feat: Add lifecycled networkpolicies options for raycluster hardening

Signed-off-by: Pat O'Connor <[email protected]>

Author: chipspeak

helm-chart/kuberay-operator/README.md

@@ -165,6 +165,8 @@ spec:
 | featureGates[0].enabled | bool | `true` |  |
 | featureGates[1].name | string | `"RayJobDeletionPolicy"` |  |
 | featureGates[1].enabled | bool | `false` |  |
+| featureGates[2].name | string | `"RayClusterNetworkPolicy"` |  |
+| featureGates[2].enabled | bool | `false` |  |
 | metrics.enabled | bool | `true` | Whether KubeRay operator should emit control plane metrics. |
 | metrics.serviceMonitor.enabled | bool | `false` | Enable a prometheus ServiceMonitor |
 | metrics.serviceMonitor.interval | string | `"30s"` | Prometheus ServiceMonitor interval |

helm-chart/kuberay-operator/templates/_helpers.tpl

@@ -205,7 +205,6 @@ rules:
   - update
 - apiGroups:
   - extensions
-  - networking.k8s.io
   resources:
   - ingresses
   verbs:
@@ -224,6 +223,19 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  - networkpolicies
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - ray.io
   resources:

helm-chart/kuberay-operator/values.yaml

@@ -88,6 +88,8 @@ featureGates:
   enabled: true
 - name: RayJobDeletionPolicy
   enabled: false
+- name: RayClusterNetworkPolicy
+  enabled: false
 
 # Configurations for KubeRay operator metrics.
 metrics:

ray-operator/config/manager/manager.yaml

@@ -80,4 +80,9 @@ spec:
           # environment variable is not set, requeue after the default value (300).
           # - name: RAYCLUSTER_DEFAULT_REQUEUE_SECONDS_ENV
           #   value: "300"
+          # Required for NetworkPolicy feature when operator is NOT deployed in 'ray-system' namespace
+          # - name: POD_NAMESPACE
+          #   valueFrom:
+          #     fieldRef:
+          #       fieldPath: metadata.namespace
       terminationGracePeriodSeconds: 10

ray-operator/config/rbac/role.yaml

@@ -90,7 +90,6 @@ rules:
   - update
 - apiGroups:
   - extensions
-  - networking.k8s.io
   resources:
   - ingresses
   verbs:
@@ -109,6 +108,19 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  - networkpolicies
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - ray.io
   resources: