Resolve "Egress Whitelist - Gitlab Runner"
General MR
Summary
This MR introduces a Sidecar and a set of ServiceEntries for Gitlab Runner when istio.enabled: true and istio.hardened.enabled: true. This is in support of big-bang&160.
Relevant logs/screenshots
Bigbang testing MR: big-bang/bigbang!4218 (closed)
Linked Issue
Upgrade Notices
A Sidecar resource has been added to the gitlab-runner namespace that disallows egress to endpoints that are not part of the Istio service registry (a.k.a. REGISTRY_ONLY). The outboundTrafficPolicy.mode in the Sidecar can be configured, however, to be something other than REGISTRY_ONLY if desired by setting istio.hardened.outboundTrafficPolicyMode. This provides a redundant layer of network security in addition to NetworkPolicies. This Sidecar is disabled by default but can be enabled by setting istio.enabled: true and istio.hardened.enabled: true.
Additional custom ServiceEntries can be created by populating the istio.hardened.customServiceEntries list.
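An added example, not part of the merge request or the chart's own code: a values override using the keys named in the upgrade notice, followed by Istio resources of the kind the notice describes. The item shape under customServiceEntries, the resource names, and the host gitlab.example.com are assumptions; check the chart's values.yaml for the actual schema.

```yaml
# --- values override (keys taken from the upgrade notice) ---
istio:
  enabled: true
  hardened:
    enabled: true
    # REGISTRY_ONLY blocks egress to hosts outside the Istio service registry.
    # ALLOW_ANY is the other Istio mode and removes that restriction.
    outboundTrafficPolicyMode: REGISTRY_ONLY
    customServiceEntries:
      # Assumed item shape: a name plus an Istio ServiceEntry spec.
      - name: allow-external-gitlab        # hypothetical name
        spec:
          hosts:
            - gitlab.example.com           # constructed host
          location: MESH_EXTERNAL
          ports:
            - number: 443
              name: tls
              protocol: TLS
          resolution: DNS
---
# --- Istio Sidecar of the kind described: namespace-wide egress lockdown ---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: gitlab-runner-sidecar              # hypothetical name
  namespace: gitlab-runner
spec:
  # No workloadSelector, so this applies to every workload in the namespace.
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
---
# --- ServiceEntry that registers one external host, allowing egress to it ---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: allow-external-gitlab              # hypothetical name
  namespace: gitlab-runner
spec:
  hosts:
    - gitlab.example.com                   # constructed host
  location: MESH_EXTERNAL
  ports:
    - number: 443
      name: tls
      protocol: TLS
  resolution: DNS
```

With REGISTRY_ONLY in effect, a runner job that reaches for a host with no matching ServiceEntry fails at the sidecar proxy even when a NetworkPolicy would have allowed the connection.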
Activity
added gitlabRunner, kind::feature, priority::6, status::doing, and team::Development & Ops labels
assigned to @sarnowski-unicorn
added team::Service Mesh label and removed team::Development & Ops label
added 9 commits
- 532714bd...9b1b2a73 - 8 commits from branch main
- 67eaab8b - Merge branch 'main' into '98-gitlab-runner-sidecar'
added status::review label and removed status::doing label
changed milestone to %2.27.0
requested review from @jtwidt, @cschaefer, @colin.mcguigan.ctr, @matt.vasquez, @nbazzeghin, and @daniel.stocum
added 5 commits
- 67eaab8b...90508934 - 4 commits from branch main
- 5220035d - Merge branch 'main' into '98-gitlab-runner-sidecar'
mentioned in commit 9d736f18
mentioned in merge request big-bang/bigbang!4259 (merged)