UNCLASSIFIED - NO CUI


Adding sidecar, serviceEntry to whitelist egress

Chris Harden requested to merge registry-only-sidecar-kyverno-reporter-II into main

General MR

Summary

A Sidecar resource has been added to the Kyverno-reporter namespace that disallows egress to endpoints that are not part of the Istio service registry (a.k.a. REGISTRY_ONLY). The outboundTrafficPolicy.mode in the Sidecar can be configured, however, to be something other than REGISTRY_ONLY if desired by setting istio.hardened.outboundTrafficPolicyMode. This provides a redundant layer of network security in addition to NetworkPolicies. This Sidecar is disabled by default but can be enabled by setting istio.enabled: true and istio.hardened.enabled: true.

Additionally, custom ServiceEntries can be created by populating the istio.hardened.customServiceEntries list.

Test

Verify application logs for errors.

Add utility package to namespace and verify egress to https://google.com

Note: There's a NetworkPolicy named ingress-egress-ns that prevents traffic outside of the namespace; it needs to be deleted to perform the tests.

# utility pod (netshoot) used for the egress tests
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: test-whitelist
  name: test-whitelist
  namespace: kyverno-reporter
spec:
  containers:
  - name: netshoot
    image: nicolaka/netshoot
    args:
    - sleep
    - "100000000"
EOF

override.yaml

kyvernoReporter:
  enabled: true
  git:
    tag: null
    branch: "registry-only-sidecar-kyverno-reporter"
  values:
    podAnnotations:
      sidecar.istio.io/logLevel: debug
    podLabels:
      app: kyverno-reporter
    istio:
      enabled: true
      hardened:
        enabled: true
        customServiceEntries:
          - name: "google-com-test"
            enabled: true
            spec:
              hosts:
                - 'www.google.com'
              location: MESH_EXTERNAL
              ports:
                - number: 443
                  protocol: TLS
                  name: https
              resolution: DNS

Verify access to https://google.com
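As an added illustration (not the chart's rendered output), the Istio resources that the override.yaml above is expected to produce: a Sidecar with outboundTrafficPolicy REGISTRY_ONLY and the ServiceEntry for www.google.com. The Sidecar name, the egress host scopes and the exportTo tightening are assumptions, not values from the MR.

```yaml
# Added example, not code from the MR or the chart. Assumed: Sidecar name,
# egress host list, and exportTo on the ServiceEntry.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: kyverno-reporter-registry-only   # assumed name
  namespace: kyverno-reporter
spec:
  workloadSelector:
    labels:
      app: kyverno-reporter              # matches podLabels in override.yaml
  egress:
  - hosts:
    - "./*"              # services and ServiceEntries in this namespace
    - "istio-system/*"   # istiod and the ingress/egress gateways
  outboundTrafficPolicy:
    # istio.hardened.outboundTrafficPolicyMode. With REGISTRY_ONLY, any
    # destination absent from the service registry is sent to Envoy's
    # BlackHoleCluster: the caller sees a connection failure (or HTTP 502
    # for plaintext HTTP) and the proxy access log shows the blocked flow.
    mode: REGISTRY_ONLY
---
# Counterpart of istio.hardened.customServiceEntries[0]
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: google-com-test
  namespace: kyverno-reporter
spec:
  hosts:
  - www.google.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: TLS        # passthrough TLS; matched on SNI
  resolution: DNS
  exportTo:
  - "."                  # assumed tightening: visible only in this namespace
```

Note that a TLS ServiceEntry is matched on the SNI the client sends, so only connections to www.google.com pass; a request to the bare host google.com is black-holed under REGISTRY_ONLY, which doubles as the negative check for the test above.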

Relevant logs/screenshots

(Include any relevant logs/screenshots)

Linked Issue

issue

Upgrade Notices

A Sidecar resource has been added to the Kiali namespace that disallows egress to endpoints that are not part of the Istio service registry (a.k.a. REGISTRY_ONLY). The outboundTrafficPolicy.mode in the Sidecar can be configured, however, to be something other than REGISTRY_ONLY if desired by setting istio.hardened.outboundTrafficPolicyMode. This provides a redundant layer of network security in addition to NetworkPolicies. This Sidecar is disabled by default but can be enabled by setting istio.enabled: true and istio.hardened.enabled: true.

Additionally, custom ServiceEntries can be created by populating the istio.hardened.customServiceEntries list.

Be sure to assign to yourself: @charden

Closes #37 (closed)

Edited by Tim Seagren
