UNCLASSIFIED - NO CUI

Added rule to allow reports-controller access to KubeAPI

General MR

Summary

  • Added network policy to allow kyverno reports-controller to hit KubeAPI

Relevant logs/screenshots

Prior to network policy addition:

NAME                                                                       POD-SELECTOR                                                     AGE
allow-egress-from-kyverno-admission-controller-to-kubeapi                  app.kubernetes.io/component=admission-controller                 17m
allow-egress-from-kyverno-background-controller-to-kubeapi                 app.kubernetes.io/component=background-controller                17m
allow-egress-from-kyverno-cleanup-controller-to-kubeapi                    app.kubernetes.io/component=cleanup-controller                   17m
allow-egress-from-kyverno-migrate-resources-to-kubeapi                     batch.kubernetes.io/job-name=kyverno-kyverno-migrate-resources   17m
allow-ingress-to-kyverno-admission-controller-port-9443-from-kubeapi       app.kubernetes.io/component=admission-controller                 17m
allow-ingress-to-kyverno-tcp-port-8000-from-ns-monitoring-pod-prometheus   app.kubernetes.io/instance=kyverno-kyverno                       17m
default-egress-allow-all-in-ns                                             <none>                                                           17m
default-egress-allow-kube-dns                                              <none>                                                           17m
default-egress-deny-all                                                    <none>                                                           17m
default-ingress-allow-all-in-ns                                            <none>                                                           17m
default-ingress-deny-all                                                   <none>                                                           17m

After adding network policy:

NAME                                                                       POD-SELECTOR                                                     AGE
allow-egress-from-kyverno-admission-controller-to-kubeapi                  app.kubernetes.io/component=admission-controller                 18m
allow-egress-from-kyverno-background-controller-to-kubeapi                 app.kubernetes.io/component=background-controller                18m
allow-egress-from-kyverno-cleanup-controller-to-kubeapi                    app.kubernetes.io/component=cleanup-controller                   18m
allow-egress-from-kyverno-migrate-resources-to-kubeapi                     batch.kubernetes.io/job-name=kyverno-kyverno-migrate-resources   18m
allow-egress-from-kyverno-reports-controller-to-kubeapi                    app.kubernetes.io/component=reports-controller                   14s
allow-ingress-to-kyverno-admission-controller-port-9443-from-kubeapi       app.kubernetes.io/component=admission-controller                 18m
allow-ingress-to-kyverno-tcp-port-8000-from-ns-monitoring-pod-prometheus   app.kubernetes.io/instance=kyverno-kyverno                       18m
default-egress-allow-all-in-ns                                             <none>                                                           18m
default-egress-allow-kube-dns                                              <none>                                                           18m
default-egress-deny-all                                                    <none>                                                           18m
default-ingress-allow-all-in-ns                                            <none>                                                           18m
default-ingress-deny-all                                                   <none>                                                           18m

Linked Issue

issue

Upgrade Notices

N/A

Edited by Jimmy Bourque
