CHANGELOG.md

@@ -2,6 +2,14 @@
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.8.4-bb.5]
+### Fixed
+- Kube API egress allowed for all pods, not just istiod
+
+## [1.8.4-bb.4]
+### Added
+- Kube API egress networkpolicy
+
 ## [1.8.4-bb.3]
 ### Added
 - Added network policies for istio

chart/Chart.yaml

 apiVersion: v2
 name: istio
-version: 1.8.4-bb.3
+version: 1.8.4-bb.5

chart/templates/network-policy/egress-kube-api.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: egress-kube-api
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  egress:
+  - to:
+    - ipBlock:
+        cidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+        {{- if eq .Values.networkPolicies.controlPlaneCidr "0.0.0.0/0" }}
+        # ONLY Block requests to cloud metadata IP
+        except:
+        - 169.254.169.254/32
+        {{- end }}
+  policyTypes:
+  - Egress
+{{- end }}

chart/values.yaml

@@ -150,7 +150,7 @@ extraIngressGateways: []
 #        minReplicas: 1
 #        maxReplicas: 3
 #      serviceAnnotations:
-#        service.beta.kubernetes.io/aws-load-balancer-internal: "true
+#        service.beta.kubernetes.io/aws-load-balancer-internal: "true"
 #       metrics:
 #         - type: Resource
 #           resource:
@@ -221,3 +221,4 @@ values:
 
 networkPolicies:
   enabled: false
+  controlPlaneCidr: 0.0.0.0/0

tests/test-values.yaml

@@ -3,3 +3,4 @@ imagePullSecrets:
 
 networkPolicies:
   enabled: true
+  controlPlaneCidr: 172.16.0.0/12