Integrated bb-common
General MR
## Summary
- Added bb-common 0.12.0 as a helm dependency
- Replaced all network policies with bb-common generated network policies
## Relevant logs/screenshots

Prior to Upgrade:

```text
kubectl get netpol -n kyverno
NAME                      POD-SELECTOR                                                                                                                                                                  AGE
allow-egress-api          <none>                                                                                                                                                                        8m10s
allow-metric-scraping     app.kubernetes.io/instance=kyverno-kyverno,app.kubernetes.io/managed-by=Helm,app.kubernetes.io/part-of=kyverno-kyverno,app.kubernetes.io/version=3.6.1,helm.sh/chart=upstream-3.6.1   8m10s
allow-webhooks-from-api   app.kubernetes.io/component=admission-controller,app.kubernetes.io/instance=kyverno-kyverno,app.kubernetes.io/managed-by=Helm,app.kubernetes.io/part-of=kyverno-kyverno,app.kubernetes.io/version=3.6.1,helm.sh/chart=upstream-3.6.1   8m10s
default-deny-ingress      <none>                                                                                                                                                                        8m10s
egress-default-deny       <none>                                                                                                                                                                        8m10s
egress-kube-dns           <none>                                                                                                                                                                        8m10s
ingress-egress-allow-ns   <none>                                                                                                                                                                        8m10s
```
Post Upgrade:

```text
kubectl get netpol -n kyverno
NAME                                                                       POD-SELECTOR                                                        AGE
allow-egress-from-kyverno-admission-controller-to-kubeapi                  app.kubernetes.io/component=admission-controller                    7m56s
allow-egress-from-kyverno-migrate-resources-to-kubeapi                     batch.kubernetes.io/job-name=kyverno-kyverno-migrate-resources      7m56s
allow-ingress-to-kyverno-admission-controller-port-9443-from-kubeapi       app.kubernetes.io/component=admission-controller                    7m56s
allow-ingress-to-kyverno-tcp-port-8000-from-ns-monitoring-pod-prometheus   app.kubernetes.io/instance=kyverno-kyverno                          7m56s
default-egress-allow-all-in-ns                                             <none>                                                              7m56s
default-egress-allow-kube-dns                                              <none>                                                              7m56s
default-egress-deny-all                                                    <none>                                                              7m56s
default-ingress-allow-all-in-ns                                            <none>                                                              7m56s
default-ingress-deny-all                                                   <none>                                                              7m56s
```
Validated secret sync per dev maintenance documentation:
```text
kubectl get secrets kyverno-bbtest-secret -n kyverno-bbtest
NAME                    TYPE     DATA   AGE
kyverno-bbtest-secret   Opaque   2      10s
```
Performed same validation as above on fresh installation of Kyverno as well.
Validated registry egress network policy
Verified the following configuration deploys the network policy as expected:
```yaml
kyverno:
  values:
    networkPolicies:
      externalRegistries:
        allowEgress: true
```
`kubectl get netpol allow-egress-from-kyverno-admission-controller-to-private-registry -n kyverno -o yaml`:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  annotations:
    generated.network-policies.bigbang.dev/from-definition: private-registry
    generated.network-policies.bigbang.dev/local-key: kyverno-admission-controller
    generated.network-policies.bigbang.dev/remote-key: private-registry
    meta.helm.sh/release-name: kyverno-kyverno
    meta.helm.sh/release-namespace: kyverno
  creationTimestamp: "2025-12-30T12:10:36Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
    helm.toolkit.fluxcd.io/name: kyverno
    helm.toolkit.fluxcd.io/namespace: bigbang
    network-policies.bigbang.dev/direction: egress
    network-policies.bigbang.dev/source: bb-common
  name: allow-egress-from-kyverno-admission-controller-to-private-registry
  namespace: kyverno
  resourceVersion: "16691"
  uid: e426ba85-798f-433f-b326-9127dd92ce3e
spec:
  egress:
  - ports:
    - port: 443
      protocol: TCP
    to:
    - ipBlock:
        cidr: 15.205.173.153/32
  podSelector:
    matchLabels:
      app.kubernetes.io/component: admission-controller
  policyTypes:
  - Egress
```
Also verified that the `ports` section still works and does not add duplicate ports, using the following settings:

```yaml
kyverno:
  values:
    networkPolicies:
      externalRegistries:
        allowEgress: true
        ports:
        - port: 443
        - port: 80
          protocol: TCP
```
`kubectl get netpol allow-egress-from-kyverno-admission-controller-to-private-registry -n kyverno -o yaml`:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  annotations:
    generated.network-policies.bigbang.dev/from-definition: private-registry
    generated.network-policies.bigbang.dev/local-key: kyverno-admission-controller
    generated.network-policies.bigbang.dev/remote-key: private-registry
    meta.helm.sh/release-name: kyverno-kyverno
    meta.helm.sh/release-namespace: kyverno
  creationTimestamp: "2025-12-30T12:10:36Z"
  generation: 2
  labels:
    app.kubernetes.io/managed-by: Helm
    helm.toolkit.fluxcd.io/name: kyverno
    helm.toolkit.fluxcd.io/namespace: bigbang
    network-policies.bigbang.dev/direction: egress
    network-policies.bigbang.dev/source: bb-common
  name: allow-egress-from-kyverno-admission-controller-to-private-registry
  namespace: kyverno
  resourceVersion: "22060"
  uid: e426ba85-798f-433f-b326-9127dd92ce3e
spec:
  egress:
  - ports:
    - port: 443
      protocol: TCP
    - port: 80
      protocol: TCP
    to:
    - ipBlock:
        cidr: 15.205.173.153/32
  podSelector:
    matchLabels:
      app.kubernetes.io/component: admission-controller
  policyTypes:
  - Egress
```
## Linked Issue

## Upgrade Notices
Kyverno is now leveraging our bb-common integration for network policies. Please refer to this blog post for additional information on the integration.
Please note that two definitions have been created as part of this integration to allow these policies to be more tailored to a given environment:
```yaml
ingress:
  definitions:
    kubeAPI:
      from:
      - ipBlock:
          cidr: 192.168.0.0/16
      - ipBlock:
          cidr: 172.16.0.0/12
      - ipBlock:
          cidr: 10.0.0.0/8
```
The kubeAPI ingress definition automatically uses the controlPlaneCidr and vpcCidr specified in the global network policy settings. It can also be overridden within the package as shown above if needed. In the above example all RFC 1918 private IP ranges are allowed, which is broader than the default; prefer scoping the override to the control plane and VPC CIDRs actually in use.
The private-registry egress definition has also been created. It defaults to the IP address of Iron Bank over TCP port 443. If another registry is in use, the CIDR and ports may need to be updated to match it.

```yaml
egress:
  definitions:
    private-registry:
      to:
      - ipBlock:
          cidr: "15.205.173.153/32"
      ports:
      - port: 443
        protocol: TCP
```
Please note that this network policy is not enabled by default and is currently controlled by the following settings in the package:

```yaml
externalRegistries:
  allowEgress: false
  ports: []
```
The above section will be deprecated in the next major version of Big Bang (4.0). Instead, the network policy will be enabled automatically whenever the require-image-signature Kyverno policy is enabled, since the admission controller needs this registry egress to fetch signatures as part of that process. If you are currently leveraging the `ports` section, no action is needed and it will continue to function as expected; however, it is recommended to switch over to using the new definition.
This rule can also be toggled on or off manually as shown below:
```yaml
from:
  kyverno-admission-controller:
    podSelector:
      matchLabels:
        app.kubernetes.io/component: admission-controller
    to:
      definition:
        private-registry: true # Set to false to disable
```
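To make the "no duplicate ports" and "only the registry CIDR" expectations checkable outside a cluster, here is an added example that is not code from the Kyverno package, bb-common or Big Bang. It merges a definition's ports with a package-level `ports` override the way the notes above describe, then validates a rendered NetworkPolicy against that expectation. The policy dict is transcribed from the `kubectl ... -o yaml` output earlier in this MR; the function names, the first-occurrence-wins merge rule and the `make_misrendered_policy` negative case are assumptions for illustration.

```python
"""Added example, not code from the Big Bang kyverno package or bb-common.

Merges definition ports with a package-level `ports` override without
duplicates, then validates a rendered NetworkPolicy against the result.
The merge rule (first occurrence wins, protocol defaults to TCP) and all
function names are assumptions for illustration.
"""
import copy
from typing import List, Set, Tuple

Port = Tuple[int, str]

# Default private-registry definition from the Upgrade Notices (Iron Bank, TCP/443).
IRON_BANK_CIDR = "15.205.173.153/32"
DEFINITION_PORTS: List[dict] = [{"port": 443, "protocol": "TCP"}]

# The legacy externalRegistries.ports override used in the MR validation above.
OVERRIDE_PORTS: List[dict] = [{"port": 443}, {"port": 80, "protocol": "TCP"}]

# Transcribed from the `kubectl get netpol ... -o yaml` output above (spec only).
RENDERED_POLICY: dict = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {
        "name": "allow-egress-from-kyverno-admission-controller-to-private-registry",
        "namespace": "kyverno",
    },
    "spec": {
        "egress": [{
            "ports": [{"port": 443, "protocol": "TCP"}, {"port": 80, "protocol": "TCP"}],
            "to": [{"ipBlock": {"cidr": IRON_BANK_CIDR}}],
        }],
        "podSelector": {"matchLabels": {"app.kubernetes.io/component": "admission-controller"}},
        "policyTypes": ["Egress"],
    },
}


def normalise_port(entry: dict) -> Port:
    """Kubernetes defaults `protocol` to TCP, so {"port": 443} and
    {"port": 443, "protocol": "TCP"} describe the same rule."""
    return (int(entry["port"]), str(entry.get("protocol", "TCP")).upper())


def merge_ports(definition_ports: List[dict], override_ports: List[dict]) -> List[dict]:
    """Union of definition and override ports; first occurrence wins, order kept."""
    seen: Set[Port] = set()
    merged: List[dict] = []
    for entry in definition_ports + override_ports:
        key = normalise_port(entry)
        if key in seen:
            continue
        seen.add(key)
        merged.append({"port": key[0], "protocol": key[1]})
    return merged


def check_registry_egress_policy(policy: dict, expected_cidr: str,
                                 expected_ports: List[dict]) -> List[str]:
    """Return a list of findings; an empty list means the policy matches expectations."""
    findings: List[str] = []
    spec = policy.get("spec", {})
    if spec.get("policyTypes") != ["Egress"]:
        findings.append(f"policyTypes must be ['Egress'], got {spec.get('policyTypes')}")
    labels = spec.get("podSelector", {}).get("matchLabels", {})
    if labels.get("app.kubernetes.io/component") != "admission-controller":
        findings.append("podSelector does not target the admission-controller pods")
    rules = spec.get("egress", [])
    if len(rules) != 1:
        findings.append(f"expected exactly one egress rule, got {len(rules)}")
        return findings
    rule = rules[0]
    # Any non-ipBlock peer (namespaceSelector/podSelector) shows up as a None CIDR
    # and fails this comparison, because it would widen the rule beyond the registry.
    peers = rule.get("to", [])
    cidrs = [p.get("ipBlock", {}).get("cidr") for p in peers]
    if cidrs != [expected_cidr]:
        findings.append(f"egress destinations {cidrs} != ['{expected_cidr}']")
    actual = [normalise_port(e) for e in rule.get("ports", [])]
    if len(actual) != len(set(actual)):
        findings.append(f"duplicate ports in rendered policy: {actual}")
    wanted = sorted({normalise_port(e) for e in expected_ports})
    if sorted(set(actual)) != wanted:
        findings.append(f"ports {sorted(set(actual))} != expected {wanted}")
    return findings


def make_misrendered_policy() -> dict:
    """Constructed negative case: the 443 entry rendered twice."""
    bad = copy.deepcopy(RENDERED_POLICY)
    bad["spec"]["egress"][0]["ports"].append({"port": 443, "protocol": "TCP"})
    return bad


if __name__ == "__main__":
    expected = merge_ports(DEFINITION_PORTS, OVERRIDE_PORTS)
    print("merged ports:", expected)
    print("rendered policy:", check_registry_egress_policy(RENDERED_POLICY, IRON_BANK_CIDR, expected))
    print("mis-rendered policy:",
          check_registry_egress_policy(make_misrendered_policy(), IRON_BANK_CIDR, expected))
```

The checker is deliberately strict about `policyTypes` and the single `ipBlock` peer: a policy that also lists `Ingress` without ingress rules, or that gains a `namespaceSelector` peer, silently changes what the admission controller can reach, and those are the regressions worth catching in a chart upgrade. Feed it the output of `kubectl get netpol ... -o json` (parsed with `json.load`) to run it against a live cluster.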
## Umbrella Branch
bb-common-kyverno