diff --git a/CHANGELOG.md b/CHANGELOG.md
index 691c9180629840a36e459b635c41061562457840..cc75da00c41749f1b3918b2efa4135c807434a50 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,15 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ---
+## [0.1.14-bb.1] - 2021-06-17
+### Added
+- Network Policy templates.
+ - In Namespace allow to Elasticsearch
+ - Wide open Egress for SSO when SSO is enabled
+### Changed
+- Network Policy Template fixes.
+ - Syntax fix on podSelector in istio specific Network Policy.
+
 ## [0.1.14-bb.0] - 2021-06-08
 ### Added
 - UpgradeJob image. Allow for overrides
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index df2158bc8c5c561132ad62fa90121a3f68329ebe..86584102f9a87934e4d7b4cc71309d122a072009 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: logging
-version: 0.1.14-bb.0
+version: 0.1.14-bb.1
 appVersion: 7.10.0
 dependencies:
 - name: bb-test-lib
diff --git a/chart/templates/bigbang/networkpolicies/allow-all-sso-egress.yml b/chart/templates/bigbang/networkpolicies/allow-all-sso-egress.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e209da3a4278c9227d24d46cf1d7a137da8db204
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-all-sso-egress.yml
@@ -0,0 +1,20 @@
+{{- if and .Values.networkPolicies.enabled .Values.sso.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-all-sso-egress-elasticsearch
+ namespace: {{ .Release.Namespace }}
+spec:
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ # ONLY Block requests to AWS metadata IP
+ except:
+ - 169.254.169.254/32
+ podSelector:
+ matchLabels:
+ common.k8s.elastic.co/type: elasticsearch
+ policyTypes:
+ - Egress
+{{- end }}
\ No newline at end of file
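Review bot: The egress rule in allow-all-sso-egress.yml has no `ports` list, so when SSO is enabled every Elasticsearch pod may open connections to any IPv4 destination on any port, with only 169.254.169.254/32 carved out. If the identity provider is reached over HTTPS, limiting the rule with `ports:` / `- port: 443` / `protocol: TCP` keeps the SSO path working while removing the rest. On some CNI plugins an `ipBlock` of 0.0.0.0/0 also matches pod and service addresses inside the cluster, so this policy may undo the namespace isolation the other templates set up; making the CIDR a chart value that defaults to the identity provider's range would avoid that. The inline comment would be more accurate as `# Allow all IPv4 egress except the cloud instance-metadata endpoint`, since that address is not specific to AWS.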
diff --git a/chart/templates/bigbang/networkpolicies/es-allow.yaml b/chart/templates/bigbang/networkpolicies/es-allow.yaml
index 92afb8dabc2396895a1e6a15bd741ce8fe0d41a6..dfada9b5d7ede132e5abb7d10315e3100c8223d9 100644
--- a/chart/templates/bigbang/networkpolicies/es-allow.yaml
+++ b/chart/templates/bigbang/networkpolicies/es-allow.yaml
@@ -65,4 +65,22 @@ spec:
 common.k8s.elastic.co/type: elasticsearch
 policyTypes:
 - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: es-communication-in-namespace
+ namespace: {{ .Release.Namespace }}
+spec:
+ ingress:
+ - from:
+ - podSelector: {}
+ ports:
+ - port: 9200
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ common.k8s.elastic.co/type: elasticsearch
+ policyTypes:
+ - Ingress
 {{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/istio.yaml b/chart/templates/bigbang/networkpolicies/istio.yaml
index 734e50d968a15f9d6cb9aece4c2ff189ccb60142..5c5c4dc38c737d09f115c7a64538b01c848b3825 100644
--- a/chart/templates/bigbang/networkpolicies/istio.yaml
+++ b/chart/templates/bigbang/networkpolicies/istio.yaml
@@ -5,7 +5,6 @@ metadata:
 name: allow-to-istio-ingressgateway
 namespace: {{ .Release.Namespace }}
 spec:
- podSelector: {}
 policyTypes:
 - Ingress
 ingress:
diff --git a/chart/templates/bigbang/networkpolicies/dns-allow.yaml b/chart/templates/bigbang/networkpolicies/kube-dns-egress.yaml
similarity index 92%
rename from chart/templates/bigbang/networkpolicies/dns-allow.yaml
rename to chart/templates/bigbang/networkpolicies/kube-dns-egress.yaml
index f0054ad48b6e15ce3b1332e19b2b3cc84d63fc3a..53ae46815096880d24c712245df935aec171df46 100644
--- a/chart/templates/bigbang/networkpolicies/dns-allow.yaml
+++ b/chart/templates/bigbang/networkpolicies/kube-dns-egress.yaml
@@ -2,7 +2,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
- name: dns-egress
+ name: allow-dns-egress
 namespace: {{ .Release.Namespace }}
 spec:
 egress:
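Review bot: The `from: - podSelector: {}` peer in es-communication-in-namespace admits every pod in the release namespace to port 9200, not only the components that need the Elasticsearch HTTP API. If the clients carry stable labels, selecting them with `matchLabels` would keep an unrelated or compromised workload in the namespace from reaching the API; if the breadth is intended, a comment such as `# Any pod in this namespace may reach the Elasticsearch HTTP API (9200)` above the rule records that. The policy only covers 9200, so node-to-node transport traffic has to be allowed by a rule outside this hunk, and the enclosing `{{- if }}` block opens above the lines shown.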