UNCLASSIFIED - NO CUI

Skip to content

Resolve "Egress Whitelist - Jira"

Steven Donald requested to merge 70-egress-whitelist-jira into main

General MR

Summary

As part of big-bang&160, we will want to enable users to configure setting REGISTRY_ONLY traffic policy on a per-package basis, in addition to allowing for it to be set globally in the meshConfig (see #1886). Creating Sidecars in each package will also allow us to focus on individual packages as we define what whitelists will need to be created per application.

Relevant logs/screenshots

Bigbang testing MR: big-bang/bigbang!4309 (closed)

Network policies block egress to google, so they were removed for this testing.

With sidecar, but without service entry present:

curl --head https://www.google.com
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.google.com:443

istio-proxy logs:

[2024-05-08T17:18:59.888Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 142.251.46.196:443 10.42.0.6:44118 - -

With sidecar and google ServiceEntry:

curl --head https://www.google.com
HTTP/2 200
...

istio-proxy logs:

[2024-05-08T17:03:22.798Z] "- - -" 0 - - - "-" 888 5845 149 - "-" "-" "-" "-" "142.251.46.196:443" outbound|443||www.google.com 10.42.0.6:42492 142.251.46.196:443 10.42.0.6:42484 www.google.com -

Linked Issue

#70 (closed)

Upgrade Notices

A Sidecar resource has been added to the jira namespace that disallows egress to endpoints that are not part of the Istio service registry (a.k.a REGISTRY_ONLY). The outboundTrafficPolicy.mode in the Sidecar can be configured, however, to be something other than REGISTRY_ONLY if desired by setting istio.hardened.outboundTrafficPolicyMode. This provides a redundant layer of network security in addition to NetworkPolicies. This Sidecar is disabled by default but can be enabled by setting istio.enabled: true and istio.hardened.enabled: true.

Additional custom ServiceEntries can be created by populating the istio.hardened.customServiceEntries list.

Closes #70 (closed) (In this case this is correct as there will be no corresponding BB MR)

Edited by Samuel Sarnowski

Merge request reports

Loading