UNCLASSIFIED - NO CUI


Resolve "Egress Whitelist - Anchore"

Tim Seagren requested to merge 126-anchore-sidecar into main

General MR

Summary

This MR introduces a Sidecar and a set of ServiceEntries for Anchore when istio.enabled: true and istio.hardened.enabled: true. This is in support of big-bang&160.

Bigbang testing MR: big-bang/bigbang!4206 (closed)

Relevant logs/screenshots

Able to successfully sync feeds and analyze an image with istio.hardened.enabled=true.


Confirmed P1 SSO works as well.

Linked Issue

#126 (closed)

Upgrade Notices

A Sidecar resource has been added to the Anchore namespace that disallows egress to endpoints that are not part of the Istio service registry (a.k.a. REGISTRY_ONLY). The outboundTrafficPolicy.mode in the Sidecar can be configured, however, to be something other than REGISTRY_ONLY if desired by setting istio.hardened.outboundTrafficPolicyMode. This provides a redundant layer of network security in addition to NetworkPolicies. This Sidecar is disabled by default but can be enabled by setting istio.enabled: true and istio.hardened.enabled: true.

Additional custom ServiceEntries can be created by populating the istio.hardened.customServiceEntries list, to allow connection to an external database, for example.

Edited by Samuel Sarnowski
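As an added illustration (not part of this MR or of the Anchore chart's own templates), the following shows the values keys named in the upgrade notice alongside the kind of Istio resources they describe: a Sidecar whose outboundTrafficPolicy is REGISTRY_ONLY, and a ServiceEntry that registers an external PostgreSQL host so egress to it is permitted while everything else stays blocked. Only the key names istio.enabled, istio.hardened.enabled, istio.hardened.outboundTrafficPolicyMode and istio.hardened.customServiceEntries come from the MR text; the list-item shape under customServiceEntries, the namespace name, the host and the port are assumptions.

```yaml
# Added example values for the Anchore package.
# Key names are from this MR; the item shape under customServiceEntries
# and all host/port values are assumptions, not the chart's documented schema.
istio:
  enabled: true
  hardened:
    enabled: true
    # REGISTRY_ONLY blocks egress to any destination not in the Istio service
    # registry. ALLOW_ANY would reopen arbitrary egress and should be treated
    # as a deliberate, documented exception rather than a convenience.
    outboundTrafficPolicyMode: REGISTRY_ONLY
    customServiceEntries:
      - name: external-postgres          # assumed item shape
        spec:
          hosts:
            - db.example.internal        # assumed external database host
          location: MESH_EXTERNAL
          resolution: DNS
          ports:
            - number: 5432
              name: tcp-postgres
              protocol: TCP
---
# Istio resources of the kind the values above describe. These are written by
# hand for illustration; they are not the chart's rendered output.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
  namespace: anchore                     # assumed namespace name
spec:
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY                  # unregistered destinations are black-holed
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-postgres
  namespace: anchore
spec:
  hosts:
    - db.example.internal
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
    - number: 5432
      name: tcp-postgres
      protocol: TCP
```

A quick check after enabling this: `istioctl proxy-config cluster <anchore-pod> -n anchore` should list an outbound cluster for the ServiceEntry host, and a connection from the pod to a host that has no ServiceEntry should fail rather than leave the mesh. That failure is the expected behaviour of REGISTRY_ONLY, so when Anchore's feed sync or image analysis breaks after the change, the first thing to look for is a missing ServiceEntry, not a NetworkPolicy.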
