From b30d8be542de315258e4ced8cc120c324b2ecc4b Mon Sep 17 00:00:00 2001 From: bhearn Date: Fri, 28 May 2021 17:41:37 +0000 Subject: [PATCH] update "chart" (https://github.com/anchore/anchore-charts) from "anchore-engine-1.12.13" (f9a34a42d694e657b5f3d493f590fc3f7a8b933e) to "anchore-engine-1.12.15" (f50573427adb8d582eaea20c968bb0391cb79c48) --- CHANGELOG.md | 11 ++- chart/Chart.yaml | 4 +- chart/Kptfile | 4 +- .../allow-egress-except-aws.yaml | 18 +++++ .../bigbang/networkpolicies/allow-in-ns.yaml | 18 +++++ .../bigbang/networkpolicies/allow-istio.yaml | 78 +++++++++++++++++++ .../networkpolicies/allow-kube-dns.yaml | 19 +++++ .../networkpolicies/allow-monitoring.yaml | 34 ++++++++ .../bigbang/networkpolicies/default-deny.yaml | 12 +++ chart/templates/enterprise_ui_deployment.yaml | 2 +- chart/values.yaml | 12 ++- docs/BBCHANGES.md | 8 +- tests/images.txt | 4 +- tests/test-values.yml | 6 ++ 14 files changed, 218 insertions(+), 12 deletions(-) create mode 100644 chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml create mode 100644 chart/templates/bigbang/networkpolicies/allow-in-ns.yaml create mode 100644 chart/templates/bigbang/networkpolicies/allow-istio.yaml create mode 100644 chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml create mode 100644 chart/templates/bigbang/networkpolicies/allow-monitoring.yaml create mode 100644 chart/templates/bigbang/networkpolicies/default-deny.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index 9b80ccc..757147f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,7 +3,16 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). --- -## [1.12.7-bb.4] +## [1.12.15-bb.0] +### Changed +- Updated docs for BB documentation standards +- Added optional network policies +- Bumped upstream chart version to 1.12.15 +- Bumped Anchore Engine image version to 0.9.4 from Registry1 +- Bumped Anchore Enterprise image version to 3.0.3 from Registry1 +- Bumped Anchore Enterprise UI image version to 3.0.3 from Registry1 + +## [1.12.13-bb.0] ### Changed - Added Helm bash testing for API using approved Iron Bank image - Bumped upstream chart version to 1.12.13 diff --git a/chart/Chart.yaml b/chart/Chart.yaml index f33ad55..6d4387d 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: anchore-engine -version: 1.12.13-bb.0 -appVersion: 0.9.3 +version: 1.12.15-bb.0 +appVersion: 0.9.4 description: Anchore container analysis and policy evaluation engine service keywords: - analysis diff --git a/chart/Kptfile b/chart/Kptfile index f248c9f..e44bd5e 100644 --- a/chart/Kptfile +++ b/chart/Kptfile @@ -5,7 +5,7 @@ metadata: upstream: type: git git: - commit: f9a34a42d694e657b5f3d493f590fc3f7a8b933e + commit: f50573427adb8d582eaea20c968bb0391cb79c48 repo: https://github.com/anchore/anchore-charts directory: /stable/anchore-engine - ref: anchore-engine-1.12.13 + ref: anchore-engine-1.12.15 diff --git a/chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml b/chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml new file mode 100644 index 0000000..9d4b2b8 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml 
@@ -0,0 +1,18 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-egress-except-aws
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ # ONLY Block requests to AWS metadata IP
+ except:
+ - 169.254.169.254/32
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml b/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml
new file mode 100644
index 0000000..495131c
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-in-ns
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - podSelector: {}
+ egress:
+ - to:
+ - podSelector: {}
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/networkpolicies/allow-istio.yaml b/chart/templates/bigbang/networkpolicies/allow-istio.yaml
new file mode 100644
index 0000000..fe17541
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-istio.yaml
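Review bot: The `except` list on the `ipBlock` is IPv4-only, so on a dual-stack cluster this policy would not cover an IPv6 path to the instance-metadata service (AWS documents `fd00:ec2::254` for IMDS); if IPv6 pod networking is possible in the target clusters, a second `ipBlock` with `cidr: ::/0` and the matching `except` entry is needed. Because `podSelector: {}` and `cidr: 0.0.0.0/0` match every pod and every destination on every port, enabling this file re-opens all the egress that `default-deny` closed apart from that single address, which is fine if intended but deserves a line in the comment. The comment `# ONLY Block requests to AWS metadata IP` is also narrower than the effect: 169.254.169.254 is the metadata address on several clouds, so `# block the cloud instance-metadata endpoint (169.254.169.254 is shared by AWS, GCP, Azure and others); all other egress is allowed` describes it better.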
@@ -0,0 +1,78 @@
+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-istio
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: istio-controlplane
+ podSelector:
+ matchLabels:
+ {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}}
+ ports:
+ - port: {{ .Values.anchoreApi.service.port }} # anchore engine api (default: 8228)
+ protocol: TCP
+ - port: {{ .Values.anchoreCatalog.service.port }} # anchore catalog api (default: 8082)
+ protocol: TCP
+ - port: {{ .Values.anchorePolicyEngine.service.port }} # anchore policy engine api (default: 8087)
+ protocol: TCP
+ - port: {{ .Values.anchoreSimpleQueue.service.port }} # anchore simplequeue api (default: 8083)
+ protocol: TCP
+ {{- if not (hasKey .Values.postgresql "enabled") }}
+ - port: 5432 # in-cluster postgresql anchore db
+ protocol: TCP
+ {{- end }}
+ {{- if hasKey .Values.postgresql "enabled" }}
+ {{- if (not .Values.postgresql.enabled) }}
+ - port: "{{$v := .Values.postgresql.externalEndpoint | split ":"}}{{$v._1}}" # in-cluster postgresql anchore db (default: 5432)
+ protocol: TCP
+ {{- end }}
+ {{- end }}
+ {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+ - port: {{ .Values.anchoreEnterpriseFeeds.service.port }} # anchore enterprise feeds api (default: 8448)
+ protocol: TCP
+ - port: {{ .Values.anchoreEnterpriseRbac.service.apiPort }} # anchore enterprise rbac manager api (default: 8229)
+ protocol: TCP
+ - port: {{ .Values.anchoreEnterpriseReports.service.port }} # anchore enterprise reports api (default: 8558)
+ protocol: TCP
+ - port: {{ .Values.anchoreEnterpriseNotifications.service.port }} # anchore enterprise notifications api (default: 8668)
+ protocol: TCP
+ - port: 3000 # anchore enterprise UI (default: 3000; note: Big Bang has configured Istio to use port 80)
+ protocol: TCP
+ {{- if not (hasKey (index .Values "anchore-ui-redis") "enabled") }}
+ - port: 6379 # in-cluster redis anchore enterprise UI dependency
+ protocol: TCP
+ {{- end }}
+ {{- if hasKey (index .Values "anchore-ui-redis") "enabled" }}
+ {{- if (not (index .Values "anchore-ui-redis" "enabled")) }}
+ - port: "{{$v := (index .Values "anchore-ui-redis" "externalEndpoint") | split ":"}}{{$v._3}}" # in-cluster redis anchore enterprise UI dependency (default: 6379)
+ protocol: TCP
+ {{- end }}
+ {{- end }}
+ {{- if not (and (hasKey (index .Values "anchore-feeds-db") "enabled")) }}
+ - port: 5432 # in-cluster postgresql anchore enterprise feeds db
+ {{- end }}
+ {{- if and (hasKey (index .Values "anchore-feeds-db") "enabled") }}
+ {{- if (not (index .Values "anchore-feeds-db" "enabled")) }}
+ - port: "{{$v := (index .Values "anchore-feeds-db" "externalEndpoint") | split ":"}}{{$v._1}}" # in-cluster postgresql anchore enterprise feeds db (default: 5432)
+ protocol: TCP
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: istio-controlplane
+ podSelector:
+ matchLabels:
+ istio: pilot
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml b/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml
new file mode 100644
index 0000000..dc1db2a
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml
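Review bot: The three externally-configured database/redis ports (the `postgresql`, `anchore-ui-redis` and `anchore-feeds-db` `externalEndpoint` branches) are rendered inside double quotes, so the NetworkPolicy receives a string, and a string in `ports[].port` is treated by the API as a *named* port rather than a number — a numeric string such as `"5432"` matches no traffic and is likely rejected by validation, since port names must contain a letter. Dropping the quotes fixes it, e.g. `- port: {{$v := .Values.postgresql.externalEndpoint | split ":"}}{{$v._1}}`, because the variable assignment renders nothing; the same applies to the `{{$v._3}}` redis entry, whose index also presumes a fixed number of colon-separated segments in the endpoint value. The in-cluster feeds-db entry `- port: 5432 # in-cluster postgresql anchore enterprise feeds db` is the only port without `protocol: TCP`; the API default is TCP so it works, but it should match its siblings. Separately, `{{- if not (and (hasKey ...)) }}` and `{{- if and (hasKey ...) }}` wrap a single operand in `and`, which can be dropped, and when `postgresql.enabled` is present and true neither branch emits a 5432 entry, which may or may not be intended.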
@@ -0,0 +1,19 @@
+# Allow DNS. Due to inconsistencies in how distros label dns pods,
+# we just allow all port 53. We could provide better if we enforce/
+# standardize the kube-system labels or the coredns/kubedns labels
+{{- if .Values.networkPolicies.enabled }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-kube-dns
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {} # all pods
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector: {} # all namespaces
+ ports:
+ - port: 53 # dns port
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/networkpolicies/allow-monitoring.yaml b/chart/templates/bigbang/networkpolicies/allow-monitoring.yaml
new file mode 100644
index 0000000..8eed2e8
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-monitoring.yaml
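Review bot: `- port: 53 # dns port` carries no `protocol`, and NetworkPolicy ports default to TCP, so this rule permits only TCP/53 while ordinary resolver traffic is UDP/53 — with `default-deny` active, name resolution from the namespace would fail unless the CNI diverges from the API default. Add `protocol: UDP` to that entry and a second entry `- port: 53` / `protocol: TCP` so that both transports, including the TCP retry resolvers use for truncated responses, are allowed. The header comment already explains the broad `namespaceSelector: {}`; extending it with `# both UDP and TCP: resolvers retry over TCP for truncated responses` would record why two entries are present.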
@@ -0,0 +1,34 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-monitoring
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: monitoring
+ podSelector:
+ matchLabels:
+ app: prometheus
+ ports:
+ - port: {{ .Values.anchoreApi.service.port }} # anchore engine api (default: 8228)
+ protocol: TCP
+ - port: {{ .Values.anchoreCatalog.service.port }} # anchore catalog api (default: 8082)
+ protocol: TCP
+ - port: {{ .Values.anchorePolicyEngine.service.port }} # anchore policy engine api (default: 8087)
+ protocol: TCP
+ - port: {{ .Values.anchoreSimpleQueue.service.port }} # anchore simplequeue api (default: 8083)
+ protocol: TCP
+ {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+ - port: {{ .Values.anchoreEnterpriseFeeds.service.port }} # anchore enterprise feeds api (default: 8448)
+ protocol: TCP
+ - port: {{ .Values.anchoreEnterpriseRbac.service.apiPort }} # anchore enterprise rbac manager api (default: 8229)
+ protocol: TCP
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/networkpolicies/default-deny.yaml b/chart/templates/bigbang/networkpolicies/default-deny.yaml
new file mode 100644
index 0000000..a6a043e
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/default-deny.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/enterprise_ui_deployment.yaml b/chart/templates/enterprise_ui_deployment.yaml
index d46ab6d..f6b45dd 100644
--- a/chart/templates/enterprise_ui_deployment.yaml
+++ b/chart/templates/enterprise_ui_deployment.yaml
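Review bot: Under `anchoreEnterpriseGlobal.enabled` this policy opens only the feeds and RBAC ports to Prometheus, whereas allow-istio in the same commit also lists the reports, notifications and UI ports; if those services expose no metrics endpoint that is fine, but a comment such as `# reports/notifications/UI expose no scrape target` after the RBAC entry would stop the two files drifting apart unnoticed. When Istio sidecar injection is on, scrapes are often served through the sidecar's merged-metrics port rather than the application port, so it is worth confirming on a real cluster that these service ports are what Prometheus actually reaches before relying on this allow-list.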
@@ -80,7 +80,7 @@ spec: env: {{- if and (index .Values "anchoreEnterpriseUi" "existingSecret") (not (index .Values "anchore-ui-redis" "externalEndpoint")) }} - name: ANCHORE_REDIS_URI - value: redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379 + value: redis://nouser:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379 {{- end }} {{ if .Values.anchoreGlobal.dbConfig.ssl }} - name: PGSSLROOTCERT diff --git a/chart/values.yaml b/chart/values.yaml index bd8eda6..7e610d6 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -26,6 +26,12 @@ istio: hosts: - "anchore-api.{{ .Values.hostname }}" +networkPolicies: + enabled: false + ingressLabels: + app: istio-ingressgateway + istio: ingressgateway + # Enable Prometheus Monitoring monitoring: enabled: false @@ -160,7 +166,7 @@ ingress: # Global configuration shared by all anchore-engine services. anchoreGlobal: # Image used for all anchore engine deployments (excluding enterprise components). - image: registry1.dso.mil/ironbank/anchore/engine/engine:0.9.3 + image: registry1.dso.mil/ironbank/anchore/engine/engine:0.9.4 imagePullPolicy: IfNotPresent # Set image pull secret name if using an anchore-engine image from a private registry @@ -704,7 +710,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.2 + image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.3 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. # Create this secret with the following command - kubectl create secret docker-registry anchore-dockerhub-creds --docker-server=docker.io --docker-username= --docker-password= --docker-email= 
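Review bot: The rendered `ANCHORE_REDIS_URI` value still embeds the redis password inline, so it is readable by anyone who can read the Deployment or pod spec and is stored in Helm release history; the enclosing `env:` block continues outside the hunk, but the safer shape is to expose the password as its own variable from a `valueFrom.secretKeyRef` (a constructed name such as `REDIS_PASSWORD`) and write `value: redis://nouser:$(REDIS_PASSWORD)@...`, which Kubernetes expands at start-up. It is also odd that this branch is guarded by `anchoreEnterpriseUi.existingSecret` yet reads the password from `.Values "anchore-ui-redis" "password"` rather than from that secret; if that is deliberate it deserves a comment. The switch from an empty user to `nouser` is unexplained in the template; a one-line comment above the `- name:` such as `# redis URI needs a username component before the password; "nouser" is a placeholder accepted by the UI's parser -- confirm against the UI docs` would save the next maintainer rediscovering it.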
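Review bot: The new `networkPolicies` stanza in chart/values.yaml has no explanatory comment, unlike the neighbouring `# Enable Prometheus Monitoring`; a header such as `# Optional NetworkPolicies: when enabled, a default-deny for ingress and egress is installed along with allow rules for in-namespace traffic, DNS, Istio, monitoring and all egress except the cloud metadata address` and `# labels of the Istio ingress gateway pods allowed to reach the service ports` above `ingressLabels` would tell operators what flipping `enabled` does. The values excerpt mirrored in docs/BBCHANGES.md would need the same text.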
@@ -953,7 +959,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set anchore-ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.2 + image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.3 imagePullPolicy: IfNotPresent imagePullSecretName: private-registry diff --git a/docs/BBCHANGES.md b/docs/BBCHANGES.md index 7f2c004..61d229d 100644 --- a/docs/BBCHANGES.md +++ b/docs/BBCHANGES.md @@ -8,7 +8,7 @@ This provides a log of these changes to make updates from upstream faster. ## Big Bang Modifications -Added at the top of the values file are changes to support Istio, automated license creation, monitoring, and SSO. +Added at the top of the values file are changes to support Istio, optional network policies, automated license creation, monitoring, and SSO. ```yaml # Big Bang Values @@ -37,6 +37,12 @@ istio: hosts: - "anchore-api.{{ .Values.hostname }}" +networkPolicies: + enabled: false + ingressLabels: + app: istio-ingressgateway + istio: ingressgateway + # Enable Prometheus Monitoring monitoring: enabled: false diff --git a/tests/images.txt b/tests/images.txt index ac96fca..686a9f3 100644 --- a/tests/images.txt +++ b/tests/images.txt @@ -1,2 +1,2 @@ -registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.2 -registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.1 +registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.3 +registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.3 diff --git a/tests/test-values.yml b/tests/test-values.yml index 33f2d27..ef17dcd 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -1,6 +1,12 @@ istio: enabled: true +networkPolicies: + enabled: true +# ingressLabels: +# app: istio-ingressgateway +# istio: ingressgateway + bbtests: scripts: image: registry1.dso.mil/ironbank/anchore/cli/cli:0.9.1 -- GitLab