Type: hyperv1.KubevirtPlatform, Kubevirt: &hyperv1.KubevirtPlatformSpec{}},
 					Services: []hyperv1.ServicePublishingStrategyMapping{
 						{Service: hyperv1.APIServer, ServicePublishingStrategy: hyperv1.ServicePublishingStrategy{Type: hyperv1.LoadBalancer}},
 					},
 				},
 			},
 			hcp: &hyperv1.HostedControlPlane{
 				Spec: hyperv1.HostedControlPlaneSpec{
 					Platform: hyperv1.PlatformSpec{Type: hyperv1.KubevirtPlatform, Kubevirt: &hyperv1.KubevirtPlatformSpec{}},
 					Services: []hyperv1.ServicePublishingStrategyMapping{
 						{Service: hyperv1.APIServer, ServicePublishingStrategy: hyperv1.ServicePublishingStrategy{Type: hyperv1.LoadBalancer}},
 					},
 				},
 			},
 			expectCreated: true,
 		},
+		{
+			name: "When KubeVirt cluster uses KAS Route with hostname it should delete policy",
+			hcluster: &hyperv1.HostedCluster{
+				ObjectMeta: metav1.ObjectMeta{Name: "test", Namespace: "test-ns"},
+				Spec: hyperv1.HostedClusterSpec{
+					Platform: hyperv1.PlatformSpec{Type: hyperv1.KubevirtPlatform, Kubevirt: &hyperv1.KubevirtPlatformSpec{}},
+					Services: []hyperv1.ServicePublishingStrategyMapping{
+						{Service: hyperv1.APIServer, ServicePublishingStrategy: hyperv1.ServicePublishingStrategy{
+							Type:  hyperv1.Route,
+							Route: &hyperv1.RoutePublishingStrategy{Hostname: "api.example.com"},
+						}},
+					},
+				},
+			},
+			hcp: &hyperv1.HostedControlPlane{
+				Spec: hyperv1.HostedControlPlaneSpec{
+					Platform: hyperv1.PlatformSpec{Type: hyperv1.KubevirtPlatform, Kubevirt: &hyperv1.KubevirtPlatformSpec{}},
+					Services: []hyperv1.ServicePublishingStrategyMapping{
+						{Service: hyperv1.APIServer, ServicePublishingStrategy: hyperv1.ServicePublishingStrategy{
+							Type:  hyperv1.Route,
+							Route: &hyperv1.RoutePublishingStrategy{Hostname: "api.example.com"},
+						}},
+					},
+				},
+			},
+			expectDeleted: true,
+		},

As per coding guidelines, "Unit test any code changes and additions and include e2e tests when changes impact consumer behaviour."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hypershift-operator/controllers/hostedcluster/network_policies_test.go`
around lines 477 - 497, The KubeVirt platform test case in the test matrix only
covers the creation path where APIServer uses LoadBalancer type. Add a new test
case entry following the existing KubeVirt test to cover the deletion path by
creating a case where the KubeVirt cluster uses Route for the APIServer
ServicePublishingStrategy (instead of LoadBalancer) and set expectCreated to
false. This ensures the test matrix covers both creation and deletion outcomes
for the KubeVirt platform and prevents future branch drift.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@hypershift-operator/controllers/hostedcluster/network_policies_test.go`:
- Around line 477-497: The KubeVirt platform test case in the test matrix only
covers the creation path where APIServer uses LoadBalancer type. Add a new test
case entry following the existing KubeVirt test to cover the deletion path by
creating a case where the KubeVirt cluster uses Route for the APIServer
ServicePublishingStrategy (instead of LoadBalancer) and set expectCreated to
false. This ensures the test matrix covers both creation and deletion outcomes
for the KubeVirt platform and prevents future branch drift.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 28896680-8e1c-4b7c-9df7-5e15e637232e

📥 Commits

Reviewing files that changed from the base of the PR and between 30a12e6 and 1b9f915.

