Adding sidecar, serviceEntry to whitelist egress
General MR
Summary
This MR introduces a Sidecar and a set of ServiceEntries for Neuvector when istio.enabled: true and istio.hardened.enabled: true. This is in support of big-bang.
Upgrade Notices
A Sidecar resource has been added to the Twistlock namespace that disallows egress to endpoints that are not part of the Istio service registry (outboundTrafficPolicy.mode: REGISTRY_ONLY). The mode can be changed from REGISTRY_ONLY by setting istio.hardened.outboundTrafficPolicyMode. This provides a redundant layer of network security in addition to NetworkPolicies. The Sidecar is disabled by default and is rendered only when istio.enabled: true and istio.hardened.enabled: true.
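Added example, written for this notice rather than taken from the chart's templates: the namespace-wide Sidecar that the hardened mode produces, so it is clear what REGISTRY_ONLY actually enforces. The namespace name and the egress hosts list are assumptions; the chart's own template may set them differently.

```yaml
# Added example, not the chart's template. Namespace "twistlock" and the
# egress hosts list are assumptions about what the chart renders.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default          # no workloadSelector: applies to every sidecar in the namespace
  namespace: twistlock
spec:
  outboundTrafficPolicy:
    # REGISTRY_ONLY: Envoy sends any destination it cannot find in the service
    # registry to BlackHoleCluster, so the connection fails instead of being
    # passed through. Setting istio.hardened.outboundTrafficPolicyMode to
    # ALLOW_ANY restores Istio's default passthrough behaviour.
    mode: REGISTRY_ONLY
  egress:
    - hosts:
        - "./*"              # Services and ServiceEntries in this namespace
        - "istio-system/*"   # istiod and the gateways
```

To confirm the policy is in effect, fetch the resource with `kubectl -n twistlock get sidecar default -o yaml` and then exec into a Twistlock pod and request a host that has no ServiceEntry; with REGISTRY_ONLY an HTTP request is answered with a 502 from the proxy and a TLS connection is reset. The restriction is enforced by Envoy, so it only covers traffic the proxy intercepts: pods without sidecar injection, ports excluded from capture, and hostNetwork pods bypass it, which is why the NetworkPolicies remain the primary control and the Sidecar is a second layer.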
Additionally, custom ServiceEntries can be created by populating the istio.hardened.customServiceEntries list.
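Added example of the values this notice describes, not copied from the chart's values.yaml. The top-level keys (istio.enabled, istio.hardened.enabled, istio.hardened.outboundTrafficPolicyMode, istio.hardened.customServiceEntries) are the ones named above; the shape of each customServiceEntries item and the external hostname are assumptions.

```yaml
# Added example; the name/enabled/spec layout of each list item and the
# hostname are assumptions, not taken from the chart.
istio:
  enabled: true
  hardened:
    enabled: true
    outboundTrafficPolicyMode: REGISTRY_ONLY
    customServiceEntries:
      - name: twistlock-intelligence
        enabled: true
        spec:
          hosts:
            - intelligence.twistlock.example   # assumed external endpoint
          location: MESH_EXTERNAL
          resolution: DNS
          exportTo:
            - "."   # visible only in this namespace; matched by the Sidecar's "./*"
          ports:
            - number: 443
              name: https
              protocol: TLS
```

Each ServiceEntry is effectively an allow-list entry for the REGISTRY_ONLY policy, so keep `hosts` to the exact names the workload needs; a wildcard host widens the hole for every pod the Sidecar covers. `exportTo: ["."]` keeps the entry out of other namespaces' registries, while the Sidecar's `./*` egress host still lets Twistlock pods reach it.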
Merge request reports
Activity
added kindfeature priority6 statusdoing teamService Mesh twistlock labels
assigned to @charden
added 6 commits
- 38722320...c615f196 - 5 commits from branch main
- 6cf67ba2 - Bumping chart
removed statusdoing label
added statusreview label
- Automatically resolved by Chris Harden
requested review from @bkhamitov, @michaelmartin, @snaq11092, @meganwolf, @massey.robert, @ryan.j.garcia, and @enochofori777
added 2 commits
added 1 commit
- 4ab456c5 - Updating sidecar.yaml to use _helper to populate label
@charden the MR has a few conflicts we should resolve before approving.
added 1 commit
- 1530767d - Updating IstioHardened.md to include exportTo: example
added 3 commits
- 1530767d...8f223d58 - 2 commits from branch main
- 80597a23 - Merge branch 'main' into 'registry-only-sidecar-twistlock'