Draft: Adding sidecar, serviceEntry to whitelist egress
General MR
Summary
This MR adds an Istio Sidecar resource to the Kyverno namespace to deny any egress traffic that is external to the Istio service registry. It also adds the `.Values.istio.registryOnly` value to toggle this feature on and off. This behavior is disabled by default.
Relevant logs/screenshots
Linked Issue
Upgrade Notices
A Sidecar resource has been added to the Kyverno namespace that disallows egress to endpoints that are not part of the Istio service registry (a.k.a. REGISTRY_ONLY). This provides a redundant layer of network security in addition to NetworkPolicies. This Sidecar is disabled by default but can be enabled by setting `istio.registryOnly: true`.
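As an illustration of the Summary and the Upgrade Notice above, here is a Helm-templated Istio Sidecar with `outboundTrafficPolicy.mode: REGISTRY_ONLY`, gated on `.Values.istio.registryOnly`, plus a ServiceEntry for the "whitelist egress" half of the title. This is an added example and not the template from this MR; the file name, the `.Release.Namespace` mapping to the Kyverno namespace, the `"*/*"` hosts list and the `.Values.istio.allowedExternalHosts` list are assumptions, and the host in the comment is a placeholder.

```yaml
# templates/istio-sidecar.yaml (assumed file name; illustrative example, not the MR's own template)
{{- if .Values.istio.registryOnly }}
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  # A Sidecar named "default" with no workloadSelector applies to every
  # sidecar-injected pod in the namespace.
  name: default
  # Assumed: the chart is released into the Kyverno namespace.
  namespace: {{ .Release.Namespace }}
spec:
  egress:
    - hosts:
        # Keep every service in the registry visible; REGISTRY_ONLY below is
        # what blocks destinations the registry does not know about.
        - "*/*"
  outboundTrafficPolicy:
    # Envoy's passthrough cluster is replaced by a black hole: outbound
    # connections to unknown hosts are refused (HTTP callers see a 502).
    mode: REGISTRY_ONLY

# Optional allow-list: every entry in the assumed .Values.istio.allowedExternalHosts
# list becomes a ServiceEntry, which adds that host to the registry so the
# Sidecar above lets traffic through. Example values.yaml entry:
#   istio:
#     registryOnly: true
#     allowedExternalHosts:
#       - external.example.invalid   # placeholder host
{{- range .Values.istio.allowedExternalHosts }}
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: egress-{{ . | replace "." "-" }}
  namespace: {{ $.Release.Namespace }}
spec:
  hosts:
    - {{ . | quote }}
  location: MESH_EXTERNAL
  ports:
    - number: 443
      name: https
      protocol: TLS
  resolution: DNS
{{- end }}
{{- end }}
```

After `helm upgrade` with `istio.registryOnly: true`, `kubectl get sidecar,serviceentry -n <kyverno-namespace>` should list the resources; with the default `false` nothing is rendered. Leaving the hosts list at `"*/*"` matches the behavior described in this MR (only non-registry destinations are denied); if the list is ever narrowed per namespace, remember that Kyverno's controllers need the Kubernetes API service, which lives in the `default` namespace, so it has to stay visible.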
Be sure to assign to yourself: @charden
Closes #67 (closed)