Wyatt Fry requested to merge 87-egress-whitelist-confluence into main Apr 11, 2024

General MR

Summary

The Istio Whitelist external domains change for Confluence.

Relevant logs/screenshots

Per epic instructions, including a link to the draft MR on the umbrella repo so its pipelines tested big bang with the changes in this branch:

big-bang/bigbang!4247 (closed)

Linked Issue

issue

Upgrade Notices

A Sidecar resource has been added to the confluence namespace that disallows egress to endpoints that are not part of the Istio service registry (a.k.a REGISTRY_ONLY). The outboundTrafficPolicy.mode in the Sidecar can be configured, however, to be something other than REGISTRY_ONLY if desired by setting istio.hardened.outboundTrafficPolicyMode. This provides a redundant layer of network security in addition to NetworkPolicies. This Sidecar is disabled by default but can be enabled by setting istio.enabled: true and istio.hardened.enabled: true.

Additional custom ServiceEntries can be created by populating the istio.hardened.customServiceEntries list.

Closes #87 (closed)

Edited May 02, 2024 by Samuel Sarnowski

Admin message

Resolve "Egress Whitelist - Confluence"

General MR

Summary

Relevant logs/screenshots

Linked Issue

Upgrade Notices

Merge request reports