[Spike] Determine Repeatable Pattern for Network Policies
Currently, ingress network policies on packages use labels from the Istio ingress gateway that are passed down from the umbrella template. However, the label used to validate the source namespace is hardcoded and will not function with the new Istio implementation.
Ideally, we would like to find a way that works for both implementations so that it can be deployed to the umbrella chart ahead of the new Istio implementation. Additionally, we will need to go through a good number of packages to examine how their network policies are set up to ensure this method will work across the board.
This specifically applies to the ingress network policies from the Istio gateways; however, those packages likely also have egress policies to Istio (e.g. to istiod) that will need to be reviewed.
Packages that should be inspected:
- Keycloak
- Kiali
- ArgoCD
- Grafana
- Monitoring
- Gitlab
- Gitlab-Runner
- Nexus
- SonarQube
- Mattermost
- Kyverno
- Tempo
- Jaeger
I think checking the above packages would give us enough confidence to come up with a simple unified approach. Once we have the pattern established we can get with Mission Team leads to make them aware of the pattern and have them create issues for all of their packages so we can get the changes in relatively quickly.
Packages containing Network Policies with hardcoded Istio Operator labels
Package network policy paths: /chart/templates/bigbang/networkpolicies/*.yaml
| Package | Config Name | Type | Hardcoded Item |
|---|---|---|---|
| ArgoCD | allow-istio.yaml | Ingress/Egress | nsSelector label |
| Gitlab | egress-istiod.yaml | Egress | nsSelector & podSelector |
| Gitlab | ingress-istio-pages.yaml | Ingress | nsSelector label |
| Gitlab | ingress-istio-registry.yaml | Ingress | nsSelector label |
| Gitlab | ingress-istio-sidekiq.yaml | Ingress | nsSelector label |
| Gitlab | ingress-istio-webservice.yaml | Ingress | nsSelector label |
| Gitlab-Runner | egress-istiod.yaml | Ingress | nsSelector label |
| Grafana | egress-istio-d.yaml | Egress | nsSelector label |
| Grafana | ingress-istio.yaml | Ingress | nsSelector label |
| Jaeger | egress-istiod.yaml | Egress | nsSelector & podSelector |
| Jaeger | ingress-istio-ingressgateway.yml | Ingress | nsSelector label |
| Kiali | egress-istiod.yml | Egress | nsSelector label |
| Kiali | ingress-istio-ingressgateway.yml | Ingress | nsSelector label |
| Keycloak | egress-istiod.yaml | Egress | nsSelector & podSelector |
| Keycloak | ingress-istio.yaml | Ingress | nsSelector & podSelector |
| Kyverno Reporter | NA | NA | NA |
| Mattermost | allow-istio-egress.yaml | Egress | nsSelector label |
| Mattermost | allow-istio-ingress.yaml | Ingress | nsSelector label |
| Monitoring | egress-istio-d.yaml | Egress | nsSelector label |
| Monitoring | ingress-istio.yaml | Ingress | nsSelector label |
| Nexus | istio.yaml | Ingress/Egress | nsSelector label |
| SonarQube | egress-istiod.yaml | Egress | nsSelector label |
| SonarQube | istio-allow.yaml | Ingress/Egress | nsSelector label |
| Tempo | egress-istio-d.yaml | Egress | nsSelector label |
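One shape the unified pattern could take, as an added sketch that is not part of this issue or of any package chart: the namespace and pod selectors for the Istio namespace, the ingress gateway and istiod move out of the template into values that the umbrella chart sets, so the same NetworkPolicy renders correctly for the Istio Operator and for the new Istio implementation. The values keys (`istio.namespaceSelector`, `istio.ingressGatewayPodSelector`, `istio.istiodPodSelector`, `networkPolicies.enabled`) and the label values are assumptions chosen for illustration.

```yaml
# values.yaml (assumed keys; placeholder label values, not the project's own)
istio:
  enabled: true
  # Labels of the namespace where Istio runs. The umbrella chart overrides
  # this per implementation instead of the package hardcoding it.
  namespaceSelector:
    kubernetes.io/metadata.name: istio-system   # placeholder value
  # Pod labels of the ingress gateway and istiod; {} means any pod in that namespace
  ingressGatewayPodSelector: {}
  istiodPodSelector:
    app: istiod   # placeholder value
---
# chart/templates/bigbang/networkpolicies/istio.yaml (Helm template, assumed path)
{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-istio
  namespace: {{ .Release.Namespace }}
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
  # Ingress: only the Istio namespace (and, when set, only gateway pods) may reach the app
  ingress:
  - from:
    - namespaceSelector:
        matchLabels: {{- toYaml .Values.istio.namespaceSelector | nindent 10 }}
      {{- with .Values.istio.ingressGatewayPodSelector }}
      podSelector:
        matchLabels: {{- toYaml . | nindent 10 }}
      {{- end }}
  # Egress: sidecars may talk to istiod in the Istio namespace, nothing broader
  egress:
  - to:
    - namespaceSelector:
        matchLabels: {{- toYaml .Values.istio.namespaceSelector | nindent 10 }}
      podSelector:
        matchLabels: {{- toYaml .Values.istio.istiodPodSelector | nindent 10 }}
    ports:
    - port: 15012   # istiod secure xDS port; adjust if the deployment differs
      protocol: TCP
{{- end }}
```

Rendering with `helm template` under each implementation's values and diffing the selectors is a quick way to confirm a package no longer carries the hardcoded labels listed in the table.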