# Gatekeeper issues

Feed: https://repo1.dso.mil/big-bang/product/packages/policy/-/issues
Last updated: 2024-03-28T09:04:01Z

## Issue 215: Bigbang Bot: Update repo SBOM file

- URL: https://repo1.dso.mil/big-bang/product/packages/policy/-/issues/215
- Updated: 2024-03-28T09:04:01Z
- Author: bigbang bot

SBOM file needs to be updated.

## Issue 214: Update K8sPSPSELinuxV2 to fix empty seLinuxOptions causing improper triggers

- URL: https://repo1.dso.mil/big-bang/product/packages/policy/-/issues/214
- Updated: 2024-03-26T15:40:01Z
- Author: Robert Massey
- Assignee: Robert Massey

Empty SELinux blocks are causing the K8sPSPSELinuxV2 policy to get activated and blocking installations.

```
seLinuxOptions: {}
```

causing

```
istio-operator 35m Warning FailedCreate job/istiod-hook (combined from similar events): Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [selinux-policy] SELinux options is not allowed, pod: istiod-hook-k64bn. Allowed options: [{}]
```

Relates to https://repo1.dso.mil/big-bang/product/packages/policy/-/issues/202

## Issue 209: Add Development Maintenance Document

- URL: https://repo1.dso.mil/big-bang/product/packages/policy/-/issues/209
- Updated: 2024-03-13T16:25:13Z
- Author: Megan Wolf
- Assignee: Bulat Khamitov

Need to write a development maintenance doc - a decent base template/example would be [Kyverno](https://repo1.dso.mil/big-bang/product/packages/kyverno/-/blob/main/docs/DEVELOPMENT_MAINTENANCE.md?ref_type=heads).

## Issue 208: Renovate: Upgrade OPA Gatekeeper Package Dependencies

- URL: https://repo1.dso.mil/big-bang/product/packages/policy/-/issues/208
- Updated: 2024-03-19T00:05:01Z
- Author: bigbang bot
- Assignee: Enoch Ofori

- [ ] Sync upstream helm chart version with updated dependencies.

### Edited/Blocked

These updates have been manually edited so Renovate will no longer make changes. To discard all commits and start over, click on a checkbox.

- [ ] <!-- rebase-branch=renovate/ironbank -->[SKIP UPDATE CHECK Update Ironbank](!206) (`ironbank/opensource/openpolicyagent/gatekeeper`, `registry1.dso.mil/ironbank/opensource/kubernetes/kubectl`, `registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper`)

## Issue 206: Egress Whitelist - Gatekeeper

- URL: https://repo1.dso.mil/big-bang/product/packages/policy/-/issues/206
- Updated: 2024-03-11T15:07:39Z
- Author: Stephen Galamb

### Summary

As part of big-bang&160, we will want to enable users to configure setting the `REGISTRY_ONLY` traffic policy on a per-package basis, in addition to allowing it to be set globally in the meshConfig (see #1886). Creating Sidecars in each package will also allow us to focus on individual packages as we define what whitelists will need to be created per application.

This issue will handle this for Gatekeeper.

### Conditions

For the Sidecar template to be created, the following conditions should be met:

- Istio injection is a feature of the package
- && Istio is enabled for the package
- && The `REGISTRY_ONLY` setting for the package is enabled (can be configured globally or directly in package values)

### Sample Sidecar resource

The following Sidecar resource is applied to every workload in the `apps` namespace, and limits traffic to only resources that are known within the Istio service mesh, which by default includes all internal Kubernetes service domains.

```
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: curl
  namespace: apps
spec:
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
```

### Acceptance Criteria

- [ ] Security and Compliance package has the Sidecar above added as an optional Big Bang template
- [ ] The Sidecar is only created when the conditions listed above are true
- [ ] We validate that mesh-external endpoints are not resolvable when these resources exist

### Other notes

For some packages, it may not make sense to have a Sidecar resource. Each application/package should be evaluated to determine if it needs a Sidecar resource or not.

## Issue 199: OSCAL Package Validation

- URL: https://repo1.dso.mil/big-bang/product/packages/policy/-/issues/199
- Updated: 2024-03-14T09:03:58Z
- Author: Alvin Martinez

- Develop Lula validations for the Gatekeeper package. This includes adding a healthcheck validation and configuration validation per control where applicable. Realize that some controls may not be satisfied as of this time or with the default configuration.
- Run the validation locally and establish a baseline assessment-results document to use as a threshold for pipeline validation fail/pass.