From 281a97840a69cc8ca387aa765bf3499a77b8ac1f Mon Sep 17 00:00:00 2001
From: "garcia.ryan"
Date: Thu, 17 Jun 2021 09:09:29 -0600
Subject: [PATCH 1/4] feat: Syntax and egress fixes on Network Policy resources

---
 CHANGELOG.md | 9 +++++++++
 chart/Chart.yaml | 2 +-
 .../{dns-allow.yaml => all-egress-allow.yaml} | 11 ++++++-----
 .../bigbang/networkpolicies/es-allow.yaml | 18 ++++++++++++++++++
 .../bigbang/networkpolicies/istio.yaml | 1 -
 5 files changed, 34 insertions(+), 7 deletions(-)
 rename chart/templates/bigbang/networkpolicies/{dns-allow.yaml => all-egress-allow.yaml} (58%)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 691c918..e312484 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,15 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ---
 
+## [0.1.14-bb.1] - 2021-06-17
+### Added
+- Network Policy templates.
+  - Adding in Release.Namespace allow to Elasticsearch
+  - Adding egress to everything besides AWS API
+### Changed
+- Network Policy Template fixes.
+  - Syntax fix on podSelector in istio specific Network Policy.
+
 ## [0.1.14-bb.0] - 2021-06-08
 ### Added
 - UpgradeJob image. Allow for overrides
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index df2158b..8658410 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: logging
-version: 0.1.14-bb.0
+version: 0.1.14-bb.1
 appVersion: 7.10.0
 dependencies:
 - name: bb-test-lib
diff --git a/chart/templates/bigbang/networkpolicies/dns-allow.yaml b/chart/templates/bigbang/networkpolicies/all-egress-allow.yaml
similarity index 58%
rename from chart/templates/bigbang/networkpolicies/dns-allow.yaml
rename to chart/templates/bigbang/networkpolicies/all-egress-allow.yaml
index f0054ad..dc40731 100644
--- a/chart/templates/bigbang/networkpolicies/dns-allow.yaml
+++ b/chart/templates/bigbang/networkpolicies/all-egress-allow.yaml
@@ -2,15 +2,16 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: dns-egress
+  name: allow-all-egress
   namespace: {{ .Release.Namespace }}
 spec:
   egress:
   - to:
-    - namespaceSelector: {}
-    ports:
-    - port: 53
-      protocol: UDP
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
   podSelector: {}
   policyTypes:
   - Egress
diff --git a/chart/templates/bigbang/networkpolicies/es-allow.yaml b/chart/templates/bigbang/networkpolicies/es-allow.yaml
index 92afb8d..dfada9b 100644
--- a/chart/templates/bigbang/networkpolicies/es-allow.yaml
+++ b/chart/templates/bigbang/networkpolicies/es-allow.yaml
@@ -65,4 +65,22 @@ spec:
       common.k8s.elastic.co/type: elasticsearch
   policyTypes:
   - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: es-communication-in-namespace
+  namespace: {{ .Release.Namespace }}
+spec:
+  ingress:
+  - from:
+    - podSelector: {}
+    ports:
+    - port: 9200
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      common.k8s.elastic.co/type: elasticsearch
+  policyTypes:
+  - Ingress
 {{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/istio.yaml b/chart/templates/bigbang/networkpolicies/istio.yaml
index 734e50d..5c5c4dc 100644
--- a/chart/templates/bigbang/networkpolicies/istio.yaml
+++ b/chart/templates/bigbang/networkpolicies/istio.yaml
@@ -5,7 +5,6 @@ metadata:
   name: allow-to-istio-ingressgateway
   namespace: {{ .Release.Namespace }}
 spec:
-  podSelector: {}
   policyTypes:
   - Ingress
   ingress:
--
GitLab

From 7df84b0d8379ff8fdbcfab5debca0fbf826557ff Mon Sep 17 00:00:00 2001
From: "garcia.ryan"
Date: Thu, 17 Jun 2021 12:36:44 -0600
Subject: [PATCH 2/4] fix: restrictive Egress to kube-dns only

---
 CHANGELOG.md | 1 -
 .../{all-egress-allow.yaml => kube-dns-egress.yaml} | 12 ++++++------
 2 files changed, 6 insertions(+), 7 deletions(-)
 rename chart/templates/bigbang/networkpolicies/{all-egress-allow.yaml => kube-dns-egress.yaml} (58%)
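Review bot: The new `ipBlock` rule in all-egress-allow.yaml opens egress from every pod in the namespace (`podSelector: {}`) to `cidr: 0.0.0.0/0`, and the single `except` entry covers only the IPv4 instance-metadata address, so the comment `# ONLY Block requests to AWS metadata IP` promises more than the rule delivers on a dual-stack cluster where the IPv6 metadata endpoint is reachable. NetworkPolicy `ipBlock` is also defined for cluster-external destinations, and how a CNI treats in-cluster pod and service IPs matched by `0.0.0.0/0` varies by implementation, so this should not be read as restricting anything inside the cluster. Patch 2 of this series replaces the rule with the DNS-only policy, but patch 3 reintroduces the identical `ipBlock`/`except` block for the Elasticsearch pods in allow-all-sso-egress.yml, where the same caveat applies; the comment there would be more accurate as `# Excepts only the IPv4 IMDS address; not a substitute for IMDSv2/hop-limit controls`.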
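Review bot: The added `es-communication-in-namespace` policy admits any pod in the release namespace to Elasticsearch on 9200, since `from: - podSelector: {}` with no `namespaceSelector` selects every pod in the policy's own namespace; if the intended clients are known workloads, a `matchLabels` on that from-side selector would keep the rule least-privilege. If the broad scope is deliberate (the changelog entry suggests it is), a one-line comment above `ingress:` such as `# Any pod in the release namespace may reach Elasticsearch HTTP on 9200` would spare the next reader the same question. The template conditional closed by the `{{- end }}` context line begins outside this hunk.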
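Review bot: Removing `podSelector: {}` from `spec` in istio.yaml leaves no podSelector in the visible lines, and `spec.podSelector` is a required field of NetworkPolicySpec, so presumably the "syntax fix" named in the changelog is a duplicate key whose surviving copy sits further down the spec, outside this hunk — worth confirming with a rendered `helm template`, since a spec without one is rejected by schema validation. The `ingress:` rules and the rest of the policy continue past the end of the hunk.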
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e312484..52fb560 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,7 +8,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Added
 - Network Policy templates.
   - Adding in Release.Namespace allow to Elasticsearch
-  - Adding egress to everything besides AWS API
 ### Changed
 - Network Policy Template fixes.
   - Syntax fix on podSelector in istio specific Network Policy.
diff --git a/chart/templates/bigbang/networkpolicies/all-egress-allow.yaml b/chart/templates/bigbang/networkpolicies/kube-dns-egress.yaml
similarity index 58%
rename from chart/templates/bigbang/networkpolicies/all-egress-allow.yaml
rename to chart/templates/bigbang/networkpolicies/kube-dns-egress.yaml
index dc40731..9439893 100644
--- a/chart/templates/bigbang/networkpolicies/all-egress-allow.yaml
+++ b/chart/templates/bigbang/networkpolicies/kube-dns-egress.yaml
@@ -2,16 +2,16 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-all-egress
+  name: allow-dns-egress
   namespace: {{ .Release.Namespace }}
 spec:
   egress:
   - to:
-    - ipBlock:
-        cidr: 0.0.0.0/0
-        # ONLY Block requests to AWS metadata IP
-        except:
-        - 169.254.169.254/32
+    - namespaceSelector: {}
+    ports:
+    - port: 53
+      protocol: UDP
+  podSelector: {}
   policyTypes:
   - Egress
--
GitLab

From c3dbf5c7ab64bc44c1c790147ef86209c957b687 Mon Sep 17 00:00:00 2001
From: "garcia.ryan"
Date: Fri, 18 Jun 2021 11:47:17 -0600
Subject: [PATCH 3/4] Adding wide open egress for SSO policy

---
 .../networkpolicies/allow-all-sso-egress.yml | 20 +++++++++++++++++++
 .../networkpolicies/kube-dns-egress.yaml | 1 -
 2 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 chart/templates/bigbang/networkpolicies/allow-all-sso-egress.yml

diff --git a/chart/templates/bigbang/networkpolicies/allow-all-sso-egress.yml b/chart/templates/bigbang/networkpolicies/allow-all-sso-egress.yml
new file mode 100644
index 0000000..e209da3
--- /dev/null
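Review bot: The restored DNS rule in kube-dns-egress.yaml allows only `protocol: UDP` on port 53; resolvers fall back to TCP when a UDP answer is truncated, so a second entry `- port: 53` / `protocol: TCP` beside the UDP one is needed or some lookups will fail intermittently once this policy isolates the namespace. `namespaceSelector: {}` also permits port 53 to every pod in every namespace, which is wider than the commit title's "kube-dns only"; pairing it with a `namespaceSelector` for kube-system and a `podSelector` on the `k8s-app: kube-dns` label would match the stated intent. Because `podSelector: {}` with `policyTypes: [Egress]` makes every pod in the namespace egress-isolated, any other outbound traffic the chart's workloads need must now be allowed by a separate policy.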
+++ b/chart/templates/bigbang/networkpolicies/allow-all-sso-egress.yml
@@ -0,0 +1,20 @@
+{{- if and .Values.networkPolicies.enabled .Values.sso.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-sso-egress-elasticsearch
+  namespace: {{ .Release.Namespace }}
+spec:
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+  podSelector:
+    matchLabels:
+      common.k8s.elastic.co/type: elasticsearch
+  policyTypes:
+  - Egress
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/networkpolicies/kube-dns-egress.yaml b/chart/templates/bigbang/networkpolicies/kube-dns-egress.yaml
index 9439893..53ae468 100644
--- a/chart/templates/bigbang/networkpolicies/kube-dns-egress.yaml
+++ b/chart/templates/bigbang/networkpolicies/kube-dns-egress.yaml
@@ -11,7 +11,6 @@ spec:
     ports:
     - port: 53
       protocol: UDP
-  podSelector: {}
   policyTypes:
   - Egress
--
GitLab

From 9f9264ba3c368317a609e85a23d10cf310795218 Mon Sep 17 00:00:00 2001
From: "garcia.ryan"
Date: Fri, 18 Jun 2021 11:48:08 -0600
Subject: [PATCH 4/4] Adding wide open egress for SSO policy & CHANGELOG

---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 52fb560..cc75da0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,7 +7,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ## [0.1.14-bb.1] - 2021-06-17
 ### Added
 - Network Policy templates.
-  - Adding in Release.Namespace allow to Elasticsearch
+  - In Namespace allow to Elasticsearch
+  - Wide open Egress for SSO when SSO is enabled
 ### Changed
 - Network Policy Template fixes.
   - Syntax fix on podSelector in istio specific Network Policy.
--
GitLab
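Review bot: The new allow-all-sso-egress.yml grants the Elasticsearch pods egress to `0.0.0.0/0` on every port and protocol, while the SSO use case that gates it (`.Values.sso.enabled`) presumably only needs HTTPS to the identity provider; adding `ports:` / `- port: 443` / `protocol: TCP` under the `to:` entry would keep the rule bounded to that purpose. Two style points on the same file: it ends without a trailing newline (`\ No newline at end of file`), and it uses the `.yml` extension while its siblings in networkpolicies/ use `.yaml`, which makes globbing and review harder than it needs to be.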