# Resolve "Integrate bb-common"

General MR

## Summary
This MR migrates istio-gateway to use the bb-common network policy implementation. As part of this migration, NetworkPolicy configuration for the gateways now happens at the Big Bang umbrella level, so see that branch or the explanation below for the details of how that's done.

### Umbrella Branch

`istio-gateway-56-bb-common`
### Relevant logs/screenshots

After installing Big Bang from the aforementioned Big Bang branch:

```shell
helm upgrade --install bigbang ./chart \
  --debug \
  --namespace bigbang \
  --create-namespace \
  --values ignore/ib_creds.yaml \
  --values tests/test-values.yaml \
  --values chart/ingress-certs.yaml \
  --values docs/assets/configs/example/dev-sso-values.yaml \
  --values <(cat << YAML
istioGateway:
  git:
    tag: null
    branch: 56-integrate-bb-common
YAML
)
```
```
❯ helm get values -n bigbang public-ingressgateway -a | yq .networkPolicies
egress:
  definitions:
    sso:
      to:
        - ipBlock:
            cidr: 0.0.0.0/0
  from:
    public-ingressgateway:
      to:
        k8s:
          '*': true
enabled: true
ingress:
  definitions:
    load-balancer-subnets:
      from:
        - ipBlock:
            cidr: 192.168.0.0/16
        - ipBlock:
            cidr: 172.16.0.0/12
        - ipBlock:
            cidr: 10.0.0.0/8
  to:
    public-ingressgateway:[8080,8443]:
      from:
        definition:
          load-balancer-subnets: true
prependReleaseName: true
```

```
❯ helm get values -n bigbang passthrough-ingressgateway -a | yq .networkPolicies
egress:
  definitions:
    sso:
      to:
        - ipBlock:
            cidr: 0.0.0.0/0
  from:
    passthrough-ingressgateway:
      to:
        k8s:
          '*': true
enabled: true
ingress:
  definitions:
    load-balancer-subnets:
      from:
        - ipBlock:
            cidr: 192.168.0.0/16
        - ipBlock:
            cidr: 172.16.0.0/12
        - ipBlock:
            cidr: 10.0.0.0/8
  to:
    passthrough-ingressgateway:[8080,8443]:
      from:
        definition:
          load-balancer-subnets: true
prependReleaseName: true
```
### Linked Issue

## Upgrade Notices

### Preview of upcoming bb-common implementation
This release of istio-gateway incorporates the new bb-common network policy implementation. For customers using Big Bang's default gateway configuration, this requires no changes. For customers deploying their own gateways or modifying the port configuration of the default gateways, see the notes below.

This new functionality allows Big Bang package maintainers and customers alike to define more easily the network policies that are applied to their packages. The implementation has been added to istio-gateway as a sort of "trial run": how it works may change in the future, so consider it to be in an "alpha" state as far as stability guarantees go. Still, we encourage you to read the docs, become familiar with the pattern, and provide us feedback.
### Automatic NetworkPolicy generation

For gateways that are configured as part of Big Bang's `istioGateway` values, whether by default or by the user, the gateway configuration is introspected to generate baseline network policy configurations that should work in most use cases. This means that every gateway is configured to accept connections from any of the well-known private subnet ranges (`10.0.0.0/8`, `172.16.0.0/12`, or `192.168.0.0/16`) and to allow outbound connections to any k8s workload.

This baseline configuration is set as a default value on the gateway's `HelmRelease`, meaning the user's values configuration can always override it. If you want to override the CIDRs to scope ingress to your actual load balancer subnets/IPs, or to limit the connectivity a particular gateway has with the rest of the cluster, see below.
### Modifying the global `load-balancer-subnets` ingress definition

Let's assume you have two subnets in your environment where your layer-4 load balancers are deployed. We'll call these `lb-subnet-a` and `lb-subnet-b`, with CIDRs `10.100.101.0/24` and `10.100.102.0/24` respectively. Apply the following values to set these as your `load-balancer-subnets` globally:

```yaml
# top-level `networkPolicies` in big bang values; NOT `istioGateway.values.<gateway-name>.networkPolicies`
networkPolicies:
  ingress:
    definitions:
      load-balancer-subnets:
        from:
          - ipBlock:
              cidr: 10.100.101.0/24 # lb-subnet-a's CIDR range
          - ipBlock:
              cidr: 10.100.102.0/24 # lb-subnet-b's CIDR range
```

This will lock down your gateways so they can only receive traffic from these subnets instead of all private IP ranges.
### Modifying the `load-balancer-subnets` ingress definition on a per-gateway basis

Let's assume you have some regular gateways that you want to receive the global `load-balancer-subnets` definition, but you also have a single gateway, which we'll call `special`, that you want to be accessible only from some other subnets, `special-subnet-x` and `special-subnet-y`, with CIDRs `10.200.201.0/24` and `10.200.202.0/24` respectively. You can override this definition for the single `special` gateway with the following:

```yaml
istioGateway:
  values:
    gateways:
      special:
        networkPolicies:
          ingress:
            definitions:
              load-balancer-subnets:
                from:
                  - ipBlock:
                      cidr: 10.200.201.0/24 # special-subnet-x's CIDR range
                  - ipBlock:
                      cidr: 10.200.202.0/24 # special-subnet-y's CIDR range
```
### Disabling the generated ingress policy entirely

If you want to manage an individual gateway's ingress policy entirely on your own, you can disable the generated ingress policy that uses the `load-balancer-subnets` definition like so:

```yaml
istioGateway:
  values:
    gateways:
      <gateway-name>:
        gateway:
          servers:
            - hosts:
                - "*.my.domain"
              port:
                name: http
                number: 80
                protocol: HTTP
              tls:
                httpsRedirect: true
            - hosts:
                - "*.my.domain"
              port:
                name: https
                number: 443
                protocol: HTTPS
              tls:
                credentialName: myspecial-cert
                mode: SIMPLE
        networkPolicies:
          ingress:
            to:
              # This key is generated based on the gateway's name (<gateway-name>-ingressgateway)
              # and server port configuration. Adjust accordingly if your gateway's name or ports
              # are different. The ports will be a JSON array of all the ports the gateway
              # listens on in the order they are defined.
              <gateway-name>-ingressgateway:[80,443]:
                from:
                  definition:
                    # Setting this to false disables the generated ingress policy
                    load-balancer-subnets: false
```
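The global override, the per-gateway override and the disable switch above all drive the same two keys: a `definitions` entry holding `ipBlock` CIDRs and a `<name>:[ports]` entry that turns a definition on or off. The following Python is an added example, not bb-common's templates or istio-gateway's code: it renders a values block shaped like the ones above into a Kubernetes NetworkPolicy (the `app: <name>` pod selector is an assumption) and lets you check which source IPs a gateway would still admit after scoping the CIDRs.

```python
import ipaddress
import json

# Constructed values mirroring the page's scoped `load-balancer-subnets` example
VALUES = {"ingress": {
    "definitions": {"load-balancer-subnets": {"from": [
        {"ipBlock": {"cidr": "10.100.101.0/24"}},   # lb-subnet-a
        {"ipBlock": {"cidr": "10.100.102.0/24"}},   # lb-subnet-b
    ]}},
    "to": {"public-ingressgateway:[8080,8443]": {
        "from": {"definition": {"load-balancer-subnets": True}}}},
}}

def parse_target(key):
    """Split 'name:[8080,8443]' into ('name', [8080, 8443])."""
    name, _, ports = key.partition(":")
    return name, json.loads(ports) if ports else []

def render_ingress(values, namespace="istio-system"):
    """One NetworkPolicy per `to:` entry. A definition flagged False contributes
    no peers, so the entry yields no policy (the page's 'disable entirely' case).
    The podSelector label is an assumption, not bb-common's real selector."""
    defs = values["ingress"].get("definitions", {})
    policies = []
    for key, spec in values["ingress"].get("to", {}).items():
        name, ports = parse_target(key)
        peers = [p for d, on in spec.get("from", {}).get("definition", {}).items()
                 if on for p in defs[d]["from"]]
        if not peers:
            continue
        policies.append({
            "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": f"{name}-ingress", "namespace": namespace},
            "spec": {"podSelector": {"matchLabels": {"app": name}},
                     "policyTypes": ["Ingress"],
                     "ingress": [{"from": peers,
                                  "ports": [{"port": p, "protocol": "TCP"} for p in ports]}]},
        })
    return policies

def source_allowed(policies, ip, port):
    """True if some rendered policy admits `ip` on `port` via an ipBlock peer."""
    addr = ipaddress.ip_address(ip)
    for pol in policies:
        for rule in pol["spec"]["ingress"]:
            if port not in [p["port"] for p in rule["ports"]]:
                continue
            if any("ipBlock" in peer and addr in ipaddress.ip_network(peer["ipBlock"]["cidr"])
                   for peer in rule["from"]):
                return True
    return False
```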
### Modifying the gateway's egress policy

By default, all gateways are configured to allow outbound connections to any k8s workload. If you want to restrict this connectivity, you can modify the egress policy like so:

```yaml
istioGateway:
  values:
    gateways:
      <gateway-name>:
        networkPolicies:
          egress:
            from:
              <gateway-name>-ingressgateway:
                to:
                  k8s:
                    # Setting this to `false` removes the default egress policy
                    # allowing egress to all k8s workloads
                    "*": false
```

With the default removed, the gateway's outbound traffic is governed only by whatever other NetworkPolicies select its pods, so add your own egress rules for the workloads the gateway must reach.
### Additional support options

If you have any questions or need help with this new functionality, please reach out to the Big Bang team via our community Slack or open an issue in the Big Bang repo.