Integrate bb-common with fluentbit
General MR
Summary
Integrate bb-common with fluentbit
Umbrella Branch
integrate-fluentbit-bb-common
Relevant logs/screenshots
Before our changes
k get networkpolicies.networking.k8s.io -o wide
NAME POD-SELECTOR AGE
allow-api-egress-fluentbit app.kubernetes.io/name=fluent-bit 5m47s
allow-dns-lookups app.kubernetes.io/name=fluent-bit 5m47s
allow-fluentbit-sidecar-scraping app.kubernetes.io/name=fluent-bit 5m47s
allow-helm-test-egress-fluentbit helm-test=enabled 5m47s
allow-intra-namespace app.kubernetes.io/name=fluent-bit 5m47s
allow-loki-egress-fluentbit app.kubernetes.io/name=fluent-bit 5m47s
allow-prometheus app.kubernetes.io/name=fluent-bit 5m47s
allow-tempo-egress-fluentbit <none> 5m47s
allow-to-istiod app.kubernetes.io/name=fluent-bit 5m47s
After our changes
NAME POD-SELECTOR AGE
allow-egress-from-fluent-bit-to-kubeapi app.kubernetes.io/name=fluent-bit 39s
allow-egress-from-fluent-bit-to-ns-logging-pod-elasticsearch-tcp-port-9200 app.kubernetes.io/name=fluent-bit 39s
allow-egress-from-fluent-bit-to-ns-logging-pod-logging-loki-tcp-port-3100 app.kubernetes.io/name=fluent-bit 39s
allow-egress-from-fluent-bit-to-ns-tempo-pod-tempo-tcp-port-9411 app.kubernetes.io/name=fluent-bit 39s
allow-ingress-to-fluent-bit-tcp-port-2020-from-ns-monitoring-pod-prometheus app.kubernetes.io/name=fluent-bit 39s
default-egress-allow-all-in-ns <none> 39s
default-egress-allow-istiod <none> 39s
default-egress-allow-kube-dns <none> 39s
default-egress-deny-all <none> 39s
default-ingress-allow-all-in-ns <none> 39s
default-ingress-allow-prometheus-to-istio-sidecar <none> 39s
default-ingress-deny-all <none> 39s
Linked Issue
Upgrade Notices
Fluent Bit is now leveraging our bb-common integration for network policies and Istio-related resources. Please refer to this blog post for additional information on the integration. During this process, network policy definitions have been normalized and some keys are now in kebab-case (e.g. external-elastic, external-loki, external-fluentd), so any existing overrides using older names must be updated. Loki egress is now explicitly managed through the bb-common NetworkPolicy DSL (and enabled by default for in-cluster Loki), and AuthorizationPolicy generation (when Istio hardened is enabled) is tied to service-account-qualified rules; if you rely on custom ingress/egress, ensure those rules include the correct namespace/service account identity to avoid unintended denies.
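The before/after tables above are the evidence an operator would check after upgrading: the old hand-written policies should be gone, the bb-common generated ones should exist, and the namespace-wide default-deny policies should select all pods. The following is an added example written for this description, not code from the MR, from Fluent Bit or from bb-common. It parses the plain `kubectl get networkpolicies -o wide` table format shown above (both tables are embedded as constructed input copied from this page), diffs the two policy sets, and runs a few post-migration checks; the function and constant names are the example's own, and the set of "required" default policies is an assumption based on the names listed in the after table.

```python
"""Post-upgrade sanity check for the Fluent Bit -> bb-common NetworkPolicy migration.

Added example (not bb-common code). Parses `kubectl get netpol -o wide` output,
diffs the policy set before/after, and flags the things the upgrade notice
warns about: missing namespace defaults, stale legacy policies, and explicit
rules that are not pinned to the fluent-bit pods.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample input: the two tables from the MR description.
BEFORE_OUTPUT = """\
NAME POD-SELECTOR AGE
allow-api-egress-fluentbit app.kubernetes.io/name=fluent-bit 5m47s
allow-dns-lookups app.kubernetes.io/name=fluent-bit 5m47s
allow-fluentbit-sidecar-scraping app.kubernetes.io/name=fluent-bit 5m47s
allow-helm-test-egress-fluentbit helm-test=enabled 5m47s
allow-intra-namespace app.kubernetes.io/name=fluent-bit 5m47s
allow-loki-egress-fluentbit app.kubernetes.io/name=fluent-bit 5m47s
allow-prometheus app.kubernetes.io/name=fluent-bit 5m47s
allow-tempo-egress-fluentbit <none> 5m47s
allow-to-istiod app.kubernetes.io/name=fluent-bit 5m47s
"""

AFTER_OUTPUT = """\
NAME POD-SELECTOR AGE
allow-egress-from-fluent-bit-to-kubeapi app.kubernetes.io/name=fluent-bit 39s
allow-egress-from-fluent-bit-to-ns-logging-pod-elasticsearch-tcp-port-9200 app.kubernetes.io/name=fluent-bit 39s
allow-egress-from-fluent-bit-to-ns-logging-pod-logging-loki-tcp-port-3100 app.kubernetes.io/name=fluent-bit 39s
allow-egress-from-fluent-bit-to-ns-tempo-pod-tempo-tcp-port-9411 app.kubernetes.io/name=fluent-bit 39s
allow-ingress-to-fluent-bit-tcp-port-2020-from-ns-monitoring-pod-prometheus app.kubernetes.io/name=fluent-bit 39s
default-egress-allow-all-in-ns <none> 39s
default-egress-allow-istiod <none> 39s
default-egress-allow-kube-dns <none> 39s
default-egress-deny-all <none> 39s
default-ingress-allow-all-in-ns <none> 39s
default-ingress-allow-prometheus-to-istio-sidecar <none> 39s
default-ingress-deny-all <none> 39s
"""

FLUENT_BIT_SELECTOR = "app.kubernetes.io/name=fluent-bit"

# Assumption: these are the namespace-wide defaults we expect bb-common to
# generate, taken from the names in the after table above.
REQUIRED_DEFAULTS = (
    "default-ingress-deny-all",
    "default-egress-deny-all",
    "default-egress-allow-kube-dns",
)


@dataclass(frozen=True)
class PolicyRow:
    name: str
    pod_selector: Optional[str]  # None when kubectl printed "<none>" (selects all pods)
    age: str


def parse_netpol_table(text: str) -> Dict[str, PolicyRow]:
    """Parse `kubectl get networkpolicies -o wide` output into rows keyed by name.

    NAME, POD-SELECTOR and AGE never contain whitespace (selectors are
    comma-separated), so a plain whitespace split is safe here.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines or lines[0].split() != ["NAME", "POD-SELECTOR", "AGE"]:
        raise ValueError("unexpected header; expected `kubectl get netpol -o wide` output")
    rows: Dict[str, PolicyRow] = {}
    for line in lines[1:]:
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"cannot parse row: {line!r}")
        name, selector, age = parts
        rows[name] = PolicyRow(name, None if selector == "<none>" else selector, age)
    return rows


def diff_policies(before: Dict[str, PolicyRow],
                  after: Dict[str, PolicyRow]) -> Tuple[List[str], List[str], List[str]]:
    """Return (removed, added, kept) policy names, each sorted."""
    b, a = set(before), set(after)
    return sorted(b - a), sorted(a - b), sorted(a & b)


def check_migration(after: Dict[str, PolicyRow], legacy_names: Iterable[str]) -> List[str]:
    """Return human-readable findings; an empty list means the namespace looks migrated."""
    findings: List[str] = []
    for name in REQUIRED_DEFAULTS:
        if name not in after:
            findings.append(f"missing namespace default policy {name}")
        elif after[name].pod_selector is not None:
            findings.append(f"{name} should select all pods (<none>) but selects {after[name].pod_selector}")
    stale = sorted(set(legacy_names) & set(after))
    if stale:
        findings.append("legacy policies still present: " + ", ".join(stale))
    # Explicit allow rules should be pinned to the fluent-bit pods, otherwise
    # they widen the namespace default rather than the workload.
    for row in after.values():
        if row.name.startswith("allow-") and row.pod_selector != FLUENT_BIT_SELECTOR:
            findings.append(f"{row.name} is not scoped to fluent-bit pods")
    if not any("loki" in n for n in after if n.startswith("allow-egress-from-fluent-bit")):
        findings.append("no explicit egress rule from fluent-bit to Loki")
    return findings


if __name__ == "__main__":
    before = parse_netpol_table(BEFORE_OUTPUT)
    after = parse_netpol_table(AFTER_OUTPUT)
    removed, added, _kept = diff_policies(before, after)
    print(f"removed {len(removed)} legacy policies, added {len(added)} bb-common policies")
    for finding in check_migration(after, before) or ["no findings"]:
        print(" -", finding)
```

In a live cluster the same functions run over `kubectl get networkpolicies -n <namespace> -o wide` output captured before and after the upgrade; the checks only look at names and selectors, so a clean result confirms the policy set was regenerated, not that the rules' ports and peers are correct.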