networkpolicy: allow enabling network egress
Compare changes
Files
5@@ -13,9 +13,15 @@ spec:
\ No newline at end of file
UNCLASSIFIED - NO CUI
Currently supported Big Bang Version is 2.51
.Values.networkPolicies.allowExternalRegistryEgress
Reconfigure existing (hidden) NetworkPolicy to be able to optionally enable an egress rule that allows the Kyverno Admission Controller to communicate with external networks. This is required when the container registry exists outside of the network the cluster is running in (e.g. dogfood -> registry1) and the Kyverno policy require-image-signature is enabled, as the admission controller will need to communicate with the registry to validate the container signature.
NetworkPolicy defaults:
$ helm template build chart --set networkPolicies.enabled=true | grep "allow-egress-container-registry"
# builds with no issuesEnabling egress (with no port override)
$ helm template build chart --set networkPolicies.enabled=true --set networkPolicies.externalRegistries.allowEgress=true | grep -A 30 "allow-egress-container-registry"
name: allow-egress-container-registry
namespace: default
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: build
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: build-kyverno
app.kubernetes.io/version: 3.0.0-bb.10
helm.sh/chart: kyverno-3.0.0-bb.10
app: kyverno
spec:
egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 169.254.169.254/32
ports:
- protocol: TCP
port: 443
podSelector:
matchLabels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: build
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: build-kyverno
app.kubernetes.io/version: 3.0.0-bb.10
helm.sh/chart: kyverno-3.0.0-bb.10
policyTypes:
- EgressAdditional ports:
networkPolicies:
enabled: true
externalRegistries:
allowEgress: true
ports:
- port: 1234
protocol: TCP$ helm template build chart -f override.yaml | grep -A 30 "allow-egress-container-registry"
name: allow-egress-container-registry
namespace: default
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: build
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: build-kyverno
app.kubernetes.io/version: 3.0.0-bb.10
helm.sh/chart: kyverno-3.0.0-bb.10
app: kyverno
spec:
egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 169.254.169.254/32
ports:
- port: 1234
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: build
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: build-kyverno
app.kubernetes.io/version: 3.0.0-bb.10
helm.sh/chart: kyverno-3.0.0-bb.10
policyTypes:
- EgressUNCLASSIFIED - NO CUI