UNCLASSIFIED - NO CUI

Integrate bb-common DSL for network policies and update related configurations

General MR

Summary

This MR integrates bb-common into the Gatekeeper package

Relevant logs/screenshots

before

NAME                      POD-SELECTOR                                                                                                                                                                   AGE
allow-egress-api          <none>                                                                                                                                                                         3m56s
allow-metric-scraping     app=gatekeeper                                                                                                                                                                 3m56s
allow-webhooks-from-api   app=gatekeeper,chart=gatekeeper,control-plane=controller-manager,gatekeeper.sh/operation=webhook,gatekeeper.sh/system=yes,heritage=Helm,release=gatekeeper-system-gatekeeper   3m56s
default-deny-ingress      <none>                                                                                                                                                                         3m56s
egress-default-deny       <none>                                                                                                                                                                         3m56s
egress-kube-dns           <none>                                                                                                                                                                         3m56s
ingress-egress-allow-ns   <none>                                                                                                                                                                         3m56s

after

NAME                                                      POD-SELECTOR                        AGE
allow-egress-from-crd-cleanup-to-kubeapi                  job-name=gatekeeper-crd-cleanup     137m
allow-egress-from-gatekeeper-to-kubeapi                   app.kubernetes.io/name=gatekeeper   137m
allow-ingress-to-gatekeeper-tcp-port-8443-from-anywhere   app.kubernetes.io/name=gatekeeper   10m
default-egress-allow-all-in-ns                            <none>                              137m
default-egress-allow-istiod                               <none>                              137m
default-egress-allow-kube-dns                             <none>                              137m
default-egress-deny-all                                   <none>                              137m
default-ingress-allow-all-in-ns                           <none>                              137m
default-ingress-allow-prometheus-to-istio-sidecar         <none>                              137m
default-ingress-deny-all                                  <none>                              137m

Linked Issue

#309 (closed)

Upgrade Notices

Gatekeeper now leverages the bb-common network policy DSL. This replaces the legacy netpol templates and standardizes the default ingress/egress policies at the namespace level. A new egress rule was added for the crd-cleanup job to preserve Kubernetes API access during post-upgrade cleanup. Webhook access was also reduced in scope under the kubeAPI definition: it is limited to port 8443 and only to the configured IP blocks, such as 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8. These should be set to your controlPlaneCIDR.
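To verify that the rendered webhook ingress policy is really as narrow as the notice states (TCP 8443, sources limited to the control-plane CIDRs), the following check can be run over the NetworkPolicy objects returned by `kubectl get netpol -o json`. This is an added example, not code from the MR, bb-common or the Gatekeeper chart; the manifest embedded below is a constructed sample of what such a rendered policy may look like, and the policy name is assumed.

```python
"""Check that a Gatekeeper webhook ingress NetworkPolicy is scoped to TCP 8443
and to an allow-list of control-plane CIDRs, as the upgrade notice describes."""
import ipaddress

# Constructed sample (not the chart's rendered output): ingress to the gatekeeper
# pods on TCP 8443 from the CIDRs named in the upgrade notice. In a real cluster
# these would be replaced by the cluster's controlPlaneCIDR.
WEBHOOK_NETPOL = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-ingress-to-gatekeeper-webhook",  # assumed name
                 "namespace": "gatekeeper-system"},
    "spec": {
        "podSelector": {"matchLabels": {"app.kubernetes.io/name": "gatekeeper"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"ipBlock": {"cidr": c}}
                     for c in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")],
            "ports": [{"protocol": "TCP", "port": 8443}],
        }],
    },
}


def ingress_violations(netpol, allowed_cidrs, port=8443):
    """Return the reasons the policy is broader than intended (empty list = OK)."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    problems = []
    spec = netpol["spec"]
    if "Ingress" not in spec.get("policyTypes", []):
        problems.append("policyTypes does not include Ingress")
    for rule in spec.get("ingress", []):
        # In the NetworkPolicy API an empty/missing 'from' admits every source
        # and a missing 'ports' admits every port, so both must be present.
        if not rule.get("from"):
            problems.append("rule has no 'from' peers: allows ingress from anywhere")
        for peer in rule.get("from", []):
            if "ipBlock" not in peer:
                problems.append(f"non-ipBlock peer {peer}: not limited to CIDRs")
                continue
            net = ipaddress.ip_network(peer["ipBlock"]["cidr"])
            if not any(net.subnet_of(a) for a in allowed):
                problems.append(f"cidr {net} is outside the allowed control-plane ranges")
        ports = rule.get("ports")
        if not ports:
            problems.append("rule has no 'ports': allows every port")
        for p in ports or []:
            if p.get("protocol", "TCP") != "TCP" or p.get("port") != port:
                problems.append(f"unexpected port entry {p}")
    return problems
```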

Umbrella Branch

309-gatekeeper-bb-common

Edited by Dax McDonald
