UNCLASSIFIED - NO CUI

kyverno update to 3.6.1-bb.1

Package Merge Request

Package Changes

https://repo1.dso.mil/big-bang/product/packages/kyverno/-/blob/3.6.1-bb.1/CHANGELOG.md

Package MR

big-bang/product/packages/kyverno!244 (merged)

For Issue

Closes (big-bang/product/packages/kyverno#169 (closed))

Upgrade Notices

Kyverno is now leveraging our bb-common integration for network policies. Please refer to this blog post for additional information on the integration.

Please note that two definitions have been created as part of this integration to allow these policies to be more tailored to a given environment:

kyverno:
  values:
    networkPolicies:
      ingress:
        definitions:
          kubeAPI:
            from:
              - ipBlock:
                  cidr: 172.16.0.0/12

The kubeAPI ingress definition will automatically allow all private IP ranges, but can be overridden within the package as shown above if needed to further restrict access. Previously, this network policy was allowing all IP addresses into the kyverno namespace.

Note

The ingress definition for kubeAPI is separate from the existing egress definition.

The private-registry egress definition has also been created and defaults to the IP address of Iron Bank using TCP port 443. If another registry is in use, the CIDR and ports may need to be updated.

kyverno:
  values:
    networkPolicies:
      egress:
        definitions:
          private-registry:
            to:
              - ipBlock:
                  cidr: "15.205.173.153/32"
            ports:
              - port: 443
                protocol: TCP

Please note that this network policy is not enabled by default and is currently controlled by the following settings in the package:

networkPolicies:
  externalRegistries:
    allowEgress: false
    ports: []

The above section will be deprecated in the next major version of Big Bang (4.0). Instead, the network policy will automatically be enabled whenever the require-image-signature Kyverno policy is enabled, since this communication is needed as part of that process. If you are currently leveraging the ports section, no action is needed and it will continue to function as expected; however, it is recommended to switch over to using the new definition.

This rule can also be toggled on or off manually as shown below:

kyverno:
  values:
    networkPolicies:
      egress:
        from:
          kyverno-admission-controller:
            podSelector:
              matchLabels:
                app.kubernetes.io/component: admission-controller
            to:
              definition:
                private-registry: true # Set to false to disable
Edited by Jimmy Bourque
