Add REGISTRY_ONLY Sidecar template
Summary
We will want to enable users to configure setting REGISTRY_ONLY
traffic policy on a per-package basis, in addition to allowing for it to be set globally in the meshConfig (see #1886). Creating Sidecars in each package will also allow us to focus on individual packages as we define what whitelists will need to be created per application.
This issue will handle this for Alloy
Conditions
For the Sidecar template to be created, the following conditions should be met:
- Istio injection is a feature of the package
- && Istio is enabled for the package
- && The
REGISTRY_ONLY
setting for the package is enabled (can be configured globally or directly in package values)
Sample Sidecar resource
The following Sidecar resource is applied to every workload in the apps
namespace, and limits traffic to only resources that are known within the istio service mesh, which by default includes all internal Kubernetes service domains.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: curl
namespace: apps
spec:
outboundTrafficPolicy:
mode: REGISTRY_ONLY
Acceptance Criteria
-
Observability package has the Sidecar above added as an optional Big Bang template -
The Sidecar only created when the conditions listed above are true -
We validate that mesh-external endpoints are not resolvable when these resources exist
Other notes
For some packages, it may not make sense to have a Sidecar resource. Each application/package should be evaluated to determine if it needs a Sidecar resource or not.