UNCLASSIFIED - NO CUI

Skip to content

Updated definition for kubeapi

Jimmy Bourquerequested to merge
2875-istiod-controlplanecidr into master

General MR

Summary

  • Updated KubeAPI network policy definition for istiod to ensure the value of controlplanecidr gets passed down properly

Relevant logs/screenshots

Original Network Policy

➜  bigbang-overrides kubectl get netpol allow-egress-from-istiod-to-kubeapi -n istio-system -o yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  annotations:
    generated.network-policies.bigbang.dev/from-definition: kubeAPI
    generated.network-policies.bigbang.dev/local-key: istiod
    generated.network-policies.bigbang.dev/remote-key: kubeAPI
    meta.helm.sh/release-name: istiod
    meta.helm.sh/release-namespace: istio-system
  creationTimestamp: "2025-09-15T16:31:36Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
    helm.toolkit.fluxcd.io/name: istiod
    helm.toolkit.fluxcd.io/namespace: bigbang
    network-policies.bigbang.dev/direction: egress
    network-policies.bigbang.dev/source: bb-common
  name: allow-egress-from-istiod-to-kubeapi
  namespace: istio-system
  resourceVersion: "5778"
  uid: 6bc20fc9-875d-4d15-b8f9-4718ccf63055
spec:
  egress:
  - ports:
    - port: 6443
      protocol: TCP
    to:
    - ipBlock:
        cidr: 10.0.0.0/8
    - ipBlock:
        cidr: 172.16.0.0/12
    - ipBlock:
        cidr: 192.168.0.0/16
  podSelector:
    matchLabels:
      app.kubernetes.io/name: istiod
  policyTypes:
  - Egress

Fixed Network Policy

kubectl get netpol allow-egress-from-istiod-to-kubeapi -n istio-system -o yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  annotations:
    generated.network-policies.bigbang.dev/from-definition: kubeAPI
    generated.network-policies.bigbang.dev/local-key: istiod
    generated.network-policies.bigbang.dev/remote-key: kubeAPI
    meta.helm.sh/release-name: istiod
    meta.helm.sh/release-namespace: istio-system
  creationTimestamp: "2025-09-15T18:37:00Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
    helm.toolkit.fluxcd.io/name: istiod
    helm.toolkit.fluxcd.io/namespace: bigbang
    network-policies.bigbang.dev/direction: egress
    network-policies.bigbang.dev/source: bb-common
  name: allow-egress-from-istiod-to-kubeapi
  namespace: istio-system
  resourceVersion: "5798"
  uid: 697a90c4-bc93-44d6-ac8c-a05281f84a9c
spec:
  egress:
  - to:
    - ipBlock:
        cidr: 172.16.0.0/12
  podSelector:
    matchLabels:
      app.kubernetes.io/name: istiod
  policyTypes:
  - Egress

Linked Issue

issue

Upgrade Notices

N/A

Edited by Jimmy Bourque

Merge request reports

UNCLASSIFIED - NO CUI