Adding sidecar, serviceEntry to whitelist egress

General MR

Summary

This MR introduces a Sidecar and a set of ServiceEntries for Neuvector when istio.enabled: true and istio.hardened.enabled: true. This is in support of big-bang&160.

Relevant logs/screenshots

(Include any relevant logs/screenshots)

Linked Issue

issue

Upgrade Notices

A Sidecar resource has been added to the Tempo namespace that disallows egress to endpoints that are not part of the Istio service registry (a.k.a REGISTRY_ONLY). The outboundTrafficPolicy.mode in the Sidecar can be configured, however, to be something other than REGISTRY_ONLY if desired by setting istio.hardened.outboundTrafficPolicyMode. This provides a redundant layer of network security in addition to NetworkPolicies. This Sidecar is disabled by default but can be enabled by setting istio.enabled: true and istio.hardened.enabled: true.

Additionally, custom ServiceEntries can be created by populating the istio.hardened.customServiceEntries list.

added kindfeature priority6 statusdoing teamService Mesh labels

requested review from @seagren.tim

assigned to @charden

marked this merge request as ready

added statusreview label and removed statusdoing label

requested review from @snaq11092, @enochofori777, @ryan.j.garcia, @bkhamitov, @meganwolf, and @massey.robert

resolved all threads

resolved all threads

added 10 commits

• 1db5f06d...01b89eec - 8 commits from branch main
• 7f7f8d67 - Resolving merge conflicts
• 0dd53916 - Updating sidecar.yaml to use _helper to populate label

Compare with previous version

resolved all threads

approved this merge request

added 1 commit

• 5695ca5d - Updating IstioHardened.md to include exportTo: example

Compare with previous version

reset approvals from @seagren.tim by pushing to the branch

removed teamService Mesh label

added teamSecurity & Compliance label

So as far as I can tell, Neuvector comes bundled with its CVE database, rather than Neuvector reaching out to CVE feeds. If that's the case, this is is G2G. But would like to hear from someone on the Security & Compliance team. @snaq11092 @massey.robert @bkhamitov @enochofori777 , thoughts?

marked this merge request as draft

added statusdoing label and removed statusreview label