UNCLASSIFIED - NO CUI

Skip to content

Adding sidecar, serviceEntry to whitelist egress

Chris Harden requested to merge registry-only-sidecar-tempo into main

General MR

Summary

This MR introduces a Sidecar and a set of ServiceEntries for Tempo when istio.enabled: true and istio.hardened.enabled: true. This is in support of big-bang&160.

Additionally, during testing it was discovered that the AuthorizationPolicy previously added was preventing Monitoring and Kiali from talking to Tempo, due to a conflict between .Values.sso.enabled && .Values.istio.hardened.enabled. This has been fixed.

Relevant logs/screenshots

(Include any relevant logs/screenshots)

Linked Issue

issue

Upgrade Notices

A Sidecar resource has been added to the Tempo namespace that disallows egress to endpoints that are not part of the Istio service registry (a.k.a REGISTRY_ONLY). The outboundTrafficPolicy.mode in the Sidecar can be configured, however, to be something other than REGISTRY_ONLY if desired by setting istio.hardened.outboundTrafficPolicyMode. This provides a redundant layer of network security in addition to NetworkPolicies. This Sidecar is disabled by default but can be enabled by setting istio.enabled: true and istio.hardened.enabled: true.

Additionally, custom ServiceEntries can be created by populating the istio.hardened.customServiceEntries list.

Closes #48 (closed)

Merge request reports

Loading