CHANGELOG.md

@@ -2,6 +2,10 @@
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.8.4-bb.3]
+### Added
+- Added network policies for istio
+
 ## [1.8.4-bb.2]
 ### Fixed
 - fixed bug with indentation when providing resources to istio ingressgateways
@@ -20,4 +24,3 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Changed
 - Jaeger+Kiali VirtualServices pointing directly to the UIs will be skipped when "sso.enabled: true"
 - Jaeger+Kiali VirtualServices pull in their configs from the "ingress" designation so VirtualServices can be customized.
-

CODEOWNERS

-* @nick_tetrate @joshwolf @runyontr
\ No newline at end of file
+* @barrywoodtetrate @joshwolf @kavitha @kenna81 @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia

chart/Chart.yaml

 apiVersion: v2
 name: istio
-version: 1.8.4-bb.2
+version: 1.8.4-bb.3

chart/templates/network-policy/egress-default-deny.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: egress-default-deny
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  podSelector: {}
+  policyTypes:
+    - Egress
+  egress: []
+{{- end }}

chart/templates/network-policy/egress-dns.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: egress-kube-dns
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  egress:
+    - to:
+      - namespaceSelector: {} # all namespaces
+      ports:
+        - port: 53
+          protocol: UDP
+  podSelector: {} # all pods in Release namespace
+  policyTypes:
+    - Egress
+{{- end }}

chart/templates/network-policy/egress-gateway-external.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  # Note: This is not used currently since we don't have an egress gateway
+  name: egress-gateway-traffic-to-external
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  egress:
+    - to:
+      - ipBlock:
+          cidr: 0.0.0.0/0
+          except:
+          - 169.254.169.254/32
+  podSelector:
+    matchLabels:
+      istio: egressgateway
+  policyTypes:
+    - Egress
+{{- end }}

chart/templates/network-policy/egress-virtual-services.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: egress-virtual-services
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  # Since we don't know what apps may have VS and what ports they are on, allow to all namespaces, any ports
+  egress:
+    - to:
+      - namespaceSelector: {}
+  podSelector:
+    matchLabels:
+      istio: ingressgateway
+  policyTypes:
+    - Egress
+{{- end }}

chart/templates/network-policy/ingress-default-deny.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: ingress-default-deny
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+  ingress: []
+{{- end }}

chart/templates/network-policy/ingress-egress-inside-ns.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: ingress-egress-inside-ns
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - podSelector: {}
+  egress:
+    - to:
+        - podSelector: {}
+{{- end }}

chart/templates/network-policy/ingress-gateway-external.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: ingress-external-traffic-to-gateway
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  ingress:
+    - from:
+      - ipBlock:
+          cidr: 0.0.0.0/0
+  podSelector:
+    matchLabels:
+      istio: ingressgateway
+  policyTypes:
+    - Ingress
+{{- end }}

chart/templates/network-policy/ingress-istio-enabled-ns.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: ingress-istio-injected-ns
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  ingress:
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            istio-injection: enabled
+      ports:
+        - port: 15012
+          protocol: TCP
+  podSelector:
+    matchLabels:
+      app: istiod
+  policyTypes:
+    - Ingress
+    - Egress
+{{- end }}

chart/templates/network-policy/ingress-istio-enabled-pod.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: ingress-istio-injected-pods
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  ingress:
+    - from:
+      - namespaceSelector: {}
+        podSelector:
+          matchLabels:
+            istio-sidecar.istio.io/inject: "true"
+      ports:
+        - port: 15012
+          protocol: TCP
+  podSelector:
+    matchLabels:
+      app: istiod
+  policyTypes:
+    - Ingress
+    - Egress
+{{- end }}

chart/templates/network-policy/ingress-monitoring-istiod.yaml

+{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: ingress-metric-scraping
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  ingress:
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            app.kubernetes.io/name: monitoring
+        podSelector:
+          matchLabels:
+            app: prometheus
+      ports:
+        - port: 15014
+          protocol: TCP
+  podSelector:
+    matchLabels:
+      app: istiod
+  policyTypes:
+    - Ingress
+{{- end }}

chart/templates/network-policy/ingress-webhook.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: ingress-webhook
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: istiod
+  ingress:
+    - from:
+      - ipBlock:
+          cidr: 0.0.0.0/0
+      ports:
+      - port: 15017
+        protocol: TCP
+      - port: 8080
+        protocol: TCP
+  policyTypes:
+    - Ingress
+{{- end }}

chart/values.yaml

@@ -6,12 +6,6 @@ hub: registry1.dso.mil/ironbank/opensource/istio-1.8
 # The tag to use for the image
 tag: 1.8.4
 
-tracing:
-  enabled: true
-  address: jaeger-collector.jaeger.svc
-  port:  9411
-  sampling: 10
-
 # The domain to use for the default gateway
 domain: bigbang.dev
 
@@ -21,7 +15,7 @@ openshift: false
 monitoring:
   enabled: true
 
-imagePullSecrets: [ ]
+imagePullSecrets: []
 
 gateway:
   # Sets the default hosts to match for HTTPS using the tls mode below
@@ -35,8 +29,7 @@ tls:
   credentialName: wildcard-cert
   mode: SIMPLE
 
-extraServers:
-  []
+extraServers: []
 # Example below of complete values capable of being set
 # NOTE: hosts[] is capable of dynamic templating from the .Values context
 #  - port:
@@ -92,12 +85,12 @@ ingressGateway:
         name: cpu
         targetAverageUtilization: 60
   resources: {}
-#    limits:
-#      cpu: 1.5
-#      memory: 3Gi
-#    requests:
-#      cpu: 500m
-#      memory: 1Gi
+  #    limits:
+  #      cpu: 1.5
+  #      memory: 3Gi
+  #    requests:
+  #      cpu: 500m
+  #      memory: 1Gi
   # Only "LoadBalancer" and "NodePort" are allowed
   type: LoadBalancer
 
@@ -149,8 +142,7 @@ ingressGateway:
   #  k8s toleration https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
   tolerations: []
 
-extraIngressGateways:
- []
+extraIngressGateways: []
 # Complete example of an additional ingressgateway defined below
 #  - name: private-ingressgateway
 #    k8s:
@@ -227,3 +219,5 @@ meshConfig: {}
 values:
   global: {}
 
+networkPolicies:
+  enabled: false

tests/test-values.yaml

 imagePullSecrets:
-  - private-registry-mil
+  - private-registry
+
+networkPolicies:
+  enabled: true