UNCLASSIFIED - NO CUI

Resolve "Egress Whitelist: Kiali"

Tim Seagren requested to merge 80-istio-sidecar into main

General MR

Summary

This MR adds an Istio Sidecar resource to the Kiali namespace to deny any egress traffic that is external to the Istio service registry. Also adds the .Values.istio.registryOnly value to toggle this feature on and off. This behavior is disabled by default.

Relevant logs/screenshots

(Include any relevant logs/screenshots)

Linked Issue

issue

Upgrade Notices

A Sidecar resource has been added to the Kiali namespace that disallows egress to endpoints that are not part of the Istio service registry (a.k.a. REGISTRY_ONLY). This provides a redundant layer of network security in addition to NetworkPolicies. This Sidecar is disabled by default but can be enabled by setting istio.registryOnly: true.

Be sure to assign to yourself: @seagren.tim

Closes #80 (closed)

Edited by Tim Seagren
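
A sketch of how a registry-only Sidecar gated on the istio.registryOnly value can be written as a Helm template. This is an added illustration, not the file from this MR's diff: the template path, resource names, the use of the release namespace, and the example.com host are assumptions.

```yaml
# Hypothetical template path: chart/templates/sidecar.yaml (assumed, not from the MR).
# Enabled from values with:
#   istio:
#     registryOnly: true
{{- if .Values.istio.registryOnly }}
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: registry-only                      # assumed name
  namespace: {{ .Release.Namespace }}      # assumed to be the Kiali namespace
spec:
  # No workloadSelector, so the policy covers every sidecar-injected
  # workload in this namespace.
  outboundTrafficPolicy:
    # REGISTRY_ONLY: Envoy only forwards to hosts known to the Istio
    # service registry. Anything else is routed to BlackHoleCluster
    # (HTTP requests fail with 502) instead of PassthroughCluster,
    # which is what the default ALLOW_ANY mode uses.
    mode: REGISTRY_ONLY
---
# Constructed example of allowing one external dependency once the
# Sidecar is active: a ServiceEntry adds the host to the registry.
# The hostname is a placeholder, not a real Kiali dependency.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: allow-external-api                 # assumed name
  namespace: {{ .Release.Namespace }}
spec:
  hosts:
    - external-api.example.com             # placeholder host
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
    - number: 443
      name: https
      protocol: TLS
{{- end }}
```

After enabling the toggle, BlackHoleCluster entries in the istio-proxy access logs show which destinations are being denied and may need a ServiceEntry.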
