SKIP UPGRADE Migrate to bb-common
General MR
Summary
- Integrated package with bb-common and reviewed network policy requirements in depth
- Added helm unittests for templates we add on top of package
Relevant logs/screenshots
Original Network Policies
NAME POD-SELECTOR AGE
allow-apiserver-egress app=istiod 4h57m
allow-monitoring-ingress app=istiod 4h57m
allow-webhook-ingress app=istiod 4h57m
allow-xds-ca-services-ingress app=istiod 4h57m
default-deny <none> 4h57m
egress-to-sso app=istiod 4h57m
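# Original policies as captured from the cluster (apparently `kubectl get networkpolicies -o yaml`
# output: a `kind: List` wrapper). Indentation was lost in the paste and is reconstructed here;
# cluster-generated fields (uid, resourceVersion, creationTimestamp) are kept as captured.
apiVersion: v1
items:
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    annotations:
      meta.helm.sh/release-name: istiod
      meta.helm.sh/release-namespace: istio-system
    creationTimestamp: "2025-08-06T11:32:50Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: Helm
      helm.toolkit.fluxcd.io/name: istiod
      helm.toolkit.fluxcd.io/namespace: bigbang
    name: allow-apiserver-egress
    namespace: istio-system
    resourceVersion: "4491"
    uid: 72265ba5-8f31-4bb6-8495-1cbdbf4b5b98
  spec:
    # Egress to 172.16.0.0/12 only, with no port restriction.
    egress:
    - to:
      - ipBlock:
          cidr: 172.16.0.0/12
    podSelector:
      matchLabels:
        app: istiod
    policyTypes:
    - Egress
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    annotations:
      meta.helm.sh/release-name: istiod
      meta.helm.sh/release-namespace: istio-system
    creationTimestamp: "2025-08-06T11:32:50Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: Helm
      helm.toolkit.fluxcd.io/name: istiod
      helm.toolkit.fluxcd.io/namespace: bigbang
    name: allow-monitoring-ingress
    namespace: istio-system
    resourceVersion: "4492"
    uid: adc4d3ae-633e-4578-b8c8-b78e5724b1bd
  spec:
    # Port 15014 reachable from any source IP (the updated set narrows this to
    # specific namespace/pod selectors).
    ingress:
    - from:
      - ipBlock:
          cidr: 0.0.0.0/0
      ports:
      - port: 15014
        protocol: TCP
    podSelector:
      matchLabels:
        app: istiod
    policyTypes:
    - Ingress
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    annotations:
      meta.helm.sh/release-name: istiod
      meta.helm.sh/release-namespace: istio-system
    creationTimestamp: "2025-08-06T11:32:50Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: Helm
      helm.toolkit.fluxcd.io/name: istiod
      helm.toolkit.fluxcd.io/namespace: bigbang
    name: allow-webhook-ingress
    namespace: istio-system
    resourceVersion: "4489"
    uid: 9acd338d-1024-4525-a5ed-56e2074c1020
  spec:
    # Webhook ports 443 and 15017 open to any source IP.
    ingress:
    - from:
      - ipBlock:
          cidr: 0.0.0.0/0
      ports:
      - port: 443
        protocol: TCP
      - port: 15017
        protocol: TCP
    podSelector:
      matchLabels:
        app: istiod
    policyTypes:
    - Ingress
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    annotations:
      meta.helm.sh/release-name: istiod
      meta.helm.sh/release-namespace: istio-system
    creationTimestamp: "2025-08-06T11:32:50Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: Helm
      helm.toolkit.fluxcd.io/name: istiod
      helm.toolkit.fluxcd.io/namespace: bigbang
    name: allow-xds-ca-services-ingress
    namespace: istio-system
    resourceVersion: "4488"
    uid: 2e6c0a14-4657-4dc3-81c5-6f0e433a48ae
  spec:
    # XDS/CA ports 15010 and 15012 open to any source IP.
    ingress:
    - from:
      - ipBlock:
          cidr: 0.0.0.0/0
      ports:
      - port: 15010
        protocol: TCP
      - port: 15012
        protocol: TCP
    podSelector:
      matchLabels:
        app: istiod
    policyTypes:
    - Ingress
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    annotations:
      meta.helm.sh/release-name: istiod
      meta.helm.sh/release-namespace: istio-system
    creationTimestamp: "2025-08-06T11:32:50Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: Helm
      helm.toolkit.fluxcd.io/name: istiod
      helm.toolkit.fluxcd.io/namespace: bigbang
    name: default-deny
    namespace: istio-system
    resourceVersion: "4487"
    uid: 4e1341eb-2474-491c-bc88-ad0d041f79ab
  spec:
    # Empty podSelector: applies to every pod in the namespace; denies both
    # directions in a single policy (the updated set splits this into two).
    podSelector: {}
    policyTypes:
    - Ingress
    - Egress
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    annotations:
      meta.helm.sh/release-name: istiod
      meta.helm.sh/release-namespace: istio-system
    creationTimestamp: "2025-08-06T11:32:50Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: Helm
      helm.toolkit.fluxcd.io/name: istiod
      helm.toolkit.fluxcd.io/namespace: bigbang
    name: egress-to-sso
    namespace: istio-system
    resourceVersion: "4490"
    uid: 67cd3948-b94b-475f-8c60-7c4965dd1154
  spec:
    # Unrestricted egress (any destination, any port) with one carve-out:
    # 169.254.169.254/32, the link-local address commonly used by cloud
    # instance-metadata services.
    egress:
    - to:
      - ipBlock:
          cidr: 0.0.0.0/0
          except:
          - 169.254.169.254/32
    podSelector:
      matchLabels:
        app: istiod
    policyTypes:
    - Egress
kind: List
metadata:
  resourceVersion: ""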
Updated Network Policies
NAME POD-SELECTOR AGE
allow-egress-from-istiod-to-kubeapi app.kubernetes.io/name=istiod 166m
allow-egress-from-istiod-to-sso app.kubernetes.io/name=istiod 166m
allow-ingress-to-istiod-tcp-port-15014-from-ns-kiali-pod-kiali app.kubernetes.io/name=istiod 166m
allow-ingress-to-istiod-tcp-port-15014-from-ns-monitoring-pod-prometheus app.kubernetes.io/name=istiod 166m
allow-ingress-to-istiod-tcp-ports-15010-15012-from-any-ns-any-pod app.kubernetes.io/name=istiod 166m
allow-ingress-to-istiod-tcp-ports-443-15017-from-anywhere app.kubernetes.io/name=istiod 166m
default-egress-allow-kube-dns <none> 166m
default-egress-deny-all <none> 166m
default-ingress-deny-all <none> 166m
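# Policies after the bb-common migration, as captured from the cluster (apparently
# `kubectl get networkpolicies -o yaml` output). Indentation was lost in the paste and is
# reconstructed here; cluster-generated fields are kept as captured.
apiVersion: v1
items:
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    annotations:
      generated.network-policies.bigbang.dev/from-definition: kubeAPI
      generated.network-policies.bigbang.dev/local-key: istiod
      generated.network-policies.bigbang.dev/remote-key: kubeAPI
      meta.helm.sh/release-name: istiod
      meta.helm.sh/release-namespace: istio-system
    creationTimestamp: "2025-08-13T19:10:26Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: Helm
      helm.toolkit.fluxcd.io/name: istiod
      helm.toolkit.fluxcd.io/namespace: bigbang
      network-policies.bigbang.dev/direction: egress
      network-policies.bigbang.dev/source: bb-common
    name: allow-egress-from-istiod-to-kubeapi
    namespace: istio-system
    resourceVersion: "14353"
    uid: c1f45cbc-6a70-43f0-9267-8a850228ce9f
  spec:
    # Compared with the original allow-apiserver-egress: narrower on port (6443 only)
    # but wider on destination (all three RFC 1918 ranges instead of 172.16.0.0/12 alone).
    # NOTE(review): confirm the API server endpoint of the target clusters is inside
    # one of these ranges and listens on 6443; otherwise istiod loses API access.
    egress:
    - ports:
      - port: 6443
        protocol: TCP
      to:
      - ipBlock:
          cidr: 10.0.0.0/8
      - ipBlock:
          cidr: 172.16.0.0/12
      - ipBlock:
          cidr: 192.168.0.0/16
    podSelector:
      matchLabels:
        app.kubernetes.io/name: istiod
    policyTypes:
    - Egress
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    annotations:
      generated.network-policies.bigbang.dev/from-definition: sso
      generated.network-policies.bigbang.dev/local-key: istiod
      generated.network-policies.bigbang.dev/remote-key: sso
      meta.helm.sh/release-name: istiod
      meta.helm.sh/release-namespace: istio-system
    creationTimestamp: "2025-08-13T19:10:26Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: Helm
      helm.toolkit.fluxcd.io/name: istiod
      helm.toolkit.fluxcd.io/namespace: bigbang
      network-policies.bigbang.dev/direction: egress
      network-policies.bigbang.dev/source: bb-common
    name: allow-egress-from-istiod-to-sso
    namespace: istio-system
    resourceVersion: "14355"
    uid: 1323ab3a-2f47-4664-be13-1984e68b073c
  spec:
    # Unrestricted egress (any destination, any port), as in the original egress-to-sso.
    # NOTE(review): the original policy carried `except: [169.254.169.254/32]` (the
    # link-local instance-metadata address); this generated policy has no except list.
    # Confirm whether dropping that exclusion was intentional — the SSO definition
    # lives in the Big Bang repo, so the fix would belong there rather than in this package.
    egress:
    - to:
      - ipBlock:
          cidr: 0.0.0.0/0
    podSelector:
      matchLabels:
        app.kubernetes.io/name: istiod
    policyTypes:
    - Egress
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    annotations:
      generated.network-policies.bigbang.dev/local-key: istiod:15014
      generated.network-policies.bigbang.dev/remote-key: kiali/kiali
      meta.helm.sh/release-name: istiod
      meta.helm.sh/release-namespace: istio-system
    creationTimestamp: "2025-08-13T19:10:26Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: Helm
      helm.toolkit.fluxcd.io/name: istiod
      helm.toolkit.fluxcd.io/namespace: bigbang
      network-policies.bigbang.dev/direction: ingress
      network-policies.bigbang.dev/source: bb-common
    name: allow-ingress-to-istiod-tcp-port-15014-from-ns-kiali-pod-kiali
    namespace: istio-system
    resourceVersion: "14359"
    uid: 306ea80d-4529-48db-856b-4cadb59a374c
  spec:
    # One peer combining namespaceSelector AND podSelector: only pods labelled
    # app.kubernetes.io/name=kiali in namespace kiali may reach 15014.
    ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kiali
        podSelector:
          matchLabels:
            app.kubernetes.io/name: kiali
      ports:
      - port: 15014
        protocol: TCP
    podSelector:
      matchLabels:
        app.kubernetes.io/name: istiod
    policyTypes:
    - Ingress
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    annotations:
      generated.network-policies.bigbang.dev/local-key: istiod:15014
      generated.network-policies.bigbang.dev/remote-key: monitoring/prometheus
      meta.helm.sh/release-name: istiod
      meta.helm.sh/release-namespace: istio-system
    creationTimestamp: "2025-08-13T19:10:26Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: Helm
      helm.toolkit.fluxcd.io/name: istiod
      helm.toolkit.fluxcd.io/namespace: bigbang
      network-policies.bigbang.dev/direction: ingress
      network-policies.bigbang.dev/source: bb-common
    name: allow-ingress-to-istiod-tcp-port-15014-from-ns-monitoring-pod-prometheus
    namespace: istio-system
    resourceVersion: "14360"
    uid: 31e361e7-700d-416f-bbf2-9dc553913184
  spec:
    # Same shape as the kiali rule: only app.kubernetes.io/name=prometheus pods in
    # namespace monitoring may reach 15014. Together these replace the original
    # allow-monitoring-ingress, which accepted 15014 from 0.0.0.0/0.
    ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: monitoring
        podSelector:
          matchLabels:
            app.kubernetes.io/name: prometheus
      ports:
      - port: 15014
        protocol: TCP
    podSelector:
      matchLabels:
        app.kubernetes.io/name: istiod
    policyTypes:
    - Ingress
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    annotations:
      generated.network-policies.bigbang.dev/local-key: istiod:[15010,15012]
      generated.network-policies.bigbang.dev/remote-key: '*'
      meta.helm.sh/release-name: istiod
      meta.helm.sh/release-namespace: istio-system
    creationTimestamp: "2025-08-13T19:10:26Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: Helm
      helm.toolkit.fluxcd.io/name: istiod
      helm.toolkit.fluxcd.io/namespace: bigbang
      network-policies.bigbang.dev/direction: ingress
      network-policies.bigbang.dev/source: bb-common
    name: allow-ingress-to-istiod-tcp-ports-15010-15012-from-any-ns-any-pod
    namespace: istio-system
    resourceVersion: "14362"
    uid: 84a395e3-402c-4beb-9725-8725ef58cece
  spec:
    # Empty namespaceSelector + empty podSelector in one peer: any pod in any namespace.
    # This replaces the original ipBlock 0.0.0.0/0 source on these ports, so sources
    # outside the pod network no longer match.
    ingress:
    - from:
      - namespaceSelector: {}
        podSelector: {}
      ports:
      - port: 15010
        protocol: TCP
      - port: 15012
        protocol: TCP
    podSelector:
      matchLabels:
        app.kubernetes.io/name: istiod
    policyTypes:
    - Ingress
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    annotations:
      generated.network-policies.bigbang.dev/local-key: istiod:[443,15017]
      generated.network-policies.bigbang.dev/remote-key: 0.0.0.0/0
      meta.helm.sh/release-name: istiod
      meta.helm.sh/release-namespace: istio-system
    creationTimestamp: "2025-08-13T19:10:26Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: Helm
      helm.toolkit.fluxcd.io/name: istiod
      helm.toolkit.fluxcd.io/namespace: bigbang
      network-policies.bigbang.dev/direction: ingress
      network-policies.bigbang.dev/source: bb-common
    name: allow-ingress-to-istiod-tcp-ports-443-15017-from-anywhere
    namespace: istio-system
    resourceVersion: "14364"
    uid: fc6a2325-29da-429b-9c7f-cc8bf46a729e
  spec:
    # Still an ipBlock 0.0.0.0/0 source, unchanged from the original allow-webhook-ingress.
    # NOTE(review): presumably kept so callers outside the pod CIDR (e.g. the API server
    # invoking the webhook) can reach these ports — confirm that is the reason the
    # selector-based form was not used here.
    ingress:
    - from:
      - ipBlock:
          cidr: 0.0.0.0/0
      ports:
      - port: 443
        protocol: TCP
      - port: 15017
        protocol: TCP
    podSelector:
      matchLabels:
        app.kubernetes.io/name: istiod
    policyTypes:
    - Ingress
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    annotations:
      meta.helm.sh/release-name: istiod
      meta.helm.sh/release-namespace: istio-system
    creationTimestamp: "2025-08-13T19:10:26Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: Helm
      helm.toolkit.fluxcd.io/name: istiod
      helm.toolkit.fluxcd.io/namespace: bigbang
      network-policies.bigbang.dev/direction: egress
      network-policies.bigbang.dev/source: bb-common
    name: default-egress-allow-kube-dns
    namespace: istio-system
    resourceVersion: "14358"
    uid: 119e11fe-84c0-4ec4-84fe-ef6ba756f72c
  spec:
    # Namespace-wide (empty podSelector): every pod may reach k8s-app=kube-dns pods in
    # kube-system on 53/UDP and 53/TCP. Not present in the original set; with the
    # deny-all policies below this is the only namespace-wide egress permitted.
    egress:
    - ports:
      - port: 53
        protocol: UDP
      - port: 53
        protocol: TCP
      to:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns
    podSelector: {}
    policyTypes:
    - Egress
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    annotations:
      meta.helm.sh/release-name: istiod
      meta.helm.sh/release-namespace: istio-system
    creationTimestamp: "2025-08-13T19:10:26Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: Helm
      helm.toolkit.fluxcd.io/name: istiod
      helm.toolkit.fluxcd.io/namespace: bigbang
      network-policies.bigbang.dev/direction: egress
      network-policies.bigbang.dev/source: bb-common
    name: default-egress-deny-all
    namespace: istio-system
    resourceVersion: "14356"
    uid: 679fb591-ea26-46ef-ad49-a0f7429ab0fe
  spec:
    # Egress half of the original default-deny (which covered both directions in one policy).
    podSelector: {}
    policyTypes:
    - Egress
- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    annotations:
      meta.helm.sh/release-name: istiod
      meta.helm.sh/release-namespace: istio-system
    creationTimestamp: "2025-08-13T19:10:26Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: Helm
      helm.toolkit.fluxcd.io/name: istiod
      helm.toolkit.fluxcd.io/namespace: bigbang
      network-policies.bigbang.dev/direction: ingress
      network-policies.bigbang.dev/source: bb-common
    name: default-ingress-deny-all
    namespace: istio-system
    resourceVersion: "14365"
    uid: 750375db-5563-4f2d-ba55-263844545f31
  spec:
    # Ingress half of the original default-deny.
    podSelector: {}
    policyTypes:
    - Ingress
kind: List
metadata:
  resourceVersion: ""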
Umbrella Branch
Please use the `istiod-bb-common` branch of the Big Bang repo for testing, because the network policy used for SSO is defined there.
Linked Issue
Upgrade Notices
N/A
Related to #44 (closed)