UNCLASSIFIED - NO CUI

Add Dynamic Network Policy Support to all Packages

Description:

Currently, many Ingress and Egress package network policies use hardcoded namespaceSelector matchLabels. These fixed labels do not support the migration to Istio Operator-less enabled deployments.

To address this, a named template, istioNamespaceSelector, has been added to the Big Bang Chart helper.tpl. This template dynamically defines matchLabels based on whether istioCore (Operator-less) or Istio (Operator) is enabled.

This issue will track the implementation of templating in package network policies, allowing dynamic matchLabel values to be passed from the Big Bang umbrella chart, and will serve as a reference for teams validating their package's transition to Istio Operator-less enabled BB deployments.

[Diagram: netpol_diagram]

Mission Team Packages with Hardcoded Network Policies:

Security and Compliance

  • Anchore
    • anchore-enterprise/chart/templates/bigbang/networkpolicies/allow-istio.yaml
  • Twistlock
    • twistlock/chart/templates/networkpolicies/ingress-istio-ingressgateway.yml
    • twistlock/chart/templates/networkpolicies/istiod-egress.yml
  • Cluster Auditor
    • cluster-auditor/chart/templates/bigbang/network-policies/egress-istiod.yaml

Observability

  • Eck Operator
    • eck-operator/chart/templates/bigbang/networkpolicies/egress-istio-d.yaml
  • Elasticsearch-Kibana
    • elasticsearch-kibana/chart/templates/bigbang/networkpolicies/allow-istiod-egress.yaml
    • elasticsearch-kibana/chart/templates/bigbang/networkpolicies/istio.yaml
  • Metrics Server
    • metrics-server/chart/templates/bigbang/networkpolicies/egress-istiod.yaml
    • metrics-server/chart/templates/bigbang/networkpolicies/istio-allow.yaml
  • Fluentbit
    • fluentbit/chart/templates/bigbang/networkpolicies/allow-istio.yaml
  • Jaeger
    • jaeger/chart/templates/bigbang/networkpolicies/egress-istiod.yaml
    • jaeger/chart/templates/bigbang/networkpolicies/ingress-istio-ingressgateway.yml

Storage and Collaboration

  • Minio
    • minio/chart/templates/bigbang/networkpolicies/istio-allow.yaml
    • minio/chart/templates/bigbang/networkpolicies/istio.yaml
  • Velero
    • velero/chart/templates/bigbang/networkpolicies/allow-istio.yaml
  • Vault
    • vault/chart/templates/bigbang/networkpolicies/allow-istio.yaml
  • Mattermost
    • mattermost/chart/templates/bigbang/networkpolicies/allow-istio-egress.yaml
    • mattermost/chart/templates/bigbang/networkpolicies/allow-istio-ingress.yaml
  • Mattermost Operator
    • mattermost-operator/chart/templates/bigbang/networkpolicies/egress-istiod.yaml
  • Confluence
    • confluence/chart/templates/bigbang/networkpolicies/allow-istiod-egress.yaml
    • confluence/chart/templates/bigbang/networkpolicies/ingress-istio.yaml
  • Jira
    • jira/chart/templates/bigbang/networkpolicies/allow-istiod-egress.yaml
    • jira/chart/templates/bigbang/networkpolicies/ingress-istio.yaml

Development and Ops

  • Gitlab
    • gitlab/chart/templates/bigbang/networkpolicies/egress-istiod.yaml
    • gitlab/chart/templates/bigbang/networkpolicies/ingress-istio-pages.yaml
    • gitlab/chart/templates/bigbang/networkpolicies/ingress-istio-registry.yaml
    • gitlab/chart/templates/bigbang/networkpolicies/ingress-istio-sidekiq.yaml
    • gitlab/chart/templates/bigbang/networkpolicies/ingress-istio-webservice.yaml
  • GitLab Runner
    • gitlab-runner/chart/templates/bigbang/networkpolicies/egress-istiod.yaml
  • Harbor
    • harbor/chart/templates/bigbang/networkpolicies/istio.yaml
  • Nexus
    • nexus/chart/templates/bigbang/networkpolicies/istio.yaml
  • Holocron
    • holocron/chart/templates/bigbang/networkpolicies/ingress-egress-istio.yaml
  • Fortify
    • fortify/chart/templates/bigbang/networkpolicies/istio.yaml
  • Sonarqube
    • sonarqube/chart/templates/bigbang/networkpolicies/egress-istiod.yaml
    • sonarqube/chart/templates/bigbang/networkpolicies/istio-allow.yaml
  • ArgoCD
    • argocd/chart/templates/bigbang/networkpolicies/allow-istio.yaml

Tools and Automation

  • Wrapper
    • wrapper/chart/templates/network/networkpolicy-gateway.yaml
    • wrapper/chart/templates/network/networkpolicy-istio-sidecar.yaml
  • Renovate
    • renovate/chart/templates/bigbang/networkpolicies/allow-istiod-egress.yaml

Pipelines and Infrastructure

  • ?

Implementation Guide

Setup Network Policies for Dynamic Values

  1. Within the package, identify any Ingress/Egress policies under <working-package>/chart/templates/bigbang/networkpolicies/ that have hardcoded namespaceSelector matchLabels.
  2. For Egress policies, replace the hardcoded namespaceSelector matchLabels value app.kubernetes.io/name: istio-controlplane with the following:
{{- if .Values.networkPolicies.istioNamespaceSelector }}
app.kubernetes.io/name: {{ .Values.networkPolicies.istioNamespaceSelector.egress }}
{{- else }}
app.kubernetes.io/name: "istio-controlplane"
{{- end }}

[Screenshot: Screenshot_2025-02-25_at_9.17.40_AM]

  3. For Ingress policies, replace the hardcoded namespaceSelector matchLabels value app.kubernetes.io/name: istio-controlplane with the following:
{{- if .Values.networkPolicies.istioNamespaceSelector }}
app.kubernetes.io/name: {{ .Values.networkPolicies.istioNamespaceSelector.ingress }}
{{- else }}
app.kubernetes.io/name: "istio-controlplane"
{{- end }}

[Screenshot: Screenshot_2025-02-25_at_9.20.14_AM]

Testing and Validation

Add Templating in local Big Bang chart

To test changes in a dev cluster, you will need to add templating to two files in your local Big Bang chart under bigbang/chart/templates/<package-name>: values.yaml and namespace.yaml.

  1. Modify values.yaml in the bigbang/chart/templates/<package-name> directory
  • Locate the .networkPolicies key and add the following entry:
networkPolicies:
  istioNamespaceSelector:
  {{ include "istioNamespaceSelector" . | nindent 4 }}
  • Locate the istio.enabled boolean and change it from {{ .Values.istio.enabled }} to {{ include "istioEnabled" . }}

  • Search for occurrences of istio-system/{{ default "public in values.yaml. For each matched line, make the following changes:

    • istio-system to {{ include "istioGatewayNamespace" . }}
    • public to (include "istioPublicGateway" . )

[Screenshot: Screenshot_2025-03-14_at_11.54.26_AM]

  2. Modify namespace.yaml in the bigbang/chart/templates/<package-name> directory.
  • Replace .Values.istio.enabled or (include "istioEnabled" .) with (eq (include "istioEnabled" .) "true")

[Screenshots: Screenshot_2025-03-14_at_9.23.05_AM, Screenshot_2025-03-26_at_9.33.17_AM]

  3. All of these changes will need to be added to the BB MR after the package MR gets approved and merged. If you like, you can create a temporary branch for easy reference.

Test Changes in BB Dev Cluster with Istio Operator enabled

  1. Create a k3d dev cluster with flux installed
  2. Deploy Big Bang with the working package enabled. Ensure that Istio, IstioOperator and networkPolicies are also enabled in your overrides.
  3. Test the package as you normally would.
  4. Validate that the modified network policies have the correct namespaceSelector matchLabels. Label should be istio-controlplane for both egress and ingress:
kubectl describe networkpolicy -n <package-namespace> <name-of-modified-policy> | grep istio-controlplane

Test Changes in BB Dev Cluster with Istio Operator-less (istioCore) enabled

  1. Create a k3d dev cluster with flux installed
  2. Deploy Big Bang with the working package enabled, and the following override settings:
######### Istio Operator-less (istioCore) Overrides #############
networkPolicies:
  enabled: true
istio:
  enabled: false
istioOperator:
  enabled: false
istioCore:
  enabled: true
istioGateway:
  enabled: true
  3. Test the package as you normally would.
  4. Validate that the modified network policies have the correct namespaceSelector matchLabels. Label should be istio-core for ingress and istio-gateway for egress policies:
kubectl describe networkpolicy -n <package-namespace> <name-of-modified-policy> | grep "istio-gateway\|istio-core"
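The two grep checks above only show that the expected string appears somewhere in the policy. The script below, an added example that is not part of the issue or the Big Bang repo, walks the JSON from kubectl get networkpolicy -o json and reports any ingress or egress rule whose namespaceSelector does not carry the label value the validation steps list for the chosen mode (Operator or istioCore). The sample policy list embedded in it is constructed, and the expected label values are copied from the validation steps above.

```python
"""Check applied NetworkPolicies for the expected Istio namespaceSelector label values."""
import json

LABEL_KEY = "app.kubernetes.io/name"

# Expected namespaceSelector values per Big Bang mode, as listed in the validation steps above.
EXPECTED = {
    "operator": {"ingress": "istio-controlplane", "egress": "istio-controlplane"},
    "istioCore": {"ingress": "istio-core", "egress": "istio-gateway"},
}


def selector_values(policy, direction):
    """Collect every LABEL_KEY value used by namespaceSelectors in a policy's ingress or egress rules."""
    peers_key = "from" if direction == "ingress" else "to"
    values = set()
    for rule in policy.get("spec", {}).get(direction) or []:
        for peer in rule.get(peers_key) or []:
            match_labels = (peer.get("namespaceSelector") or {}).get("matchLabels") or {}
            if LABEL_KEY in match_labels:
                values.add(match_labels[LABEL_KEY])
    return values


def check_policies(netpol_list_json, mode):
    """Validate a `kubectl get networkpolicy -o json` list for one mode; return a list of findings."""
    findings = []
    for pol in json.loads(netpol_list_json)["items"]:
        name = pol["metadata"]["name"]
        for direction in ("ingress", "egress"):
            for value in sorted(selector_values(pol, direction)):
                if value != EXPECTED[mode][direction]:
                    findings.append(f"{name}: {direction} selects {value!r}, expected {EXPECTED[mode][direction]!r}")
    return findings


# Constructed sample: what two templated policies look like on an Istio Operator-enabled cluster.
SAMPLE_LIST = json.dumps({"items": [
    {"metadata": {"name": "ingress-istio"},
     "spec": {"policyTypes": ["Ingress"], "ingress": [{"from": [
         {"namespaceSelector": {"matchLabels": {LABEL_KEY: "istio-controlplane"}}}]}]}},
    {"metadata": {"name": "allow-istiod-egress"},
     "spec": {"policyTypes": ["Egress"], "egress": [{"to": [
         {"namespaceSelector": {"matchLabels": {LABEL_KEY: "istio-controlplane"}}}]}]}},
]})

if __name__ == "__main__":
    import sys
    # Usage: python check_netpol.py <operator|istioCore> [netpol-list.json]; without a file the sample is used.
    mode = sys.argv[1] if len(sys.argv) > 1 else "operator"
    data = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_LIST
    for line in check_policies(data, mode) or [f"all namespaceSelectors match mode {mode}"]:
        print(line)
```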

Add Required Templating in Big Bang Merge request

Once the package merge request has been approved and merged, add the following entries to the Big Bang merge request. These are the same changes you made to your local Big Bang chart in the "Add Templating in local Big Bang chart" section:

  1. Modify values.yaml in the bigbang/chart/templates/<package-name> directory
  • Locate the .networkPolicies key and add the following entry:
networkPolicies:
  istioNamespaceSelector:
  {{ include "istioNamespaceSelector" . | nindent 4 }}
  • Locate the istio.enabled boolean and change it from {{ .Values.istio.enabled }} to {{ include "istioEnabled" . }}

  • Search for occurrences of istio-system/{{ default "public in values.yaml. For each matched line, make the following changes:

    • istio-system to {{ include "istioGatewayNamespace" . }}
    • public to (include "istioPublicGateway" . )

[Screenshot: Screenshot_2025-03-14_at_11.54.26_AM]

  2. Modify namespace.yaml in the bigbang/chart/templates/<package-name> directory.
  • Replace .Values.istio.enabled or (include "istioEnabled" .) with (eq (include "istioEnabled" .) "true")

[Screenshots: Screenshot_2025-03-14_at_9.23.05_AM, Screenshot_2025-03-26_at_9.33.17_AM]

  3. Prior to submitting the Big Bang MR for review, it's recommended that you test the updates made to the BB MR branch in a k3d dev cluster. At the very least, test the BB deployment of the package with Istio Operator enabled.
Edited by Luis Gomez