📒 Files selected for processing (2)

• hypershift-operator/controllers/hostedcluster/network_policies.go
• hypershift-operator/controllers/hostedcluster/network_policies_test.go

[enxebre]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks-4-22
/test e2e-aws-4-22
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-v2-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

[csrwng]

/test e2e-aks-422

The job failed during CI infrastructure setup — specifically while importing the initial-422 release payload —

[csrwng]

/test e2e-aks-4-22

[hypershift-jira-solve-ci]

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aks | Build: 2067261699257274368 | Cost: $3.398175599999999 | Failed step: hypershift-azure-run-e2e

View full analysis report

---

_{Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6}

[cwbotbot]

Test Results

e2e-aws

• Status: ✅ PASS
• Started: 2026-06-17T15:04:17Z
• View Job
• View Job History

e2e-aks

• Status: ❌ FAIL
• Started: 2026-06-17T19:19:47Z
• View Job
• View Job History

Failed Tests

Total failed tests: 8

• TestNodePool
• TestNodePool/HostedCluster0
• TestNodePool/HostedCluster0/Main
• TestNodePool/HostedCluster0/Main/TestNodePoolReplaceUpgrade
• TestNodePool/HostedCluster2

... and 3 more failed tests

[csrwng]

/test e2e-aks

From failure analysis:

This failure is unrelated to the PR changes. PR #8754 modifies network_policies.go to conditionally create/delete the openshift-ingress NetworkPolicy based on whether HCP routes are labeled for the HCP router. The failing test (TestAdditionalTrustBundlePropagation) exercises NodePool config update propagation through the trust bundle mechanism — a completely different code path. The network policy changes cannot cause the NodePool controller to skip setting UpdatingConfig=True.

[csrwng]

/test e2e-aws-4-22

This test failed the Karpenter test in the same way that e2e-aks-4-22 failed (and eventually passed):

    karpenter_test.go:1318: Created kubelet-config-checker pod on nodepool kubelet-config-test
    karpenter_test.go:1331: 
        Unexpected error:
            <*errors.StatusError | 0xc0073a6e60>: 
            Get "https://10.0.129.17:10250/containerLogs/kube-system/kubelet-config-checker/checker": net/http: TLS handshake timeout
            {
                ErrStatus: {
                    TypeMeta: {Kind: "", APIVersion: ""},
                    ListMeta: {
                        SelfLink: "",
                        ResourceVersion: "",
                        Continue: "",
                        RemainingItemCount: nil,
                    },
                    Status: "Failure",
                    Message: "Get \"https://10.0.129.17:10250/containerLogs/kube-system/kubelet-config-checker/checker\": net/http: TLS handshake timeout",
                    Reason: "",
                    Details: nil,
                    Code: 500,
                },
            }
        occurred
            --- FAIL: TestKarpenter/Main/Parallel_provisioning_tests/OpenshiftEC2NodeClass_Kubelet_propagation (719.11s)

[hypershift-jira-solve-ci]

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aks | Build: 2067326323855986688 | Cost: $3.240120500000001 | Failed step: hypershift-azure-run-e2e

View full analysis report

---

_{Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6}

[openshift-ci]

@csrwng: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aks	a156efb	link	true	/test e2e-aks
ci/prow/e2e-kubevirt-aws-ovn-reduced	a156efb	link	true	/test e2e-kubevirt-aws-ovn-reduced

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[hypershift-jira-solve-ci]

I now have all the evidence I need. Let me compile the final report.

Test Failure Analysis Complete

Job Information

• Prow Job: pull-ci-openshift-hypershift-main-e2e-aks
• Build ID: 2067326323855986688
• Target: e2e-aks
• PR: #8754 — CNTRLPLANE-2916: restore conditional deletion of openshift-ingress NetworkPolicy
• Cluster: build01
• Duration: ~2h20m (19:19 → 21:39 UTC)
• Result: 387 tests, 46 skipped, 8 failures (2 leaf failures + 6 parent propagations)

Test Failure Analysis

Error

TestNodePool/HostedCluster0/Main/TestNodePoolReplaceUpgrade (952s):
  nodepool_upgrade_test.go:225: Failed to wait for NodePool to start the upgrade in 10m0s: context deadline exceeded
  wanted UpdatingVersion=True, got UpdatingVersion=False: AsExpected

TestNodePool/HostedCluster2/Main/TestAdditionalTrustBundlePropagation (930s):
  eventually.go:105: Failed to get *v1beta1.NodePool: client rate limiter Wait returned an error: context deadline exceeded
  nodepool_additionalTrustBundlePropagation_test.go:178: Failed to wait for NodePool to begin updating in 5m0s: context deadline exceeded
  wanted UpdatingConfig=True, got UpdatingConfig=False: AsExpected

