CHANGELOG.md

@@ -2,6 +2,10 @@
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.8.4-bb.4]
+### Added
+- Kube API egress networkpolicy
+
 ## [1.8.4-bb.3]
 ### Added
 - Added network policies for istio

chart/Chart.yaml

 apiVersion: v2
 name: istio
-version: 1.8.4-bb.3
+version: 1.8.4-bb.4

chart/templates/network-policy/egress-kube-api.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-api
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: istiod
+  egress:
+  - to:
+    - ipBlock:
+        cidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+        {{- if eq .Values.networkPolicies.controlPlaneCidr "0.0.0.0/0" }}
+        # ONLY Block requests to cloud metadata IP
+        except:
+        - 169.254.169.254/32
+        {{- end }}
+  policyTypes:
+  - Egress
+{{- end }}

chart/values.yaml

@@ -221,3 +221,4 @@ values:
 
 networkPolicies:
   enabled: false
+  controlPlaneCidr: 0.0.0.0/0

tests/test-values.yaml

@@ -3,3 +3,4 @@ imagePullSecrets:
 
 networkPolicies:
   enabled: true
+  controlPlaneCidr: 172.16.0.0/12