UNCLASSIFIED - NO CUI

Snippets Groups Projects

Currently supported Big Bang Version is 2.49

Attention Iron Bank Customers: On March 27, 2025, we are moving SBOM artifacts from the Anchore Scan job to the Build job to streamline the container hardening pipeline. If you currently download SBOMs from the Anchore Scan job, you can still get them from the Build job and from other sources, including IBFE and image attestations.

Merged Chris Harden requested to merge registry-only-sidecar-twistlock into main 1 year ago

General MR

Summary

This MR introduces a Sidecar and a set of ServiceEntries for Neuvector when istio.enabled: true and istio.hardened.enabled: true. This is in support of big-bang&160.

Relevant logs/screenshots

(Include any relevant logs/screenshots)

Linked Issue

Upgrade Notices

A Sidecar resource has been added to the Twistlock namespace that disallows egress to endpoints that are not part of the Istio service registry (a.k.a REGISTRY_ONLY). The outboundTrafficPolicy.mode in the Sidecar can be configured, however, to be something other than REGISTRY_ONLY if desired by setting istio.hardened.outboundTrafficPolicyMode. This provides a redundant layer of network security in addition to NetworkPolicies. This Sidecar is disabled by default but can be enabled by setting istio.enabled: true and istio.hardened.enabled: true.

Additionally, custom ServiceEntries can be created by populating the istio.hardened.customServiceEntries list.

Edited 1 year ago by Michael Martin

Activity

Chris Harden added kindfeature priority6 statusdoing teamService Mesh twistlock labels 1 year ago

added kindfeature priority6 statusdoing teamService Mesh twistlock labels
Chris Harden assigned to @charden 1 year ago

assigned to @charden
Chris Harden added 6 commits 1 year ago
added 6 commits

38722320...c615f196 - 5 commits from branch main

6cf67ba2 - Bumping chart

Compare with previous version
Chris Harden marked this merge request as ready 1 year ago

marked this merge request as ready
Chris Harden removed statusdoing label 1 year ago

removed statusdoing label
Chris Harden added statusreview label 1 year ago

added statusreview label
Jacob Ortiz changed the description 1 year ago

changed the description
Jacob Ortiz @ortiz.jacob · 1 year ago

Updated the issue
Tim Seagren @seagren.tim started a thread on an old version of the diff 1 year ago

Automatically resolved 1 year ago by Chris Harden
Last reply by Chris Harden 1 year ago

Tim Seagren added 1 commit 1 year ago

added 1 commit

dc70ab45 - remove istio fields from test values

Compare with previous version

bigbang bot requested review from @bkhamitov, @michaelmartin, @snaq11092, @meganwolf, @massey.robert, @ryan.j.garcia, and @enochofori777 1 year ago

requested review from @bkhamitov, @michaelmartin, @snaq11092, @meganwolf, @massey.robert, @ryan.j.garcia, and @enochofori777

Chris Harden resolved all threads 1 year ago

resolved all threads

Chris Harden added 1 commit 1 year ago

added 1 commit

44838f03 - Fix label to hardcoded twistlock

Compare with previous version

Chris Harden resolved all threads 1 year ago

resolved all threads

Chris Harden added 2 commits 1 year ago

added 2 commits

ee94f3a4 - Add capabilities to defenders
827cf629 - Bumping chart version

Compare with previous version

Chris Harden added 1 commit 1 year ago

added 1 commit

4ab456c5 - Updating sidecar.yaml to use _helper to populate label

Compare with previous version

Tim Seagren @seagren.tim · 1 year ago

@charden the MR has a few conflicts we should resolve before approving.

Chris Harden added 1 commit 1 year ago

added 1 commit

1530767d - Updating IstioHardened.md to include exportTo: example

Compare with previous version

Chris Harden added 3 commits 1 year ago

added 3 commits

1530767d...8f223d58 - 2 commits from branch main
80597a23 - Merge branch 'main' into 'registry-only-sidecar-twistlock'

Compare with previous version

Chris Harden marked this merge request as draft 1 year ago

marked this merge request as draft

Please register or sign in to reply

UNCLASSIFIED - NO CUI