NetworkPolicy disallows traffic between OLM and CatalogSource

If your cluster administrator has implemented a NetworkPolicy that restricts communication between namespaces, you must create another NetworkPolicy to allow the required communication between OLM and CatalogSource.

Resolving the problem

  1. Determine the project or namespace in which OLM is installed. By default, this is openshift-operator-lifecycle-manager.

  2. Apply a label to the OLM namespace so that it can be correctly referenced by the NetworkPolicy.

    oc label namespace openshift-operator-lifecycle-manager networkPolicyTarget=cp4mcm
    
  3. Obtain the project or namespace in which the IBM Cloud Pak for Multicloud Management installation CR was installed.

    oc get installation.orchestrator.management.ibm.com -A
    
  4. Create the NetworkPolicy in the project or namespace in which the IBM Cloud Pak for Multicloud Management installation CR was installed.

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-olm-cp4m-communication
      namespace: cp4mcm  # namespace obtained in step 3
    spec:
      egress:
      - to:
        - namespaceSelector:
            matchLabels:
              networkPolicyTarget: cp4mcm  # label applied in step 2
      ingress:
      - from:
        - namespaceSelector:
            matchLabels:
              networkPolicyTarget: cp4mcm  # label applied in step 2
      podSelector: {}
      policyTypes:
      - Egress
      - Ingress
    

    Notes:

    • The matchLabels value depends on the label applied in step 2.
    • The namespace value is obtained in step 3.
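
The two notes above are the usual failure points: a label that does not match the selector, or a manifest whose spec is not at the top level. The following offline check is an added example, not part of the IBM procedure. Its inputs are constructed dictionaries in the shape of `oc get networkpolicy -o json` output, and the function names are hypothetical.

```python
# Added example: checks that the OLM namespace is selected as an ingress and
# egress peer by the NetworkPolicy from step 4. All inputs are constructed.

OLM_NS = "openshift-operator-lifecycle-manager"
PEER = {"namespaceSelector": {"matchLabels": {"networkPolicyTarget": "cp4mcm"}}}

POLICY = {  # constructed to mirror the manifest in step 4
    "metadata": {"name": "allow-olm-cp4m-communication", "namespace": "cp4mcm"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Egress", "Ingress"],
        "egress": [{"to": [PEER]}],
        "ingress": [{"from": [PEER]}],
    },
}

# Constructed namespace -> labels map (metadata.labels of each namespace).
NAMESPACES = {OLM_NS: {"networkPolicyTarget": "cp4mcm"}, "cp4mcm": {}, "default": {}}


def selector_matches(selector, labels):
    """matchLabels semantics: every pair must be present; {} matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(key) == value for key, value in wanted.items())


def peer_namespaces(policy, direction, namespaces):
    """Namespaces selected by namespaceSelector peers for 'ingress' or 'egress'."""
    peer_key = "from" if direction == "ingress" else "to"
    selected = set()
    for rule in policy["spec"].get(direction, []):
        for peer in rule.get(peer_key, []):
            if "namespaceSelector" not in peer:
                continue  # ipBlock and podSelector-only peers are out of scope
            selected.update(name for name, labels in namespaces.items()
                            if selector_matches(peer["namespaceSelector"], labels))
    return sorted(selected)


def check(policy, namespaces, olm_ns=OLM_NS):
    """Return a list of problems; an empty list means OLM is a peer both ways."""
    if "spec" not in policy:
        return ["no top-level spec: check that spec is not indented under metadata"]
    return [f"{direction}: {olm_ns} not selected; compare its labels with matchLabels"
            for direction in ("ingress", "egress")
            if olm_ns not in peer_namespaces(policy, direction, namespaces)]


if __name__ == "__main__":
    print(check(POLICY, NAMESPACES) or "OLM namespace is an allowed peer")
```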