Integrated bb-common
General MR
Summary
- Added bb-common 0.12.3 as a helm dependency
- Replaced all static network policies and istio-related resources with bb-common generated resources
Relevant logs/screenshots
Before integration
Note: The value for istio.hardened.enabled needs to be manually set to true in order for its auth policies to show up as expected (this was addressed as part of its bb-common integration).
kubectl get netpol -n kyverno-reporter
NAME POD-SELECTOR AGE
egress-dns app.kubernetes.io/part-of=policy-reporter 3m40s
egress-istiod app.kubernetes.io/part-of=policy-reporter 3m40s
egress-kube-api app.kubernetes.io/part-of=policy-reporter 3m40s
ingress-egress-default-deny app.kubernetes.io/part-of=policy-reporter 3m40s
ingress-egress-ns <none> 3m40s
ingress-prometheus-metrics <none> 3m40s
istio-ingress <none> 3m40s
kubectl get ap -n kyverno-reporter
NAME ACTION AGE
allow-all-in-namespace ALLOW 3m44s
allow-kyverno-reporter ALLOW 3m44s
allow-prometheus-to-policy-reporter ALLOW 3m44s
allow-ui-to-policy-reporter-port ALLOW 3m44s
public-ingressgateway-ingressgateway-authz-policy ALLOW 3m44s
kubectl get se -n kyverno-reporter
NAME HOSTS LOCATION RESOLUTION AGE
cypress-service-entries-kyvernoreporter ["registry.npmjs.org","download.cypress.io","cdn.cypress.io","repo1.dso.mil","prometheus.dev.bigbang.mil"] MESH_EXTERNAL DNS 3m47s
kubectl get pa -n kyverno-reporter
NAME MODE AGE
kyverno-reporter-kyverno-reporter-default STRICT 3m53s
kubectl get vs -n kyverno-reporter
NAME GATEWAYS HOSTS AGE
policy-reporter-ui ["istio-gateway/public-ingressgateway"] ["policyreporter.dev.bigbang.mil"] 3m57s
After Integration
kubectl get netpol -n kyverno-reporter
NAME POD-SELECTOR AGE
allow-egress-from-kyverno-reporter-to-kubeapi app.kubernetes.io/instance=kyverno-reporter-kyverno-reporter 29s
allow-ingress-to-policy-reporter-tcp-port-8080-from-ns-monitoring-pod-prometheus app.kubernetes.io/name=policy-reporter 29s
allow-ingress-to-policy-reporter-ui-8080-from-ns-istio-gateway-pod-public-ingressgateway app.kubernetes.io/name=policy-reporter-ui 29s
default-egress-allow-all-in-ns <none> 29s
default-egress-allow-istiod <none> 29s
default-egress-allow-kube-dns <none> 29s
default-egress-deny-all <none> 29s
default-ingress-allow-all-in-ns <none> 29s
default-ingress-allow-prometheus-to-istio-sidecar <none> 29s
default-ingress-deny-all <none> 29s
kubectl get ap -n kyverno-reporter
NAME ACTION AGE
allow-ingress-to-policy-reporter-tcp-port-8080-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus ALLOW 34s
default-authz-allow-all-in-ns ALLOW 34s
default-authz-allow-nothing 34s
policy-reporter-ui-public-ingressgateway-authz-policy ALLOW 34s
kubectl get se -n kyverno-reporter
NAME HOSTS LOCATION RESOLUTION AGE
bb-tests-external ["repo1.dso.mil","prometheus.dev.bigbang.mil","grafana.dev.bigbang.mil"] MESH_EXTERNAL DNS 38s
cypress-service-entries-kyvernoreporter ["registry.npmjs.org","download.cypress.io","cdn.cypress.io","repo1.dso.mil","prometheus.dev.bigbang.mil"] MESH_EXTERNAL DNS 11m
policy-reporter-ui-internal ["policyreporter.dev.bigbang.mil"] MESH_EXTERNAL DNS 38s
kubectl get pa -n kyverno-reporter
NAME MODE AGE
default-peer-auth STRICT 44s
kubectl get vs -n kyverno-reporter
NAME GATEWAYS HOSTS AGE
policy-reporter-ui ["istio-gateway/public-ingressgateway"] ["policyreporter.dev.bigbang.mil"] 11m
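One check worth running when reviewing a migration like this is whether the generated policy set still closes the namespace by default (both directions) and whether any namespace-wide allow rule lacks a peer selector. The script below is an added example, not code from the kyverno-reporter package or from bb-common: it takes the `items` of `kubectl get netpol -n <ns> -o json` and applies the Kubernetes defaulting rules for `policyTypes`. The embedded manifests are constructed to mirror the policy names in the listing above; their rule bodies are assumptions, not bb-common's actual output.

```python
"""Audit a namespace's NetworkPolicy set for default-deny coverage and holes.

Added example, not code from kyverno-reporter or bb-common. Live usage:
    kubectl get netpol -n kyverno-reporter -o json | python3 netpol_audit.py
SAMPLE_NETPOLS / LEAKY_NETPOLS are constructed manifests (assumed rule bodies).
"""
import json
import sys


def effective_policy_types(spec):
    """API defaulting: Ingress is always implied; Egress only if an egress
    section is present. Omitting policyTypes on an egress-only policy
    therefore also denies all ingress to the selected pods."""
    types = spec.get("policyTypes")
    if types:
        return set(types)
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def selects_all_pods(selector):
    """An empty podSelector ({}) matches every pod in the namespace."""
    return not selector.get("matchLabels") and not selector.get("matchExpressions")


def rule_has_no_peer_restriction(rule, direction):
    """A rule with no from/to peers admits any source (or destination),
    even if it restricts ports."""
    return not rule.get("from" if direction == "Ingress" else "to")


def audit(policies):
    """Summarise one namespace's policies (the `items` of -o json output)."""
    report = {
        "default_deny": {"Ingress": False, "Egress": False},
        "deny": [],          # (name, direction): policies that only deny
        "allow": [],         # (name, direction): policies that admit traffic
        "unrestricted": [],  # namespace-wide allows with no peer selector
    }
    for pol in policies:
        name = pol["metadata"]["name"]
        spec = pol.get("spec", {})
        selector = spec.get("podSelector", {})
        for direction in sorted(effective_policy_types(spec)):
            rules = spec.get(direction.lower()) or []
            if not rules:  # direction listed but no rules: deny for selected pods
                report["deny"].append((name, direction))
                if selects_all_pods(selector):
                    report["default_deny"][direction] = True
                continue
            report["allow"].append((name, direction))
            if selects_all_pods(selector) and any(
                rule_has_no_peer_restriction(r, direction) for r in rules
            ):
                report["unrestricted"].append((name, direction))
    return report


def findings(report):
    """Reviewer-facing problems; an empty list means the set is clean."""
    problems = [f"no namespace-wide default deny for {d}"
                for d, ok in report["default_deny"].items() if not ok]
    problems += [f"{n} admits {d} traffic with no peer selector"
                 for n, d in report["unrestricted"]]
    return problems


def _np(name, selector, **spec):
    return {"metadata": {"name": name}, "spec": {"podSelector": selector, **spec}}


KUBE_SYSTEM = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}
MONITORING = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "monitoring"}},
              "podSelector": {"matchLabels": {"app.kubernetes.io/name": "prometheus"}}}

# Constructed: what a bb-common style set should look like.
SAMPLE_NETPOLS = [
    _np("default-ingress-deny-all", {}, policyTypes=["Ingress"]),
    _np("default-egress-deny-all", {}, policyTypes=["Egress"]),
    _np("default-ingress-allow-all-in-ns", {}, policyTypes=["Ingress"],
        ingress=[{"from": [{"podSelector": {}}]}]),
    _np("default-egress-allow-kube-dns", {}, policyTypes=["Egress"],
        egress=[{"to": [KUBE_SYSTEM], "ports": [{"port": 53, "protocol": "UDP"}]}]),
    _np("allow-ingress-to-policy-reporter-tcp-port-8080-from-ns-monitoring-pod-prometheus",
        {"matchLabels": {"app.kubernetes.io/name": "policy-reporter"}}, policyTypes=["Ingress"],
        ingress=[{"from": [MONITORING], "ports": [{"port": 8080, "protocol": "TCP"}]}]),
]

# Constructed: two mistakes a hand-written set can carry.
LEAKY_NETPOLS = [
    _np("default-ingress-deny-all", {}, policyTypes=["Ingress"]),
    # no egress default deny at all, and a port-only rule on every pod
    _np("allow-ingress-to-policy-reporter-ui-8080", {}, policyTypes=["Ingress"],
        ingress=[{"ports": [{"port": 8080, "protocol": "TCP"}]}]),
    # policyTypes omitted: Ingress is implied and, with no ingress rules, denied
    _np("egress-allow-kube-dns-no-types",
        {"matchLabels": {"app.kubernetes.io/name": "policy-reporter"}},
        egress=[{"to": [KUBE_SYSTEM], "ports": [{"port": 53, "protocol": "UDP"}]}]),
]

if __name__ == "__main__":
    items = SAMPLE_NETPOLS if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    for line in findings(audit(items)) or ["clean: default deny both directions"]:
        print(line)
```

Run it with no stdin to audit the constructed sample, or pipe the real listing in. Note that the "Egress" deny is only satisfied by a policy with an empty podSelector, so per-app deny policies such as the old `ingress-egress-default-deny` (scoped to `app.kubernetes.io/part-of=policy-reporter`) would not count as namespace-wide.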
Validated UI comes up as expected:
Validated Prometheus target:
Validated Grafana dashboards:
Linked Issue
Upgrade Notices
Kyverno Reporter is now leveraging our bb-common integration for network policies and all istio-related resources. Please refer to this blog post for additional information on the integration.
Umbrella Branch
kyverno-reporter-bb-common