From 588bc66f9a40a8e617e3f6ad10d1fd1dbdd0bcbe Mon Sep 17 00:00:00 2001
From: Rashmi Gottipati
Date: Wed, 4 Feb 2026 20:36:17 -0500
Subject: [PATCH 1/4] Update NetworkPolicy egress to follow API server best practices
Signed-off-by: Rashmi Gottipati
---
.../chart/templates/0000_50_olm_01-networkpolicies.yaml | 9 ---------
deploy/chart/values.yaml | 5 +----
2 files changed, 1 insertion(+), 13 deletions(-)
diff --git a/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml b/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml
index 6ee410a64a..102bd68fd7 100644
--- a/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml
+++ b/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml
@@ -22,7 +22,6 @@ spec:
- {{ .Values.networkPolicy.metrics | toYaml | nindent 6 | trimSuffix "\n" }}
egress:
- {{ .Values.networkPolicy.kubeAPIServer | toYaml | nindent 6 | trimSuffix "\n" }}
- - {{ .Values.networkPolicy.dns | toYaml | nindent 6 | trimSuffix "\n" }}
policyTypes:
- Ingress
- Egress
@@ -40,10 +39,6 @@ spec:
- {{ .Values.networkPolicy.metrics | toYaml | nindent 6 | trimSuffix "\n" }}
egress:
- {{ .Values.networkPolicy.kubeAPIServer | toYaml | nindent 6 | trimSuffix "\n" }}
- - {{ .Values.networkPolicy.dns | toYaml | nindent 6 | trimSuffix "\n" }}
- - ports:
- - protocol: TCP
- port: {{ .Values.catalogGrpcPodPort }}
policyTypes:
- Ingress
- Egress
@@ -63,10 +58,6 @@ spec:
port: {{ .Values.package.service.internalPort }}
egress:
- {{ .Values.networkPolicy.kubeAPIServer | toYaml | nindent 6 | trimSuffix "\n" }}
- - {{ .Values.networkPolicy.dns | toYaml | nindent 6 | trimSuffix "\n" }}
- - ports:
- - protocol: TCP
- port: {{ .Values.catalogGrpcPodPort }}
policyTypes:
- Ingress
- Egress
diff --git a/deploy/chart/values.yaml b/deploy/chart/values.yaml
index 394159bb4b..5d5098edc0 100644
--- a/deploy/chart/values.yaml
+++ b/deploy/chart/values.yaml
@@ -110,10 +110,7 @@ networkPolicy:
port: 53
- protocol: UDP
port: 53
- kubeAPIServer:
- ports:
- - protocol: TCP
- port: 6443
+ kubeAPIServer: {}
metrics:
ports:
- protocol: TCP
From 7b48ece6d7872889cbdd7175c2a696a6dd5ae1dd Mon Sep 17 00:00:00 2001
From: Rashmi Gottipati
Date: Fri, 13 Feb 2026 11:08:15 -0500
Subject: [PATCH 2/4] update NetworkPolicy helpers to use wildcare egress for kube-apiserver
Signed-off-by: Rashmi Gottipati
---
pkg/controller/registry/reconciler/helpers.go | 18 ++----------------
1 file changed, 2 insertions(+), 16 deletions(-)
diff --git a/pkg/controller/registry/reconciler/helpers.go b/pkg/controller/registry/reconciler/helpers.go
index 8302cd5df6..14fa7fcdb9 100644
--- a/pkg/controller/registry/reconciler/helpers.go
+++ b/pkg/controller/registry/reconciler/helpers.go
@@ -49,14 +49,7 @@ func DesiredGRPCServerNetworkPolicy(catalogSource *v1alpha1.CatalogSource, match
// Allow egress to kube-apiserver from configmap backed catalog sources
if catalogSource.Spec.SourceType == v1alpha1.SourceTypeConfigmap || catalogSource.Spec.SourceType == v1alpha1.SourceTypeInternal {
np.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{
- {
- Ports: []networkingv1.NetworkPolicyPort{
- {
- Protocol: ptr.To(corev1.ProtocolTCP),
- Port: ptr.To(intstr.FromInt32(6443)),
- },
- },
- },
+ {},
}
}
@@ -90,14 +83,7 @@ func DesiredUnpackBundlesNetworkPolicy(catalogSource client.Object) *networkingv
},
PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress},
Egress: []networkingv1.NetworkPolicyEgressRule{
- {
- Ports: []networkingv1.NetworkPolicyPort{
- {
- Protocol: ptr.To(corev1.ProtocolTCP),
- Port: ptr.To(intstr.FromInt32(6443)),
- },
- },
- },
+ {},
},
},
}
From ddf79a5ec9397bac44258b90ddf7bd13f9267499 Mon Sep 17 00:00:00 2001
From: Rashmi Gottipati
Date: Mon, 16 Feb 2026 15:22:05 -0500
Subject: [PATCH 3/4] Add DNS egress rules with ports 53 and 5353 to NetworkPolicies
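Review bot: The `+ kubeAPIServer: {}` line renders as an empty egress rule, and an empty rule matches every destination on every port, so each policy that lists it no longer restricts egress at all; the `+ {},` rules in both helpers.go hunks (`DesiredGRPCServerNetworkPolicy` and `DesiredUnpackBundlesNetworkPolicy`, both of which start before and continue past their hunks) have the same effect. If the goal is only to stop assuming port 6443, a narrower form is to keep the rule on `protocol: TCP` without a fixed port, or to derive the port from the `kubernetes` Service in the `default` namespace at reconcile time; I am inferring that motivation from the subject line, since the patch itself does not say. Whatever is chosen, the value and the Go literal should carry a comment stating the actual scope, e.g. `# empty rule: permits all egress, not only to kube-apiserver`. Separately, the diffstat shows only helpers.go changing with no import edits, so if these two literals were the only users of `ptr`, `corev1` and `intstr` in that file, patch 2 does not compile on its own until patch 3 reintroduces them; worth checking before the series lands as separate commits.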
Signed-off-by: Rashmi Gottipati
---
.../0000_50_olm_01-networkpolicies.yaml | 3 ++
deploy/chart/values.yaml | 4 ++
pkg/controller/registry/reconciler/helpers.go | 46 ++++++++++++++++++-
3 files changed, 52 insertions(+), 1 deletion(-)
diff --git a/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml b/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml
index 102bd68fd7..d52f72632a 100644
--- a/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml
+++ b/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml
@@ -22,6 +22,7 @@ spec:
- {{ .Values.networkPolicy.metrics | toYaml | nindent 6 | trimSuffix "\n" }}
egress:
- {{ .Values.networkPolicy.kubeAPIServer | toYaml | nindent 6 | trimSuffix "\n" }}
+ - {{ .Values.networkPolicy.dns | toYaml | nindent 6 | trimSuffix "\n" }}
policyTypes:
- Ingress
- Egress
@@ -39,6 +40,7 @@ spec:
- {{ .Values.networkPolicy.metrics | toYaml | nindent 6 | trimSuffix "\n" }}
egress:
- {{ .Values.networkPolicy.kubeAPIServer | toYaml | nindent 6 | trimSuffix "\n" }}
+ - {{ .Values.networkPolicy.dns | toYaml | nindent 6 | trimSuffix "\n" }}
policyTypes:
- Ingress
- Egress
@@ -58,6 +60,7 @@ spec:
port: {{ .Values.package.service.internalPort }}
egress:
- {{ .Values.networkPolicy.kubeAPIServer | toYaml | nindent 6 | trimSuffix "\n" }}
+ - {{ .Values.networkPolicy.dns | toYaml | nindent 6 | trimSuffix "\n" }}
policyTypes:
- Ingress
- Egress
diff --git a/deploy/chart/values.yaml b/deploy/chart/values.yaml
index 5d5098edc0..652b417dd3 100644
--- a/deploy/chart/values.yaml
+++ b/deploy/chart/values.yaml
@@ -110,6 +110,10 @@ networkPolicy:
port: 53
- protocol: UDP
port: 53
+ - protocol: TCP
+ port: 5353
+ - protocol: UDP
+ port: 5353
kubeAPIServer: {}
metrics:
ports:
diff --git a/pkg/controller/registry/reconciler/helpers.go b/pkg/controller/registry/reconciler/helpers.go
index 14fa7fcdb9..eca6a2459d 100644
--- a/pkg/controller/registry/reconciler/helpers.go
+++ b/pkg/controller/registry/reconciler/helpers.go
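Review bot: Each `+ - {{ .Values.networkPolicy.dns ... }}` line is inserted after the `kubeAPIServer` rule, which values.yaml sets to `{}` and which therefore already permits all egress, so the DNS rule is inert in all three template hunks until that rule is narrowed; the ports added in the values.yaml hunk are inert for the same reason. The `dns` rule also carries no `to:` selector, so once it does take effect it permits 53 and 5353 to any address rather than to the cluster DNS pods; a `namespaceSelector`/`podSelector` for the DNS deployment would keep it scoped, though which deployment that is cannot be seen from the patch. The reason for 5353 is not stated anywhere in the change; a comment above `+ port: 5353` along the lines of `# 5353: <reason the DNS backend needs this port>` (with the real reason filled in) would spare the next reader a guess.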
@@ -46,10 +46,32 @@ func DesiredGRPCServerNetworkPolicy(catalogSource *v1alpha1.CatalogSource, match
},
}
- // Allow egress to kube-apiserver from configmap backed catalog sources
+ // Allow egress to kube-apiserver and DNS from configmap backed catalog sources
if catalogSource.Spec.SourceType == v1alpha1.SourceTypeConfigmap || catalogSource.Spec.SourceType == v1alpha1.SourceTypeInternal {
np.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{
+ // Wildcard allow all IPs/Ports for kube-apiserver
{},
+ // Wildcard allow all IPs with DNS ports
+ {
+ Ports: []networkingv1.NetworkPolicyPort{
+ {
+ Protocol: ptr.To(corev1.ProtocolTCP),
+ Port: ptr.To(intstr.FromInt32(53)),
+ },
+ {
+ Protocol: ptr.To(corev1.ProtocolUDP),
+ Port: ptr.To(intstr.FromInt32(53)),
+ },
+ {
+ Protocol: ptr.To(corev1.ProtocolTCP),
+ Port: ptr.To(intstr.FromInt32(5353)),
+ },
+ {
+ Protocol: ptr.To(corev1.ProtocolUDP),
+ Port: ptr.To(intstr.FromInt32(5353)),
+ },
+ },
+ },
}
}
@@ -83,7 +105,29 @@ func DesiredUnpackBundlesNetworkPolicy(catalogSource client.Object) *networkingv
},
PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress},
Egress: []networkingv1.NetworkPolicyEgressRule{
+ // Wildcard allow all IPs/Ports for kube-apiserver
{},
+ // Wildcard allow all IPs with DNS ports
+ {
+ Ports: []networkingv1.NetworkPolicyPort{
+ {
+ Protocol: ptr.To(corev1.ProtocolTCP),
+ Port: ptr.To(intstr.FromInt32(53)),
+ },
+ {
+ Protocol: ptr.To(corev1.ProtocolUDP),
+ Port: ptr.To(intstr.FromInt32(53)),
+ },
+ {
+ Protocol: ptr.To(corev1.ProtocolTCP),
+ Port: ptr.To(intstr.FromInt32(5353)),
+ },
+ {
+ Protocol: ptr.To(corev1.ProtocolUDP),
+ Port: ptr.To(intstr.FromInt32(5353)),
+ },
+ },
+ },
},
},
}
From d07e38f9ef0ebad9d0bfe0a56d1f7032f5b16ec5 Mon Sep 17 00:00:00 2001
From: Rashmi Gottipati
Date: Mon, 16 Feb 2026 17:05:46 -0500
Subject: [PATCH 4/4] add catalog GRPC port rules back
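Review bot: The same 20-line DNS rule literal is added verbatim to `DesiredGRPCServerNetworkPolicy` and `DesiredUnpackBundlesNetworkPolicy` (both functions start before and end after their hunks), which is the kind of duplication that drifts the next time a port is added; a small `dnsEgressRule()` helper called from both keeps the two policies identical by construction. The comment `// Wildcard allow all IPs/Ports for kube-apiserver` on the `{},` line describes a rule that is not tied to kube-apiserver in any way, and because that rule already matches everything, the DNS rule beneath it has no effect until the first rule is narrowed; the comments should say both things so a later reader does not assume the DNS ports are the only egress permitted. The sketch below keeps the port order (TCP 53, UDP 53, TCP 5353, UDP 5353) so any equality-based tests on the generated policy are unaffected.
```go
// dnsEgressRule permits egress on the DNS ports (53 and 5353, TCP and UDP) to any peer.
// No To selector is set, so this is not limited to the cluster DNS pods.
func dnsEgressRule() networkingv1.NetworkPolicyEgressRule {
	var ports []networkingv1.NetworkPolicyPort
	for _, port := range []int32{53, 5353} {
		for _, proto := range []corev1.Protocol{corev1.ProtocolTCP, corev1.ProtocolUDP} {
			ports = append(ports, networkingv1.NetworkPolicyPort{
				Protocol: ptr.To(proto),
				Port:     ptr.To(intstr.FromInt32(port)),
			})
		}
	}
	return networkingv1.NetworkPolicyEgressRule{Ports: ports}
}

// … unchanged: start of DesiredGRPCServerNetworkPolicy …
		np.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{
			// Empty rule: matches every destination and every port; intended for
			// kube-apiserver but not limited to it, so the DNS rule below only
			// constrains anything if this rule is narrowed.
			{},
			dnsEgressRule(),
		}
// … unchanged: DesiredUnpackBundlesNetworkPolicy uses the same two rules in its Egress field …
```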
Signed-off-by: Rashmi Gottipati
---
deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml b/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml
index d52f72632a..6ee410a64a 100644
--- a/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml
+++ b/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml
@@ -41,6 +41,9 @@ spec:
egress:
- {{ .Values.networkPolicy.kubeAPIServer | toYaml | nindent 6 | trimSuffix "\n" }}
- {{ .Values.networkPolicy.dns | toYaml | nindent 6 | trimSuffix "\n" }}
+ - ports:
+ - protocol: TCP
+ port: {{ .Values.catalogGrpcPodPort }}
policyTypes:
- Ingress
- Egress
@@ -61,6 +64,9 @@ spec:
egress:
- {{ .Values.networkPolicy.kubeAPIServer | toYaml | nindent 6 | trimSuffix "\n" }}
- {{ .Values.networkPolicy.dns | toYaml | nindent 6 | trimSuffix "\n" }}
+ - ports:
+ - protocol: TCP
+ port: {{ .Values.catalogGrpcPodPort }}
policyTypes:
- Ingress
- Egress
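Review bot: The `index d52f72632a..6ee410a64a` header shows this patch returns the template to the exact blob patch 1 started from (`6ee410a64a`), so the template edits in patches 1, 3 and 4 cancel out and only the values.yaml and helpers.go changes survive the series; squashing, or dropping the template hunks from all three patches, would make the history say that. The re-added `+ - ports:` / `port: {{ .Values.catalogGrpcPodPort }}` rules in both hunks sit after the `kubeAPIServer` rule, which is `{}` after patch 1 and so already matches every destination and port; they only constrain anything if that value is narrowed later. A short template comment above the first of them, e.g. `# the rules below only take effect if networkPolicy.kubeAPIServer is narrowed from {}`, would make that dependency visible to whoever next edits the values.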