Draft: Resolve "Egress Whitelist - Jira"
General MR
Summary
As part of big-bang&160, we will want to enable users to configure setting REGISTRY_ONLY
traffic policy on a per-package basis, in addition to allowing for it to be set globally in the meshConfig (see #1886). Creating Sidecars in each package will also allow us to focus on individual packages as we define what whitelists will need to be created per application.
Relevant logs/screenshots
(Include any relevant logs/screenshots)
Linked Issue
Upgrade Notices
A Sidecar resource has been added to the jira
namespace that disallows egress to endpoints that are not part of the Istio service registry (a.k.a REGISTRY_ONLY
). The outboundTrafficPolicy.mode in the Sidecar can be configured, however, to be something other than REGISTRY_ONLY
if desired by setting istio.hardened.outboundTrafficPolicyMode
. This provides a redundant layer of network security in addition to NetworkPolicies. This Sidecar is disabled by default but can be enabled by setting istio.enabled: true
and istio.hardened.enabled: true
.
Additional custom ServiceEntries can be created by populating the istio.hardened.customServiceEntries
list.
Closes #70