Completed bb-common Integration
General MR
Summary
- Updated gluon from 0.9.7 to 1.0.1
- Updated bb-common from 0.9.1 to 0.14.2
- Removed static resources and replaced with bb-common generated resources
Relevant logs/screenshots
Before Upgrade (Network Policies were already done):
kubectl get ap -n mimir
NAME ACTION AGE
mimir-allow-alloy-authz-policy ALLOW 23m
mimir-allow-grafana-authz-policy ALLOW 23m
mimir-allow-minio-authz-policy ALLOW 23m
mimir-allow-minio-operator-authz-policy ALLOW 23m
mimir-allow-namespace-authz-policy ALLOW 23m
mimir-allow-prometheus-authz-policy ALLOW 23m
kubectl get se -n mimir
NAME HOSTS LOCATION RESOLUTION AGE
cypress-service-entries-mimir ["registry.npmjs.org","download.cypress.io","cdn.cypress.io","repo1.dso.mil","grafana.dev.bigbang.mil","optimizationguide-pa.googleapis.com","clientservices.googleapis.com","accounts.google.com","redirector.gvt1.com","content-autofill.googleapis.com","safebrowsing.googleapis.com"] MESH_EXTERNAL DNS 23m
kubectl get pa -n mimir
NAME MODE AGE
default-mimir-mimir STRICT 24m
After Upgrade:
kubectl get netpol -n mimir
NAME POD-SELECTOR AGE
allow-egress-from-mimir-to-kubeapi app.kubernetes.io/name=mimir 36m
allow-egress-from-mimir-to-ns-monitoring-pod-grafana-tcp-port-3000 app.kubernetes.io/name=mimir 36m
allow-egress-from-minio-to-kubeapi app.kubernetes.io/name=minio 36m
allow-egress-from-rollout-operator-to-kubeapi app.kubernetes.io/name=rollout-operator 36m
allow-egress-from-rollout-operator-to-ns-monitoring-pod-grafana-tcp-port-3000 app.kubernetes.io/name=rollout-operator 36m
allow-ingress-to-mimir-tcp-port-15020-from-ns-monitoring-pod-prometheus app.kubernetes.io/name=mimir 36m
allow-ingress-to-mimir-tcp-ports-8080-9095-from-ns-monitoring-pod-grafana app.kubernetes.io/name=mimir 36m
allow-ingress-to-mimir-tcp-ports-8080-9095-from-ns-monitoring-pod-prometheus app.kubernetes.io/name=mimir 36m
allow-ingress-to-minio-tcp-port-15020-from-ns-monitoring-pod-prometheus app.kubernetes.io/name=minio 36m
allow-ingress-to-minio-tcp-port-9000-from-ns-minio-operator-pod-minio-operator app.kubernetes.io/name=minio 36m
allow-ingress-to-minio-tcp-port-9000-from-ns-monitoring-pod-prometheus app.kubernetes.io/name=minio 36m
allow-ingress-to-rollout-operator-tcp-port-15020-from-ns-monitoring-pod-prometheus app.kubernetes.io/name=rollout-operator 36m
allow-ingress-to-rollout-operator-tcp-ports-8080-9095-from-ns-monitoring-pod-grafana app.kubernetes.io/name=rollout-operator 36m
allow-ingress-to-rollout-operator-tcp-ports-8080-9095-from-ns-monitoring-pod-prometheus app.kubernetes.io/name=rollout-operator 36m
default-egress-allow-all-in-ns <none> 36m
default-egress-allow-istiod <none> 36m
default-egress-allow-kube-dns <none> 36m
default-egress-deny-all <none> 36m
default-ingress-allow-all-in-ns <none> 36m
default-ingress-allow-prometheus-to-istio-sidecar <none> 36m
default-ingress-deny-all <none> 36m
kubectl get ap -n mimir
NAME ACTION AGE
allow-ingress-to-mimir-tcp-port-15020-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus ALLOW 101s
allow-ingress-to-mimir-tcp-ports-8080-9095-from-ns-monitoring-with-identity-monitoring-grafana ALLOW 101s
allow-ingress-to-mimir-tcp-ports-8080-9095-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus ALLOW 101s
allow-ingress-to-minio-tcp-port-15020-from-ns-monitoring-with-identity-minio-operator ALLOW 101s
allow-ingress-to-minio-tcp-port-9000-from-ns-minio-operator-with-identity-minio-operator ALLOW 101s
allow-ingress-to-minio-tcp-port-9000-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus ALLOW 101s
allow-ingress-to-rollout-operator-tcp-port-15020-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus ALLOW 101s
allow-ingress-to-rollout-operator-tcp-ports-8080-9095-from-ns-monitoring-with-identity-monitoring-grafana ALLOW 101s
allow-ingress-to-rollout-operator-tcp-ports-8080-9095-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus ALLOW 101s
default-authz-allow-all-in-ns ALLOW 101s
default-authz-allow-nothing 101s
kubectl get se -n mimir
NAME HOSTS LOCATION RESOLUTION AGE
bb-tests-external ["repo1.dso.mil"] MESH_EXTERNAL DNS 109s
kubectl get pa -n mimir
NAME MODE AGE
default-peer-auth STRICT 116s
Validated Storage-Related Netpols and Authpols with Minio Disabled:
kubectl get netpol -n mimir (minio-related network policies gone and egress using storage-subnets umbrella policy enabled)
NAME POD-SELECTOR AGE
allow-egress-from-mimir-to-kubeapi app.kubernetes.io/name=mimir 42m
allow-egress-from-mimir-to-ns-monitoring-pod-grafana-tcp-port-3000 app.kubernetes.io/name=mimir 42m
allow-egress-from-mimir-to-storage-subnets app.kubernetes.io/name=mimir 38s
allow-egress-from-rollout-operator-to-kubeapi app.kubernetes.io/name=rollout-operator 42m
allow-egress-from-rollout-operator-to-ns-monitoring-pod-grafana-tcp-port-3000 app.kubernetes.io/name=rollout-operator 42m
allow-ingress-to-mimir-tcp-port-15020-from-ns-monitoring-pod-prometheus app.kubernetes.io/name=mimir 42m
allow-ingress-to-mimir-tcp-ports-8080-9095-from-ns-monitoring-pod-grafana app.kubernetes.io/name=mimir 42m
allow-ingress-to-mimir-tcp-ports-8080-9095-from-ns-monitoring-pod-prometheus app.kubernetes.io/name=mimir 42m
allow-ingress-to-rollout-operator-tcp-port-15020-from-ns-monitoring-pod-prometheus app.kubernetes.io/name=rollout-operator 42m
allow-ingress-to-rollout-operator-tcp-ports-8080-9095-from-ns-monitoring-pod-grafana app.kubernetes.io/name=rollout-operator 42m
allow-ingress-to-rollout-operator-tcp-ports-8080-9095-from-ns-monitoring-pod-prometheus app.kubernetes.io/name=rollout-operator 42m
default-egress-allow-all-in-ns <none> 42m
default-egress-allow-istiod <none> 42m
default-egress-allow-kube-dns <none> 42m
default-egress-deny-all <none> 42m
default-ingress-allow-all-in-ns <none> 42m
default-ingress-allow-prometheus-to-istio-sidecar <none> 42m
default-ingress-deny-all <none> 42m
kubectl get ap -n mimir (No minio-related authpols present)
NAME ACTION AGE
allow-ingress-to-mimir-tcp-port-15020-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus ALLOW 7m15s
allow-ingress-to-mimir-tcp-ports-8080-9095-from-ns-monitoring-with-identity-monitoring-grafana ALLOW 7m15s
allow-ingress-to-mimir-tcp-ports-8080-9095-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus ALLOW 7m15s
allow-ingress-to-rollout-operator-tcp-port-15020-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus ALLOW 7m15s
allow-ingress-to-rollout-operator-tcp-ports-8080-9095-from-ns-monitoring-with-identity-monitoring-grafana ALLOW 7m15s
allow-ingress-to-rollout-operator-tcp-ports-8080-9095-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus ALLOW 7m15s
default-authz-allow-all-in-ns ALLOW 7m15s
default-authz-allow-nothing
Linked Issue
Upgrade Notices
Mimir is now leveraging our bb-common integration for all network policies and Istio-related resources. Please refer to this blog post for additional information on the integration.
Umbrella Branch
mimir-bb-common
Edited by Jimmy Bourque
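An added example, not part of the merge request or the bb-common project: a shell function that automates the "Minio Disabled" validation from the description by reading `kubectl get netpol` output on stdin. The sample listings are constructed from the output shown in the description, and the function and sample names are hypothetical.

```shell
# Added example (not from the MR): audit a `kubectl get netpol` listing.
# Live use, assuming cluster access:
#   kubectl get netpol -n mimir --no-headers | audit_netpols

# Reads the listing on stdin, prints one line per finding, returns 0 if clean.
audit_netpols() {
  names=$(awk 'NF && $1 != "NAME" { print $1 }')  # first column = policy name
  rc=0
  # Deny-all baselines isolate pods that no allow-* policy selects; the
  # storage-subnets egress rule is the one the MR expects once MinIO is off.
  for required in default-egress-deny-all default-ingress-deny-all \
                  allow-egress-from-mimir-to-storage-subnets; do
    if ! printf '%s\n' "$names" | grep -qx -- "$required"; then
      echo "MISSING: $required"; rc=1
    fi
  done
  # With MinIO disabled, a leftover minio policy is a stale allow rule.
  stale=$(printf '%s\n' "$names" | grep -- 'minio' || true)
  if [ -n "$stale" ]; then
    printf 'STALE: %s\n' $stale; rc=1
  fi
  return $rc
}

# Constructed samples, trimmed from the listings in the description.
sample_minio_disabled() { cat <<'EOF'
NAME POD-SELECTOR AGE
allow-egress-from-mimir-to-kubeapi app.kubernetes.io/name=mimir 42m
allow-egress-from-mimir-to-storage-subnets app.kubernetes.io/name=mimir 38s
default-egress-deny-all <none> 42m
default-ingress-deny-all <none> 42m
EOF
}
sample_minio_enabled() { cat <<'EOF'
NAME POD-SELECTOR AGE
allow-egress-from-minio-to-kubeapi app.kubernetes.io/name=minio 36m
default-egress-deny-all <none> 36m
default-ingress-deny-all <none> 36m
EOF
}

sample_minio_disabled | audit_netpols && echo "minio-disabled listing: OK"
sample_minio_enabled | audit_netpols || echo "minio-enabled listing: findings above"
```

The same function can be pointed at `kubectl get ap` output to confirm that no minio-related AuthorizationPolicies remain, after adjusting the list of required names.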


