From f29d80b1cf81bfe4b39d319748f586119acf97d3 Mon Sep 17 00:00:00 2001 From: Branden Cobb Date: Wed, 26 May 2021 16:05:20 +0000 Subject: [PATCH] Network policy --- CHANGELOG.md | 4 +++ chart/Chart.yaml | 8 ++--- chart/charts/.gitkeep | 0 chart/charts/bb-test-lib-0.4.0.tgz | Bin 2366 -> 0 bytes chart/charts/gluon-0.1.1.tgz | Bin 0 -> 2691 bytes chart/requirements.lock | 10 +++--- .../networkpolicies/default-deny-all.yaml | 15 +++++++++ .../helm-test-network-policy.yaml | 26 +++++++++++++++ .../bigbang/networkpolicies/istio-allow.yaml | 31 ++++++++++++++++++ .../networkpolicies/monitoring-ingress.yaml | 19 +++++++++++ .../networkpolicies/namespace-allow.yaml | 18 ++++++++++ .../networkpolicies/postgres-egress.yaml | 24 ++++++++++++++ .../tests/sonarqube-cypress-test.yaml | 4 +-- chart/values.yaml | 6 ++++ tests/test-values.yml | 3 ++ 15 files changed, 157 insertions(+), 11 deletions(-) delete mode 100644 chart/charts/.gitkeep delete mode 100644 chart/charts/bb-test-lib-0.4.0.tgz create mode 100644 chart/charts/gluon-0.1.1.tgz create mode 100644 chart/templates/bigbang/networkpolicies/default-deny-all.yaml create mode 100644 chart/templates/bigbang/networkpolicies/helm-test-network-policy.yaml create mode 100644 chart/templates/bigbang/networkpolicies/istio-allow.yaml create mode 100644 chart/templates/bigbang/networkpolicies/monitoring-ingress.yaml create mode 100644 chart/templates/bigbang/networkpolicies/namespace-allow.yaml create mode 100644 chart/templates/bigbang/networkpolicies/postgres-egress.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index 4cd7390..ec31ad8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). --- +## [9.2.6-bb.10] - 2021-05-24 +### Added +- Adding network policies. + ## [9.2.6-bb.9] - 2021-05-10 ### Changed - Moved cypress testing to the new helm test structure. 
diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 592e434..515f121 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v1 appVersion: 8.7.1-community name: sonarqube description: SonarQube is an open sourced code quality scanning tool -version: 9.2.6-bb.9 +version: 9.2.6-bb.10 keywords: - coverage - security @@ -18,6 +18,6 @@ maintainers: - name: tsiddique email: tsiddique@live.com dependencies: - - name: bb-test-lib - version: "0.4.0" - repository: "oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates" + - name: gluon + version: "0.1.1" + repository: "oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon" diff --git a/chart/charts/.gitkeep b/chart/charts/.gitkeep deleted file mode 100644 index e69de29..0000000 
diff --git a/chart/charts/bb-test-lib-0.4.0.tgz b/chart/charts/bb-test-lib-0.4.0.tgz deleted file mode 100644 index 75be43576bcc47b2ea027059ec8ce1b94b9f5dcf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2366 zcmV-E3BmRsiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PH($Z`(N1{j6Uxj~Wz?pNg^*J2`mKJ@ne%UUAoM&@PHwEQ*4X z#u96a)RB~vH0k~J1NCCd?{?!Rdwb>wTPBA?&MSvAau9e1wedI${1*vThFsH>KiX^S zbUK~0Ua$D>bUO3jo$mR`qi(O$>!0*a&MjQ`^t5yO2s-=S#`2bHL)D|so!6Qt?!Tnb zjD0|*nG^#UpExwjCO^BRdqz4=ggR6#GezHX_#5&RLaQk-lnVZy2dD%Z)Q+Gj4xph> zj=9co0GtJis%vLlBkqtM={OHf`Jvg?w10zX#;HN=e+sWNg<6MF3|XAg>`q=`gZ+0q z{r;T&pP%=82m8N|c5~xFghM6}+=ecYN&&p71_V^23tzuFGcKd+jF^Z9@S=cwLo+8u zLnCVFzyT;-f_rlVq&!^S(iGwAS8o=*>i|$8q@mW!Xgd?YO^~NVCw?O3$Q?kjHJyhc zYP|^HT_TGU;|{>}`ff30Vd;xlPR73g^cD;ft|d*UB%tf zyYBO3*xSLNGYm_Y?*SVE`9OJ&ngl`N^2=>6AFCO=4Gf{muptd=j2hLLh4?%SWiHIy zg3GI!tZB7C<-FJZ2&FKT2~-uyUM0izA}l}wSW06YfWnw*qpnG$B}p0gtuGl$m3mU3 zAF$X9sEGZHWyqO8Z|ZH9bk&FEC=W0+e9$Ky(rK=Dk#l|_ISa1`@Ot=GnhS**MZKp> zsYXo1FPR#E-`Hy?)0B#6Q2q44^#dmSfa=7Z_Ics-$8Ggw*>AwZ$0fV5|z2_80KA$!EO{e5=+Zl?(8^K*>vu3c^Im6v6Wnq!G8{ zPo4l?Wl|Y<_0QM8e0uTo%U92i{(KC#x6Aq`_}A(7I*3^f-v)AC&nqzx;WzN2IacUU zAqt&Hqv7KZU=kFQ832YV@V9tnoEWM|{AD%12A+_bbtrDZhDT>T_;C#s3C?;A zlxzr>#=tnsAMb7yG{V-W0LXHN%eVGQ*A#)b-hYIOk@Pp?K zl}x=M$mJ?gj;+v!*@;UOVFqBII#3b!9mT&u`2HkcZGM^1 zS2L`!{LE>!OBY@-14lO#4_A+jCC^iQV-He2Jq^lJuX)Bz*^ye<3u=-<;iu>3*aIhG zYAJN%{MqDGw{@u%oK!1)DvGgQIjAvIXkJ;62}%^>K?A#@B1SkGJ%yt&44$oDr@`<> z=wLDqM4@rrFv$+B*6_``y-S#|GTkxRSU^J;h=uh$uSwJD$MpysS0S=%)~1@g zn6f!4>_J--YYmyw#;WL)7uE1;b}k24!qxSF-^AQ{?{{YL4k@aJ6b|XBySMfEA1fDq z=ZfHl{Le|RcRrv0>GsbL`Jek}oBWoht8@PEXYvtCQa~G$6Zf6|@%rv=K3np|iih=l zgytrZihU`zMMi(pgh_wGmv@rmPTa5yJrF-s&TVYs0nOM?O6Hj!z;CYmv5aSAu0kw& zCgHv=#>S|EvcI?uxKF{2(bzA}bn#u@K-`Zzb39-oVj})l#{Z?9zBB);WgkimlH)rZ zT1>Sd)==yKG&F5X{nB~x8ADSDd#U~I(Q0>+c@au%6LeT#G!xIQ4^ay1-3@-Cd-L(# zL%Zqk)>fSV+GTqtp}W{(p~PH%Z*_E+PU%Zp>2F!TkHS#Q~uxN 
z|4+|4XAAeg-pRrL-$&bE>ND9r@1DH>-Ci=NcK%TB7<4=Pe#v0_;(UYj+1h-S1Yghj zMxOq6R$_0@*VV%$l@a{^6||?tBB`LH2bh5N4-m;l(E-Cmg6nynyU_VA7lMfxj&927 zUkM?LP;*m>KLMZgMpEDw)uo1zzE5#!Nl~a4^wOeGJ-COW(9AjySQJ`E(msnq+n0P6 zq`rN{XCaXNegz+|5xA^--V`A&Ry({uaD3Q2B#*b|Ve|Rn&i@thUqSr7{t2|{|3Byb z`Tzg)PtQ7s`0qZN)k44RELVKEWSm3!Xf7rE`uxp5V4@{JMFcW8S#H22Xq{os4RL-+ zmokCYX8x)2gnr==pGj+j^Wm> zNONwW6|vC3@pOfZZ$NUg5lMA?wMq#!c4x6~R~>EIKe0h5i-lCUR~_4A|NYbX|Nor! zyNCSWy|l-0L5)ErG#Ck`@ZmB+0YT1qWCP=jh9erICeC9hY+L79CY8~k6XYCXE(1uZ z2@@vbr=XBi!^Q|1HA$nNipY5k0^`DXp_M5dvMY?>l9>el@0h^Pf?tCa#Z0>;$WQ@i z0*OOjzW?;zNQKU0cp=kN3i$BiJw!}ths4bI#b>#FhXh}gUwqabN$lH?`llWXe~Kue z;V92w$T(`JP4s2vv`IimPMet2K1;=7r~Pl|F?^tk$y~$hm#?%#G9~Sm&LJ#9>X+b3 kes;)MhcZI{cb)h-v_m_z|M~Wx00030|K~II!vH`405D9fX#fBK 
diff --git a/chart/charts/gluon-0.1.1.tgz b/chart/charts/gluon-0.1.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..b4a4878dae126348cdee9d80977a15121ba59f9f GIT binary patch literal 2691 zcmV-}3Vih+iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PGuUbK5pDpZP2H7*A^ZN>EZPyQfZjlP0-dX4*89bTZfJWHKPR zq7Z`s4*=yjPVTqgfDehHNIh)D&gFy;76~jC*e9`zb<8s<{Kpfj47sEUzxNqhuh;9H zo}A>ry zs{zSnpP-5nE*R%fJems$e?0p27no@YP!WO5Oqv-m69k1i4)Fa2srx=++D22iIrs^rNgY_!KGz2+CrC5X-4kOft32I%_(W)r{)d+`L zW-7!Z=h*-B$+1L6IA#LDZBpt&32r{!RN20?(i} z+J75frV6zVr5Lj~q3QLV!W#SUKRg{S+W(+89Gvd$|2EpPY2@N3rS!eI_^n;djD?MX zyv_}p1VKKddxW5%0mob+7mgc!=bVXX1dsDIex<3CprH{pbmRaOhYR=W3P^E0eQu5X z(!1ac1KCW4W zAytHF!z5wSXW|`(W(4k-a*Y;<(*Sw7p2e2i%?L_jO9FICLmYu6;w5sV8gnx8Zp)8~ z*sCizB>!L>HTjv#0Nla|OH%z~_lP{w1)ty}2wH5gev|UtB@_<(g^Ze>d@IjwmvA@qkh}EmJ9F+j#jtSO zU7y0Pv5K(^Fj94a5vmLu)6nQn2z;MPRV}JfO<9PK!cb zQzlTAT=7aVuauytEvtIKza&Sml=Ex8OV` z@APIfX8228s|_7i`m8bmo);*2p;19NQ8GdByb02X+wlhv%GvPrU(bGj`}nsfPk%W0 z`w@Kn*w$ZLVU>-ohFP?=&0rVJsV2x$%^*etvqOg!XqV@L$_^@w59Y#Nk~7TkN669O z^_Hk195ZJbcc_qF7dLpGja$7j<5=l|-(c&^SzNF47NtCQt4%o<_PSsdI#h^4Po&YX zY@z^$D)64cH}MCSg7>#?zzfGS_SGg6LlucXbYow@8d9?g$;Uj=ae4wju7D!J>B$1p z8!2*~537~=hU(nKk_Dx{p<368sjK$J%v{(^yW&h)gz_3XQ_O2umtw3_Qx>PTD9HlA zZuO%i_p_=-3;Da$ijssjg;>S7g)Q9B6XJVj;NWWZHJp#lR+&nkCHSj7;_11A4@41D9W!btq)oi_=DylOUNAH1_SI3u?1_Z(*EPDAIcZW3 zhh=({9Kk^?QSx1L!3Nhi=~_qgrWCI~^P`w{ANMte3e8gsGDC@CI;vq;RKy4e=ikD? 
z6h=R+UZ+NK?MQEVd2kK~i(JlgIrH&p&f|Y)(%>R_OMEMKv<*piH|07VGVS-)EV@O9 zLT#urRkZLNr)ceCVQWHL1Gv5HDt4@t;LVcdHR;Tj>ZA1OiS?~@+lMB1mes^fKTgf~>{cLhhvc72HguD7wm0Rz2@H5?Oo_+7yO@Fr5 z{rxWrfp<{;wYL82^x;zd*Ta*+{`-F$t;;$K>0hh-i`oFB5f&BbmP6g;V69^&$x{Qn zDj{2-?yIgKE7^Cm3bIYy`I5ryKH#^C)e&}A`gPNsz>>CIFW_#sp3P$J+x_aS^Zz?2 z|61q&PtS(^rTDLZviJYD(bkyrLe|v#0=)mt3eZZb?yCN*-`jNo+U8YRHPRQ0vdUYQ z)ts+g1nsc4s=d0ZQD3!KVYO6awTmjNT20h)an;h@?iWyuRMI=EEUMF7)#hwOcTw53 zTs~BAWR9w(;AfY2-X%#D4P=w8kEMb_Nr4GC{vIOPC^VQc>fovX{M3#KiW@w`M26ot zMjFKh0O2H&5&ZT29BBgp!-)jf^E|h8;AJKR6Y+dHA*3C$1qJcjSB<2=Hqopu6sWm` zP3i=8ed)iQ-Z!sbmvy$j@8;+=@BDAKIHLMYZc-dkx#usdIHKjcv)X8DQA0JjgQA9o zb?&gJVHHWcENa-MWTC~-x2afIik8>u_-1}!J0Gyx{=3O(z|Xf|W9{nK4U03b#gc}} zZ*A_4l8#M^GPa=on&lW?Es9jZqWlKIH%5 zud}pp&3b~IL(F9W2{qw_iTGPk$f;pdgp`^|t)Gg>xeo&4Jd}pRRNo!X zo8XrqMLyGR2~t$RnLy%@C$HYVGE$*)A0Epjkpf;negzRz+95GBe*U-EzC(f!%Fq8+ z9h2C%f2vnK75*GiK*RGag)!r(onxXeQs_vDi8Ok8>YhQ^jPa;n|a? x+99cuHf(nYi;(&SxRUQ2GS#7s(EoaGjrMKd_U&tE{|x{D|Nn#y-Ua|n0063gS|tDg literal 0 HcmV?d00001 diff --git a/chart/requirements.lock b/chart/requirements.lock index df6e03a..f7b92aa 100644 --- a/chart/requirements.lock +++ b/chart/requirements.lock @@ -1,6 +1,6 @@ dependencies: -- name: postgresql - repository: file://./deps/postgresql - version: 8.6.4 -digest: sha256:ee20a56a481163f172694703dccf40e88ca9f8a5a4b1637f8dce3361f592aed2 -generated: "2021-05-07T13:46:34.5689816-06:00" +- name: gluon + repository: oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon + version: 0.1.1 +digest: sha256:cf1107c00a11cde8074a39624643312fe85ee11250bb7d9380e3787bde0af0f7 +generated: "2021-05-25T13:09:48.372995-06:00" diff --git a/chart/templates/bigbang/networkpolicies/default-deny-all.yaml b/chart/templates/bigbang/networkpolicies/default-deny-all.yaml new file mode 100644 index 0000000..6ee4c27 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/default-deny-all.yaml 
@@ -0,0 +1,15 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny-all + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + egress: + - to: + - namespaceSelector: {} +{{- end }} \ No newline at end of file diff --git a/chart/templates/bigbang/networkpolicies/helm-test-network-policy.yaml b/chart/templates/bigbang/networkpolicies/helm-test-network-policy.yaml new file mode 100644 index 0000000..fd3d356 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/helm-test-network-policy.yaml @@ -0,0 +1,26 @@ +{{- $bbtests := .Values.bbtests | default dict -}} +{{- $cypress := $bbtests.cypress | default dict -}} +{{- $enabled := (hasKey $bbtests "enabled") -}} +{{- $artifacts := (hasKey $cypress "artifacts") -}} +{{- if and $enabled $artifacts }} +{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled .Values.bbtests.cypress.artifacts }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-helm-test-egress + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + helm-test: enabled + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 +{{- end }} +{{- end }} \ No newline at end of file diff --git a/chart/templates/bigbang/networkpolicies/istio-allow.yaml b/chart/templates/bigbang/networkpolicies/istio-allow.yaml new file mode 100644 index 0000000..3bbc079 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/istio-allow.yaml 
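Review bot: The egress rule at the end of this hunk, `to: - namespaceSelector: {}`, permits traffic to every pod in every namespace, so the policy named default-deny-all only denies ingress; egress to cluster pods stays open for all pods matched by `podSelector: {}`. If that rule exists to keep DNS resolution working under the deny, it can be narrowed to the DNS namespace and port 53 as below (assuming the namespace carries the `kubernetes.io/metadata.name` label on this cluster); if broad in-cluster egress is intended, the name and a comment should say so. Cluster-external egress is still blocked by this policy, which is presumably why helm-test-network-policy.yaml and postgres-egress.yaml open it separately.
```yaml
# … unchanged: template guard, metadata, podSelector, policyTypes …
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```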
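Review bot: Whether this policy selects anything depends on the gluon cypress runner pod carrying the `helm-test: enabled` label used in `podSelector.matchLabels`; that label is applied by the library chart rather than by anything in this repository, so the coupling deserves a comment, e.g. `# selects the gluon helm-test pods (label applied by the gluon cypress-runner template)`. The two nested `if` guards can be collapsed into one: the outer `hasKey` checks only protect the inner lookups from nil, which `{{- if and .Values.networkPolicies.enabled $bbtests.enabled $cypress.artifacts }}` already handles because `$bbtests` and `$cypress` default to empty dicts and a missing key evaluates to nil. The trailing `\ No newline at end of file` is shared by every new template in this commit.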
@@ -0,0 +1,31 @@ +{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-istio + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + ingress: + - from: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane + podSelector: + matchLabels: + {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}} + ports: + - port: {{ .Values.service.externalPort }} + protocol: TCP + egress: + - to: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane + podSelector: + matchLabels: + istio: pilot +{{- end }} \ No newline at end of file diff --git a/chart/templates/bigbang/networkpolicies/monitoring-ingress.yaml b/chart/templates/bigbang/networkpolicies/monitoring-ingress.yaml new file mode 100644 index 0000000..09bb738 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/monitoring-ingress.yaml @@ -0,0 +1,19 @@ +{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-scraping + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: monitoring + ports: + - port: {{ .Values.service.internalPort }} + protocol: TCP +{{- end }} \ No newline at end of file diff --git a/chart/templates/bigbang/networkpolicies/namespace-allow.yaml b/chart/templates/bigbang/networkpolicies/namespace-allow.yaml new file mode 100644 index 0000000..495131c --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/namespace-allow.yaml 
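Review bot: The ingress rule's `port: {{ .Values.service.externalPort }}` uses the Service port, but a NetworkPolicy `ports` entry is matched against the port on the selected pod, i.e. the container port; monitoring-ingress.yaml in this same commit uses `.Values.service.internalPort`, so this line should read `- port: {{ .Values.service.internalPort }}` for consistency, and as written it only works while the two values happen to be equal. The `from` entry that combines `namespaceSelector` and `podSelector` is an AND, which gives the intended gateway-only scope, but the `app.kubernetes.io/name: istio-controlplane` namespace label is an assumption about the cluster that is not visible here and should be stated in a comment. The egress rule to the `istio: pilot` pods carries no `ports`, which could be narrowed to the istiod port if it is known for this deployment.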
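Review bot: The `from` entry has only a `namespaceSelector`, so any pod in the namespace labelled `app.kubernetes.io/name: monitoring` can reach `internalPort` on every pod in the release namespace (the policy's own `podSelector` is `{}`), not just the scraper. Adding a `podSelector` in the same `from` entry matching the Prometheus pods' labels, and limiting `spec.podSelector` to the SonarQube pods, would keep the opening to what scraping needs. A comment such as `# allow Prometheus in the monitoring namespace to scrape the application port` would record the intent.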
@@ -0,0 +1,18 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-in-ns + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + ingress: + - from: + - podSelector: {} + egress: + - to: + - podSelector: {} +{{- end }} \ No newline at end of file diff --git a/chart/templates/bigbang/networkpolicies/postgres-egress.yaml b/chart/templates/bigbang/networkpolicies/postgres-egress.yaml new file mode 100644 index 0000000..bb1abad --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/postgres-egress.yaml @@ -0,0 +1,24 @@ +{{- if and .Values.networkPolicies.enabled (not .Values.postgresql.enabled) }} +# For external postgres server +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-postgresql-egress + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Egress + egress: + - ports: + - protocol: TCP + port: {{ .Values.postgresql.service.port }} + to: + - ipBlock: + # This should be replaced with the IP of postgresql.postgresqlServer + #cidr: {{ .Values.postgresql.postgresqlServer }}/32 + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 +{{- end }} \ No newline at end of file diff --git a/chart/templates/tests/sonarqube-cypress-test.yaml b/chart/templates/tests/sonarqube-cypress-test.yaml index cdc9635..6ccb206 100644 --- a/chart/templates/tests/sonarqube-cypress-test.yaml +++ b/chart/templates/tests/sonarqube-cypress-test.yaml @@ -1,4 +1,4 @@ -{{- include "bb-test-lib.cypress-configmap.overrides" (list . "sonarqube-test.cypress-configmap") }} +{{- include "gluon.tests.cypress-configmap.overrides" (list . "sonarqube-test.cypress-configmap") }} {{- define "sonarqube-test.cypress-configmap" }} metadata: labels: 
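Review bot: The commented-out line `#cidr: {{ .Values.postgresql.postgresqlServer }}/32` is a YAML comment but not a template comment, so Helm still evaluates the `{{ }}` expression while rendering; either wrap it as `{{/* cidr: {{ .Values.postgresql.postgresqlServer }}/32 */}}` or drop it, keeping a prose comment that `postgresqlServer` is expected to be a hostname rather than a CIDR (which appears to be why it cannot feed `ipBlock`). As written, every pod in the namespace (`podSelector: {}`) may open TCP `postgresql.service.port` to any IPv4 address except the metadata endpoint; scoping `spec.podSelector` to the SonarQube pods and exposing the database CIDR as a chart value that defaults to `0.0.0.0/0` would let operators narrow it without editing the template.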
@@ -8,7 +8,7 @@ metadata: app.kubernetes.io/part-of: sonarqube {{- end }} --- -{{- include "bb-test-lib.cypress-runner.overrides" (list . "sonarqube-test.cypress-runner") -}} +{{- include "gluon.tests.cypress-runner.overrides" (list . "sonarqube-test.cypress-runner") -}} {{- define "sonarqube-test.cypress-runner" -}} metadata: labels: diff --git a/chart/values.yaml b/chart/values.yaml index 83a686e..7bb5d87 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -371,3 +371,9 @@ istio: - sonarqube.{{ .Values.hostname }} monitoring: enabled: false + +networkPolicies: + enabled: false + ingressLabels: + app: istio-ingressgateway + istio: ingressgateway \ No newline at end of file diff --git a/tests/test-values.yml b/tests/test-values.yml index ef111d1..e5e7fa6 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -1,4 +1,5 @@ bbtests: + enabled: true cypress: artifacts: true envs: @@ -6,3 +7,5 @@ bbtests: cypress_user: "admin" cypress_password: "admin" cypress_newpassword: "new_admin_password" +networkPolicies: + enabled: true \ No newline at end of file -- GitLab
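Review bot: The new `networkPolicies` block in values.yaml carries no comments although it drives six templates; a header such as `# NetworkPolicy resources for the release namespace. ingressLabels selects the Istio ingress gateway pods allowed to reach the service port when istio.enabled is true.` would tell operators what enabling it changes. The hunk also ends with `\ No newline at end of file`; adding the trailing newline keeps future diffs of values.yaml clean.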