Resolve "Egress Whitelist - Grafana"
General MR
Summary
As part of big-bang&160, we will want to enable users to configure setting REGISTRY_ONLY
traffic policy on a per-package basis, in addition to allowing for it to be set globally in the meshConfig (see #1886).
Relevant logs/screenshots
(Include any relevant logs/screenshots)
Linked Issue
Upgrade Notices
N/A
Closes #24 (closed)
Activity
added kindfeature priority6 statusdoing teamObservability labels
assigned to @steven.donald
overrides file to test with
```yaml
networkPolicies:
  # -- Toggle all package NetworkPolicies, can disable specific packages with `package.values.networkPolicies.enabled`
  enabled: false
kyvernoPolicies:
  # -- Toggle deployment of Kyverno policies
  enabled: true
  values:
    excludeContainers:
      - netshoot
grafana:
  enabled: false
  git:
    tag: null
    branch: "24-egress-whitelist-grafana"
  values:
    podAnnotations:
      sidecar.istio.io/logLevel: debug
    # podLabels:
    #   app: grafana
    istio:
      enabled: true
      hardened:
        enabled: true
        # customServiceEntries: []
        customServiceEntries:
          - name: "google-com-test"
            enabled: true
            spec:
              hosts:
                - google.com
                - www.google.com
              location: MESH_EXTERNAL
              ports:
                - number: 443
                  protocol: TLS
                  name: https
              resolution: DNS
```
and can use this if you want a utility pod to run curl from or can shell into grafana pod
```shell
# Utility pod in the monitoring namespace for running curl against allowed and blocked hosts
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: test-whitelist
  name: test-whitelist
  namespace: monitoring
spec:
  containers:
  - name: netshoot
    image: nicolaka/netshoot
    args:
    - sleep
    - "100000000"
EOF
```
removed statusdoing label
added statusreview label
requested review from @ryan.j.garcia, @ryan.thompson.44, @staskiewicz.blane, @alieberman, @dhilgaertner2, @jimmyungerman, @piotr.machaj, and @daniel.dides
mentioned in commit 89f02dd4
mentioned in merge request big-bang/bigbang!3893 (closed)
also dependent on big-bang/bigbang!3902 (merged) for bigbang side
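
For reference, the two places the summary says REGISTRY_ONLY can be set, written as plain Istio resources. This is an added example, not the chart's templates or code from this merge request: the Sidecar name and the IstioOperator name and namespace are assumptions, while the ServiceEntry reuses the `google-com-test` values and the `monitoring` namespace from the overrides and test pod above.

```yaml
# Global setting: every sidecar in the mesh only routes to hosts in the registry.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istiocontrolplane        # assumed name
  namespace: istio-system        # assumed namespace
spec:
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
---
# Per-namespace setting: a Sidecar with no workloadSelector applies to all
# workloads in its namespace and overrides the mesh-wide default for them.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: registry-only-example    # assumed name
  namespace: monitoring
spec:
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
---
# Allow-list entry: adds the external hosts to the registry so that
# REGISTRY_ONLY sidecars will route to them on 443. Hosts that have no
# ServiceEntry are sent to the sidecar's BlackHoleCluster and the
# connection is dropped, which shows up in the proxy access log.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: google-com-test
  namespace: monitoring
spec:
  hosts:
    - google.com
    - www.google.com
  location: MESH_EXTERNAL
  ports:
    - number: 443
      protocol: TLS
      name: https
  resolution: DNS
```

With these applied, a request to `https://www.google.com` from an injected pod in `monitoring` should succeed, and a request to any host without a ServiceEntry should fail at the sidecar.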