UNCLASSIFIED - NO CUI

Skip to content
Snippets Groups Projects

networkpolicy: allow enabling network egress

Merged networkpolicy: allow enabling network egress
dd/enable-network-egress into main
Merged Daniel Dides requested to merge dd/enable-network-egress into main

Create .Values.networkPolicies.allowExternalRegistryEgress

Summary

Reconfigure existing (hidden) NetworkPolicy to be able to optionally enable an egress rule that allows the Kyverno Admission Controller to communicate with external networks. This is required when the container registry exists outside of the network the cluster is running in (e.g. dogfood -> registry1) and the Kyverno policy require-image-signature is enabled, as the admission controller will need to communicate with the registry to validate the container signature.

NetworkPolicy defaults:

$ helm template build chart --set networkPolicies.enabled=true | grep "allow-egress-container-registry"
# builds with no issues

Enabling egress (with no port override)

$ helm template build chart --set networkPolicies.enabled=true --set networkPolicies.externalRegistries.allowEgress=true | grep -A 30 "allow-egress-container-registry"
  name: allow-egress-container-registry
  namespace: default
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: build
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: build-kyverno
    app.kubernetes.io/version: 3.0.0-bb.10
    helm.sh/chart: kyverno-3.0.0-bb.10
    app: kyverno
spec:
  egress:
    - to:
      - ipBlock:
          cidr: 0.0.0.0/0
          except:
          - 169.254.169.254/32
      ports:
        - protocol: TCP
          port: 443
  podSelector: 
    matchLabels:
        app.kubernetes.io/component: admission-controller
        app.kubernetes.io/instance: build
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/part-of: build-kyverno
        app.kubernetes.io/version: 3.0.0-bb.10
        helm.sh/chart: kyverno-3.0.0-bb.10
  policyTypes:
    - Egress

Additional ports:

networkPolicies:
  enabled: true
  externalRegistries:
    allowEgress: true
    ports: 
    - port: 1234
      protocol: TCP
$ helm template build chart -f override.yaml | grep -A 30 "allow-egress-container-registry"
  name: allow-egress-container-registry
  namespace: default
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: build
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: build-kyverno
    app.kubernetes.io/version: 3.0.0-bb.10
    helm.sh/chart: kyverno-3.0.0-bb.10
    app: kyverno
spec:
  egress:
    - to:
      - ipBlock:
          cidr: 0.0.0.0/0
          except:
          - 169.254.169.254/32
      ports:
      - port: 1234
        protocol: TCP
  podSelector: 
    matchLabels:
        app.kubernetes.io/component: admission-controller
        app.kubernetes.io/instance: build
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/part-of: build-kyverno
        app.kubernetes.io/version: 3.0.0-bb.10
        helm.sh/chart: kyverno-3.0.0-bb.10
  policyTypes:
    - Egress
Edited by Daniel Dides

Merge request reports

Loading
Loading

Activity

Filter activity
  • Approvals
  • Assignees & reviewers
  • Comments (from bots)
  • Comments (from users)
  • Commits & branches
  • Edits
  • Labels
  • Lock status
  • Mentions
  • Merge request status
  • Tracking
Please register or sign in to reply

UNCLASSIFIED - NO CUI