networkpolicy: allow enabling network egress
.Values.networkPolicies.allowExternalRegistryEgress
Reconfigure the existing (hidden) NetworkPolicy so that an egress rule can optionally be enabled that allows the Kyverno Admission Controller to communicate with external networks. This is required when the container registry exists outside of the network the cluster is running in (e.g. dogfood -> registry1) and the Kyverno policy `require-image-signature` is enabled, since the admission controller must reach the registry to validate the container signature.
NetworkPolicy defaults (no egress rule is rendered):

```shell
$ helm template build chart --set networkPolicies.enabled=true | grep "allow-egress-container-registry"
# builds with no issues
```
Enabling egress (with no port override):

```shell
$ helm template build chart --set networkPolicies.enabled=true --set networkPolicies.externalRegistries.allowEgress=true | grep -A 30 "allow-egress-container-registry"
```

```yaml
  name: allow-egress-container-registry
  namespace: default
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: build
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: build-kyverno
    app.kubernetes.io/version: 3.0.0-bb.10
    helm.sh/chart: kyverno-3.0.0-bb.10
    app: kyverno
spec:
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32
    ports:
    - protocol: TCP
      port: 443
  podSelector:
    matchLabels:
      app.kubernetes.io/component: admission-controller
      app.kubernetes.io/instance: build
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/part-of: build-kyverno
      app.kubernetes.io/version: 3.0.0-bb.10
      helm.sh/chart: kyverno-3.0.0-bb.10
  policyTypes:
  - Egress
```
Additional ports (`override.yaml`):

```yaml
networkPolicies:
  enabled: true
  externalRegistries:
    allowEgress: true
    ports:
    - port: 1234
      protocol: TCP
```

```shell
$ helm template build chart -f override.yaml | grep -A 30 "allow-egress-container-registry"
```

```yaml
  name: allow-egress-container-registry
  namespace: default
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: build
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: build-kyverno
    app.kubernetes.io/version: 3.0.0-bb.10
    helm.sh/chart: kyverno-3.0.0-bb.10
    app: kyverno
spec:
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32
    ports:
    - port: 1234
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/component: admission-controller
      app.kubernetes.io/instance: build
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/part-of: build-kyverno
      app.kubernetes.io/version: 3.0.0-bb.10
      helm.sh/chart: kyverno-3.0.0-bb.10
  policyTypes:
  - Egress
```
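As an added check (not part of the chart or this MR), the following Python validates a rendered `allow-egress-container-registry` policy against what the two renderings above should guarantee: egress only, admission-controller pods only, the instance-metadata endpoint carved out of `0.0.0.0/0`, and the port list equal to what was configured. The policy dict is a constructed copy of what `yaml.safe_load` returns for the rendered manifest; field names and labels are the ones shown above, and `check_registry_egress` is a hypothetical helper.

```python
# Added example: conformance check for the rendered NetworkPolicy.
# SAMPLE_POLICY is a constructed copy of the default (port 443) rendering
# above, trimmed to the labels the check actually inspects.
METADATA_ENDPOINT = "169.254.169.254/32"  # cloud instance-metadata service

SAMPLE_POLICY = {
    "metadata": {"name": "allow-egress-container-registry", "namespace": "default"},
    "spec": {
        "policyTypes": ["Egress"],
        "podSelector": {"matchLabels": {"app.kubernetes.io/component": "admission-controller"}},
        "egress": [{
            "to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": [METADATA_ENDPOINT]}}],
            "ports": [{"protocol": "TCP", "port": 443}],
        }],
    },
}


def check_registry_egress(policy, expected_ports=(("TCP", 443),)):
    """Return a list of findings; an empty list means the policy is as expected."""
    findings = []
    spec = policy.get("spec", {})
    if spec.get("policyTypes") != ["Egress"]:
        findings.append("policyTypes must be exactly [Egress]")
    labels = spec.get("podSelector", {}).get("matchLabels", {})
    if labels.get("app.kubernetes.io/component") != "admission-controller":
        findings.append("podSelector must target the admission-controller only")
    rules = spec.get("egress", [])
    if len(rules) != 1:
        findings.append(f"expected one egress rule, found {len(rules)}")
    for rule in rules:
        for peer in rule.get("to", []):
            block = peer.get("ipBlock")
            if block is None:
                findings.append("peer without ipBlock; selectors are not expected here")
                continue
            # A wide-open CIDR must always carve out the metadata endpoint.
            if block.get("cidr") == "0.0.0.0/0" and METADATA_ENDPOINT not in block.get("except", []):
                findings.append("0.0.0.0/0 without except for " + METADATA_ENDPOINT)
        # Port protocol defaults to TCP when omitted, as in the Kubernetes API.
        got = {(p.get("protocol", "TCP"), p.get("port")) for p in rule.get("ports", [])}
        if got != set(expected_ports):
            findings.append(f"ports {sorted(got)} differ from expected {sorted(expected_ports)}")
    return findings
```

Run it over `yaml.safe_load_all(helm template ...)` output filtered to `kind: NetworkPolicy` to gate the override in CI; a non-empty list fails the check.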
Edited by Daniel Dides