Summary

Two NodePool e2e tests failed due to the NodePool controller not transitioning conditions (UpdatingVersion, UpdatingConfig) to True within their respective timeouts after NodePool spec updates were applied. These are pre-existing flaky tests unrelated to PR #8754's changes. The PR only modifies network_policies.go and network_policies_test.go (conditional deletion of the openshift-ingress NetworkPolicy), while the failing tests exercise NodePool version upgrades and config propagation — entirely separate control loops. All 8 other test suites (TestCreateCluster, TestUpgradeControlPlane, TestHAEtcdChaos, TestAutoscaling, etc.) passed, and even similar upgrade tests on the same HostedCluster0 (TestNodePoolInPlaceUpgrade, TestRollingUpgrade) succeeded.

Root Cause

The two leaf test failures are caused by transient NodePool controller reconciliation stalls on the AKS management cluster, not by the PR's code changes:

1. TestNodePoolReplaceUpgrade (HostedCluster0): After updating the NodePool's release image to trigger a replace-style upgrade, the test waited 10 minutes for UpdatingVersion=True but the condition never transitioned. The NodePool stayed at resource version 63906 throughout the entire wait. All other conditions (Ready=True, ReconciliationActive=True, ValidReleaseImage=True, AllMachinesReady=True, AllNodesHealthy=True) were healthy. Notably, TestNodePoolInPlaceUpgrade and TestRollingUpgrade — which exercise nearly identical upgrade paths on the same HostedCluster — both passed successfully.

2. TestAdditionalTrustBundlePropagation (HostedCluster2): The test successfully added a trust bundle and observed the NodePool update cycle complete. However, after removing the trust bundle, the test waited 5 minutes for UpdatingConfig=True but the condition never transitioned. A client rate limiter Wait returned an error: context deadline exceeded error indicates the test's API client was being throttled, suggesting high API load on the management cluster at the time. Additionally, AllNodesHealthy=False showed a machine stuck at NodeProvisioning: Waiting for a node with matching ProviderID to exist, indicating a slow Azure VM provisioning cycle was adding resource contention.

The PR changes (network_policies.go) modify the HostedCluster reconciler's NetworkPolicy creation/deletion logic based on the LabelHCPRoutes flag. This code path is exercised during HostedCluster reconciliation and has zero interaction with the NodePool controller's UpdatingVersion or UpdatingConfig condition management. The HostedCluster-level tests all passed, confirming the NetworkPolicy changes work correctly.

Recommendations

1. Retest the PR — These failures are flaky and unrelated to the code changes. Run /test e2e-aks to get a clean result.
2. No code changes needed in PR CNTRLPLANE-2916: restore conditional deletion of openshift-ingress NetworkPolicy #8754 — The NetworkPolicy changes are orthogonal to NodePool update transitions.
3. Upstream flaky test tracking — TestNodePoolReplaceUpgrade and TestAdditionalTrustBundlePropagation appear susceptible to management cluster resource pressure on AKS. The 10-minute and 5-minute timeouts may be insufficient under heavy concurrent test load (this job runs 12+ HostedClusters simultaneously).

Evidence

Evidence	Detail
PR changed files	network_policies.go, network_policies_test.go — no NodePool controller changes
Failure 1	TestNodePoolReplaceUpgrade: NodePool stuck at RV 63906 for 10m, UpdatingVersion never became True
Failure 2	TestAdditionalTrustBundlePropagation: Client rate limiter timeout, UpdatingConfig never became True, machine stuck at NodeProvisioning
Same-cluster pass	TestNodePoolInPlaceUpgrade (856s PASS), TestRollingUpgrade (1293s PASS) on same HostedCluster0
Other suites pass	TestCreateCluster, TestUpgradeControlPlane, TestHAEtcdChaos, TestAutoscaling, TestAzureScheduler, TestPullSecretUnavailable — all PASS
Overall results	387 tests, 46 skipped, 2 leaf failures (8 total with parent propagation)
HostedCluster health	Both HostedClusters were fully healthy: ClusterVersionAvailable=True, DataPlaneConnectionAvailable=True, ControlPlaneConnectionAvailable=True
Rate limiting signal	client rate limiter Wait returned an error: context deadline exceeded — management cluster API throttling during test
Scheduling pressure	Extensive FailedScheduling events: 0/9 nodes available: 3 didn't match pod anti-affinity, 6 Too many pods

---