anchoreEnterprise update to 3.21.1-bb.1
Package Merge Request
Package Changes
https://repo1.dso.mil/big-bang/product/packages/anchore-enterprise/-/blob/3.21.1-bb.1/CHANGELOG.md
Package MR
big-bang/product/packages/anchore-enterprise!407 (merged)
For Issue
Closes big-bang/product/packages/anchore-enterprise#258 (closed)
Upgrade Notices
Anchore Enterprise is now leveraging our bb-common integration for network policies and all Istio-related resources. Please refer to this blog post for additional information on the integration.
As part of the integration, two new package-level definitions have been created, with their defaults shown below:
anchore-data-service:
  to:
    - ipBlock:
        cidr: 0.0.0.0/0
  ports:
    - port: 443
      protocol: TCP
ldap-subnets:
  to:
    - ipBlock:
        cidr: 192.168.0.0/16
    - ipBlock:
        cidr: 172.16.0.0/12
    - ipBlock:
        cidr: 10.0.0.0/8
  ports:
    - port: 636
      protocol: TCP
notification-services:
  to:
    - ipBlock:
        cidr: 0.0.0.0/0
redis-subnets:
  to:
    - ipBlock:
        cidr: 192.168.0.0/16
    - ipBlock:
        cidr: 172.16.0.0/12
    - ipBlock:
        cidr: 10.0.0.0/8
  ports:
    - port: 6379
      protocol: TCP
registry-subnets:
  to:
    - ipBlock:
        cidr: 0.0.0.0/0
The anchore-data-service definition is used to reach Anchore Enterprise's default feed service and is enabled by default. The ldap-subnets definition is also enabled by default but is only required if Anchore Enterprise is configured with LDAP integration. If LDAP is not in use, the definition can be disabled for the UI egress as shown below:
networkPolicies:
  egress:
    from:
      ui:
        podSelector:
          matchLabels:
            app.kubernetes.io/component: ui
        to:
          definition:
            ldap-subnets: false
The notification-services and registry-subnets definitions can be further locked down if the CIDRs of those services are known. By default they allow egress to 0.0.0.0/0, but only from the pods that require that communication.
The redis-subnets definition is enabled automatically only if Anchore Enterprise is configured to use an external Redis service.
The package also uses the database-subnets definition, which is defined globally in Big Bang and passed down to the anchoreEnterprise package. You are encouraged to override the CIDRs defined there to match your infrastructure. Any change made at that global level propagates down into the anchoreEnterprise package and into any other package that leverages an external database.