UNCLASSIFIED - NO CUI


Resolve "Add missing `NetworkPolicy` for kube api access"

General MR

Summary

This MR adds a NetworkPolicy that enables Kubernetes API access either automatically via a helm lookup or declaratively by specifying controlPlaneCIDRs.

I also went ahead and updated the values to only include overrides of upstream values and formatted the renovate.json to match the format renovate expects.

Testing

Deploying with Big Bang with this overlay:

networkPolicies:
  enabled: true

istio:
  enabled: false

istioOperator:
  enabled: false

istioCRDs:
  enabled: true

istiod:
  enabled: true

istioGateway:
  enabled: true

results in no NetworkPolicy explicitly allowing Kube API access:

❯ kubectl get netpol -n istio-system
NAME                            POD-SELECTOR   AGE
allow-monitoring-ingress        app=istiod     15m
allow-webhook-ingress           app=istiod     15m
allow-xds-ca-services-ingress   app=istiod     15m
default-deny                    <none>         15m

Deploying from this branch, however:

...
istiod:
  enabled: true
  git:
    tag: null
    branch: 28-add-missing-kube-egress-netpol
...

results in a NetworkPolicy being created

❯ kubectl get netpol -n istio-system
NAME                            POD-SELECTOR   AGE
allow-monitoring-ingress        app=istiod     18m
allow-webhook-ingress           app=istiod     18m
allow-xds-ca-services-ingress   app=istiod     18m
default-deny                    <none>         18m
allow-apiserver-egress          app=istiod     22s

that is scoped to the correct ipBlock and port:

❯ kubectl get netpol -n istio-system allow-apiserver-egress -o yaml | yq .spec
egress:
  - ports:
      - port: 6443
        protocol: TCP
    to:
      - ipBlock:
          cidr: 172.20.0.2/32
podSelector:
  matchLabels:
    app: istiod
policyTypes:
  - Egress

If instead of letting a lookup determine your Kube API endpoint, you'd like to specify your CIDRs yourself:

...
istiod:
  enabled: true
  git:
    tag: null
    branch: 28-add-missing-kube-egress-netpol
  values:
    networkPolicies:
      controlPlaneCIDRs:
      - 0.0.0.0/0
      - 172.16.0.0/12
...

that works too:

❯ kubectl get netpol -n istio-system allow-apiserver-egress -o yaml | yq .spec
egress:
  - to:
      - ipBlock:
          cidr: 0.0.0.0/0
          except:
            - 169.254.169.254/32
      - ipBlock:
          cidr: 172.16.0.0/12
podSelector:
  matchLabels:
    app: istiod
policyTypes:
  - Egress

whisper I know they overlap, I just needed to demo the IMDS exception.

Linked Issue

#28 (closed)

Upgrade Notices

N/A

Edited by Zach Callahan
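The rendered policies above show two properties worth checking on any egress rule that grants API server access: a broad CIDR such as 0.0.0.0/0 must carry an `except` for the cloud instance metadata endpoint (169.254.169.254/32), and a pinned endpoint should be restricted to the API server port. The following is an added example, not the chart's template or the MR author's code; `apiserver_egress_policy` and `egress_allows` are hypothetical helpers. Because the page does not show what the helm lookup resolves against, the builder takes the CIDR list as input, like the declarative `controlPlaneCIDRs` variant, and the checker evaluates a policy spec (such as the `yq .spec` output above) the way a CNI would: the destination must be inside `cidr` and outside every `except` entry.

```python
"""Build and check an egress NetworkPolicy for kube-apiserver access.

Added example, not the Big Bang/istio chart's own template. The helper
names are hypothetical; the metadata address is the one the MR's rendered
policy excepts.
"""
import ipaddress
import json

# Link-local cloud instance metadata endpoint (IMDS); never reachable from
# workload pods unless explicitly intended.
IMDS = ipaddress.ip_network("169.254.169.254/32")


def apiserver_egress_policy(cidrs, port=None, namespace="istio-system",
                            name="allow-apiserver-egress", app="istiod"):
    """Return a NetworkPolicy dict allowing egress from `app` pods to `cidrs`.

    Any CIDR broad enough to contain the IMDS address gets an `except` for it,
    so 0.0.0.0/0 still cannot reach metadata. `port` is optional because the
    declarative variant on the page renders no port restriction.
    """
    to = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        block = {"cidr": str(net)}
        if net.overlaps(IMDS):  # only IPv4 networks can overlap an IPv4 /32
            block["except"] = [str(IMDS)]
        to.append({"ipBlock": block})
    rule = {"to": to}
    if port is not None:
        rule["ports"] = [{"port": port, "protocol": "TCP"}]
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app": app}},
            "policyTypes": ["Egress"],
            "egress": [rule],
        },
    }


def egress_allows(spec, ip, port=None):
    """True if some egress rule in `spec` permits traffic to `ip` (and `port`).

    Mirrors NetworkPolicy ipBlock semantics: the destination must fall inside
    `cidr` and outside every `except` entry. A rule without `ports` allows any
    port; a rule with `ports` only matches the listed ports. A rule without
    `to` allows any destination. Pod/namespace selector peers are skipped
    because they are not IP matches.
    """
    addr = ipaddress.ip_address(ip)
    for rule in spec.get("egress", []):
        ports = rule.get("ports")
        if port is not None and ports is not None and not any(
                p.get("port") == port for p in ports):
            continue
        peers = rule.get("to")
        if not peers:
            return True
        for peer in peers:
            block = peer.get("ipBlock")
            if block is None:
                continue
            if addr not in ipaddress.ip_network(block["cidr"], strict=False):
                continue
            if any(addr in ipaddress.ip_network(e, strict=False)
                   for e in block.get("except", [])):
                continue
            return True
    return False


if __name__ == "__main__":
    # Same inputs as the declarative example on the page (constructed here).
    policy = apiserver_egress_policy(["0.0.0.0/0", "172.16.0.0/12"])
    print(json.dumps(policy["spec"], indent=2))
    print("IMDS reachable:", egress_allows(policy["spec"], "169.254.169.254"))
```

Feed the checker the real cluster object with `kubectl get netpol -n istio-system allow-apiserver-egress -o json` and pass its `spec`; a policy that allows 169.254.169.254 is the one to fix before merging.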
