Resolve "Integrate bb-common"
General MR
Summary
- Integrated bb-common for all network policies and Istio-related resources
Relevant logs/screenshots
Before Integration:
`kubectl get netpol -n anchore`

| NAME | POD-SELECTOR | AGE |
|---|---|---|
| allow-egress-from-analyzers | app.kubernetes.io/component=analyzer | 32m |
| allow-egress-from-api | app.kubernetes.io/component=api | 32m |
| allow-egress-from-catalog | app.kubernetes.io/component=catalog | 32m |
| allow-egress-from-datasyncer-service | app.kubernetes.io/component=datasyncer | 32m |
| allow-egress-from-policy-engine | app.kubernetes.io/component=policyengine | 32m |
| allow-egress-from-simplequeue | app.kubernetes.io/component=simplequeue | 32m |
| allow-egress-sso-job | job-name=configure-sso | 32m |
| allow-in-ns | `<none>` | 32m |
| allow-istio | `<none>` | 32m |
| allow-kube-dns | `<none>` | 32m |
| allow-monitoring | `<none>` | 32m |
| allow-prometheus-ingress | `<none>` | 32m |
| allow-prometheus-ingress-anchore | app.kubernetes.io/instance=anchore-enterprise,app.kubernetes.io/name=anchore-enterprise | 32m |
| allow-prometheus-ingress-redis | app.kubernetes.io/instance=anchore-enterprise,app.kubernetes.io/name=ui-redis | 32m |
| allow-tempo-egress | `<none>` | 32m |
| default-deny | `<none>` | 32m |
| egress-test | helm-test=enabled | 32m |

`kubectl get ap -n anchore`

| NAME | ACTION | AGE |
|---|---|---|
| allow-http-envoy-prom-policy | ALLOW | 32m |
| allow-intra-anchore-datasyncer | ALLOW | 32m |
| allow-intra-anchore-enterprise | ALLOW | 32m |
| allow-intranamespace | ALLOW | 32m |
| anchore-analyzer-policy | ALLOW | 32m |
| anchore-api-policy | ALLOW | 32m |
| anchore-catalog-policy | ALLOW | 32m |
| anchore-datasyncer-api-policy | ALLOW | 32m |
| anchore-datasyncer-policy | ALLOW | 32m |
| anchore-monitoring-policy | ALLOW | 32m |
| anchore-notifications-policy | ALLOW | 32m |
| anchore-policyengine-policy | ALLOW | 32m |
| anchore-redis-policy | ALLOW | 32m |
| anchore-simplequeue-policy | ALLOW | 32m |
| anchore-tcp-postgresql-policy | ALLOW | 32m |
| anchore-ui-policy | ALLOW | 32m |
| public-ingressgateway-ingressgateway-authz-api-policy | ALLOW | 32m |
| public-ingressgateway-ingressgateway-authz-ui-policy | ALLOW | 32m |

`kubectl get se -n anchore`

| NAME | HOSTS | LOCATION | RESOLUTION | AGE |
|---|---|---|---|---|
| anchore-allow-cypress-tests | ["registry.npmjs.org","download.cypress.io","cdn.cypress.io","repo1.dso.mil","auth.docker.io","registry-1.docker.io","anchore.dev.bigbang.mil"] | MESH_EXTERNAL | DNS | 32m |
| anchorectl-update-service-entry | ["anchorectl-releases.anchore.io"] | MESH_EXTERNAL | | 32m |
| data-anchore-service-entry | ["data.anchore-enterprise.com"] | MESH_EXTERNAL | | 32m |
| toolbox-data-service-entry | ["toolbox-data.anchore.io"] | MESH_EXTERNAL | | 32m |

`kubectl get pa -n anchore`

| NAME | MODE | AGE |
|---|---|---|
| default-anchore | STRICT | 32m |
After Integration:
`kubectl get netpol -n anchore`

| NAME | POD-SELECTOR | AGE |
|---|---|---|
| allow-egress-from-analyzer-to-registry-subnets | app.kubernetes.io/component=analyzer | 11m |
| allow-egress-from-any-pod-to-ns-tempo-pod-tempo-tcp-port-9411 | `<none>` | 11m |
| allow-egress-from-api-to-notification-services | app.kubernetes.io/component=api | 11m |
| allow-egress-from-catalog-to-registry-subnets | app.kubernetes.io/component=catalog | 11m |
| allow-egress-from-datasyncer-to-anchore-data-service | app.kubernetes.io/component=datasyncer | 11m |
| allow-egress-from-notifications-to-notification-services | app.kubernetes.io/component=notifications | 11m |
| allow-egress-from-ui-to-ldap-subnets | app.kubernetes.io/component=ui | 11m |
| allow-ingress-to-analyzer-tcp-port-8084-from-ns-monitoring-pod-prometheus | app.kubernetes.io/component=analyzer | 11m |
| allow-ingress-to-anchore-api-8228-from-ns-istio-gateway-pod-public-ingressgateway | app.kubernetes.io/component=api | 11m |
| allow-ingress-to-anchore-ui-3000-from-ns-istio-gateway-pod-public-ingressgateway | app.kubernetes.io/component=ui | 11m |
| allow-ingress-to-api-tcp-port-8228-from-ns-monitoring-pod-prometheus | app.kubernetes.io/component=api | 11m |
| allow-ingress-to-catalog-tcp-port-8082-from-ns-monitoring-pod-prometheus | app.kubernetes.io/component=catalog | 11m |
| allow-ingress-to-notifications-tcp-port-8668-from-ns-monitoring-pod-prometheus | app.kubernetes.io/component=notifications | 11m |
| allow-ingress-to-policy-tcp-port-8087-from-ns-monitoring-pod-prometheus | app.kubernetes.io/component=policyengine | 11m |
| allow-ingress-to-reports-tcp-port-8558-from-ns-monitoring-pod-prometheus | app.kubernetes.io/component=reports | 11m |
| allow-ingress-to-simplequeue-tcp-port-8083-from-ns-monitoring-pod-prometheus | app.kubernetes.io/component=simplequeue | 11m |
| allow-ingress-to-ui-redis-tcp-port-9121-from-ns-monitoring-pod-prometheus | app.kubernetes.io/name=ui-redis | 11m |
| default-egress-allow-all-in-ns | `<none>` | 11m |
| default-egress-allow-istiod | `<none>` | 11m |
| default-egress-allow-kube-dns | `<none>` | 11m |
| default-egress-deny-all | `<none>` | 11m |
| default-ingress-allow-all-in-ns | `<none>` | 11m |
| default-ingress-allow-prometheus-to-istio-sidecar | `<none>` | 11m |
| default-ingress-deny-all | `<none>` | 11m |

`kubectl get ap -n anchore`

| NAME | ACTION | AGE |
|---|---|---|
| allow-ingress-to-analyzer-tcp-port-8084-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus | ALLOW | 11m |
| allow-ingress-to-api-tcp-port-8228-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus | ALLOW | 11m |
| allow-ingress-to-catalog-tcp-port-8082-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus | ALLOW | 11m |
| allow-ingress-to-notifications-tcp-port-8668-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus | ALLOW | 11m |
| allow-ingress-to-policy-tcp-port-8087-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus | ALLOW | 11m |
| allow-ingress-to-reports-tcp-port-8558-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus | ALLOW | 11m |
| allow-ingress-to-simplequeue-tcp-port-8083-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus | ALLOW | 11m |
| allow-ingress-to-ui-redis-tcp-port-9121-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus | ALLOW | 11m |
| anchore-api-public-ingressgateway-authz-policy | ALLOW | 11m |
| anchore-ui-public-ingressgateway-authz-policy | ALLOW | 11m |
| default-authz-allow-all-in-ns | ALLOW | 11m |
| default-authz-allow-nothing | | 11m |

`kubectl get se -n anchore`

| NAME | HOSTS | LOCATION | RESOLUTION | AGE |
|---|---|---|---|---|
| anchore-api-internal | ["anchore-api.dev.bigbang.mil"] | MESH_EXTERNAL | DNS | 11m |
| anchore-data-service-external | ["data.anchore-enterprise.com"] | MESH_EXTERNAL | DNS | 11m |
| anchore-ui-internal | ["anchore.dev.bigbang.mil"] | MESH_EXTERNAL | DNS | 11m |
| bb-tests-external | ["repo1.dso.mil","auth.docker.io","registry-1.docker.io"] | MESH_EXTERNAL | DNS | 11m |

`kubectl get pa -n anchore`

| NAME | MODE | AGE |
|---|---|---|
| default-peer-auth | STRICT | 11m |
Verified Service Monitors:
Verified Analysis Connectivity (Used Gitlab within cluster):
Verified SSO Authentication:
Linked Issue
Upgrade Notices
Anchore Enterprise is now leveraging our bb-common integration for network policies and all Istio-related resources. Please refer to this blog post for additional information on the integration.
As part of the integration, two new package-level definitions have been created, with their defaults shown below:
```yaml
anchore-data-service:
  to:
    - ipBlock:
        cidr: 0.0.0.0/0
  ports:
    - port: 443
      protocol: TCP
ldap-subnets:
  to:
    - ipBlock:
        cidr: 192.168.0.0/16
    - ipBlock:
        cidr: 172.16.0.0/12
    - ipBlock:
        cidr: 10.0.0.0/8
  ports:
    - port: 636
      protocol: TCP
notification-services:
  to:
    - ipBlock:
        cidr: 0.0.0.0/0
redis-subnets:
  to:
    - ipBlock:
        cidr: 192.168.0.0/16
    - ipBlock:
        cidr: 172.16.0.0/12
    - ipBlock:
        cidr: 10.0.0.0/8
  ports:
    - port: 6379
      protocol: TCP
registry-subnets:
  to:
    - ipBlock:
        cidr: 0.0.0.0/0
```
The anchore-data-service definition is used to reach Anchore Enterprise's default feed service and is enabled by default. The ldap-subnets definition is also enabled by default but is only required when Anchore Enterprise's LDAP integration is in use. If LDAP is not in use, the definition can be disabled as shown below:
```yaml
networkPolicies:
  egress:
    from:
      ui:
        podSelector:
          matchLabels:
            app.kubernetes.io/component: ui
        to:
          definition:
            ldap-subnets: false
```
The notification-services and registry-subnets definitions can be further locked down if the CIDRs of those services are known; by default they are open, but only from the services that require that communication.
The redis-subnets definition is enabled automatically only if Anchore Enterprise is configured to use an external Redis service.
The package also uses the globally defined database-subnets definition from the umbrella, which is enabled automatically when an external PostgreSQL database is in use.
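The following script is an added example, not code from this MR or from bb-common. It mirrors the definition defaults quoted above as Python dicts (assumed shape: a `to` list of peers and an optional `ports` list, as shown in the YAML), audits each definition for a wide-open destination (a `/0` ipBlock) or an unrestricted port set, models the `to.definition.<name>: false` override for the ui component in a simplified way (an assumption about how bb-common applies the override, not its templates), and shows what narrowing notification-services to known CIDRs and ports looks like. The component-to-definition mapping is constructed from the "After Integration" policy names (`allow-egress-from-<component>-to-<definition>`).

```python
import copy
import ipaddress

# Package-level definition defaults, mirroring the YAML in the upgrade notice.
PRIVATE_RANGES = ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")
DEFINITIONS = {
    "anchore-data-service": {
        "to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
        "ports": [{"port": 443, "protocol": "TCP"}],
    },
    "ldap-subnets": {
        "to": [{"ipBlock": {"cidr": c}} for c in PRIVATE_RANGES],
        "ports": [{"port": 636, "protocol": "TCP"}],
    },
    "notification-services": {"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]},
    "redis-subnets": {
        "to": [{"ipBlock": {"cidr": c}} for c in PRIVATE_RANGES],
        "ports": [{"port": 6379, "protocol": "TCP"}],
    },
    "registry-subnets": {"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]},
}

# Which component egress rule references which definition; constructed from the
# "After Integration" policy names, e.g. allow-egress-from-ui-to-ldap-subnets.
EGRESS_FROM = {
    "analyzer": ["registry-subnets"],
    "api": ["notification-services"],
    "catalog": ["registry-subnets"],
    "datasyncer": ["anchore-data-service"],
    "notifications": ["notification-services"],
    "ui": ["ldap-subnets"],
}


def audit_definition(definition):
    """Return findings for one egress definition.

    'any-destination': an ipBlock covers the whole address space (prefix /0).
    'any-port': no `ports` list, so every destination port is allowed.
    """
    findings = []
    for peer in definition.get("to", []):
        block = peer.get("ipBlock")
        if block and ipaddress.ip_network(block["cidr"], strict=False).prefixlen == 0:
            findings.append("any-destination")
            break
    if not definition.get("ports"):
        findings.append("any-port")
    return findings


def audit(definitions):
    """Audit every definition; returns {name: [findings]}."""
    return {name: audit_definition(d) for name, d in definitions.items()}


def effective_egress(egress_from, overrides):
    """Apply `to.definition.<name>: false` overrides per component.

    Simplified model (assumption, not bb-common's templates): a definition set
    to False under a component is dropped from that component's egress rules;
    everything else is left enabled.
    """
    result = {}
    for component, names in egress_from.items():
        disabled = {n for n, on in overrides.get(component, {}).items() if on is False}
        result[component] = [n for n in names if n not in disabled]
    return result


def narrow(definition, cidrs, ports):
    """Return a copy of a definition restricted to known CIDRs and TCP ports.

    ip_network() with strict=True rejects a CIDR with host bits set, so a typo
    such as 10.20.30.5/24 fails here instead of being rendered into a policy.
    """
    narrowed = copy.deepcopy(definition)
    narrowed["to"] = [{"ipBlock": {"cidr": str(ipaddress.ip_network(c))}} for c in cidrs]
    narrowed["ports"] = [{"port": p, "protocol": "TCP"} for p in ports]
    return narrowed


if __name__ == "__main__":
    for name, findings in audit(DEFINITIONS).items():
        print(f"{name:24} {', '.join(findings) or 'ok'}")
    print(effective_egress(EGRESS_FROM, {"ui": {"ldap-subnets": False}}))
    # Constructed values: a mail relay subnet and SMTP submission port.
    locked = narrow(DEFINITIONS["notification-services"], ["10.20.30.0/24"], [587])
    print("notification-services narrowed:", audit_definition(locked) or "ok")
```

Running the audit against the defaults flags notification-services and registry-subnets on both destination and port, and anchore-data-service on destination only (it is pinned to TCP/443), which matches the notice's advice that the first two are the ones worth locking down once their CIDRs are known.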
Umbrella Branch
anchore-bb-common