diff --git a/CHANGELOG.md b/CHANGELOG.md index c0d9ccfdea03cc4a8992bfa894761c06bad6452c..e2ce8ad0f499a2779e603c48f5b114206b5941e0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [1.12.16-bb.2] +### Changed +- Separated network policies for required egress +- Updated Redis dependency to 14.1.0-bb.1 + ## [1.12.16-bb.1] ### Fixed - allow-istio network policy fixed to remove duplicate ports diff --git a/chart/Chart.lock b/chart/Chart.lock index e7dfcb40965ae5a5cfae76e0c897df24a25e3204..dbec6930c91a8334192dd627a1d88394a17b252c 100644 --- a/chart/Chart.lock +++ b/chart/Chart.lock @@ -7,9 +7,9 @@ dependencies: version: 1.0.1 - name: redis repository: file://./deps/redis - version: 14.1.0-bb.0 + version: 14.1.0-bb.1 - name: bb-test-lib repository: oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates version: 0.5.2 -digest: sha256:4b0f80a6ef5cabb741367909dc3f5c970844b55aeead2f7ce5fee46d515416b4 -generated: "2021-06-12T15:47:28.997659-04:00" +digest: sha256:e417dbb27341361457c2abee500efe4ec58f0bd669480b1da2dbdaf0f6e61503 +generated: "2021-06-28T11:30:17.802593-04:00" diff --git a/chart/Chart.yaml b/chart/Chart.yaml index ed879deb06dafa8612c886ae4340d2a3eca4420d..09f3a4930b74a109013e95739fd8e74f37749362 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.12.16-bb.1 +version: 1.12.16-bb.2 appVersion: 0.9.4 description: Anchore container analysis and policy evaluation engine service keywords: @@ -33,7 +33,7 @@ dependencies: condition: anchore-feeds-db.enabled,anchoreEnterpriseGlobal.enabled alias: anchore-feeds-db - name: redis - version: "14.1.0-bb.0" + version: "14.1.0-bb.1" repository: "file://./deps/redis" condition: anchore-ui-redis.enabled,anchoreEnterpriseGlobal.enabled alias: anchore-ui-redis 
diff --git a/chart/charts/postgresql-1.0.1.tgz b/chart/charts/postgresql-1.0.1.tgz index 6e0d9b2e68dc0e8a9b6d4b8812e01d1171d029fd..778887b1230266d397275628a253043d590cefaf 100644 Binary files a/chart/charts/postgresql-1.0.1.tgz and b/chart/charts/postgresql-1.0.1.tgz differ diff --git a/chart/charts/redis-14.1.0-bb.0.tgz b/chart/charts/redis-14.1.0-bb.0.tgz deleted file mode 100644 index 2315733aa09a5dabe1d7bb3c819c1e492f43b1d4..0000000000000000000000000000000000000000 Binary files a/chart/charts/redis-14.1.0-bb.0.tgz and /dev/null differ diff --git a/chart/charts/redis-14.1.0-bb.1.tgz b/chart/charts/redis-14.1.0-bb.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..5b280b156f067537ea89b22a3ecaefb0f9080a48 Binary files /dev/null and b/chart/charts/redis-14.1.0-bb.1.tgz differ diff --git a/chart/deps/redis/Chart.yaml b/chart/deps/redis/Chart.yaml index b963b251f7fe4b27fc2ceb1b6fadb12670bb1d63..41d31bbed879755a06ee049ead8e4cdd32c8da69 100644 --- a/chart/deps/redis/Chart.yaml +++ b/chart/deps/redis/Chart.yaml @@ -25,4 +25,4 @@ name: redis sources: - https://github.com/bitnami/bitnami-docker-redis - http://redis.io/ -version: 14.1.0-bb.0 +version: 14.1.0-bb.1 diff --git a/chart/deps/redis/Kptfile b/chart/deps/redis/Kptfile index 87f6d28a512ccbf47b26b865c27041aaa0bacdb4..1cc7583924f6fa53bcbcd59ccea434772a73dcc6 100644 --- a/chart/deps/redis/Kptfile +++ b/chart/deps/redis/Kptfile @@ -5,7 +5,7 @@ metadata: upstream: type: git git: - commit: 424349e5f1d571a2dbddf8c6c0621db120986c1f + commit: 252844f7954ce93be28543ff653dcf9e154db2c8 repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/redis directory: /chart - ref: 14.1.0-bb.0 + ref: 14.1.0-bb.1 diff --git a/chart/deps/redis/templates/bigbang/redis-upgrade.yaml b/chart/deps/redis/templates/bigbang/redis-upgrade.yaml index bcc8e7483b53b697862cf9f5dba3235ea996ae5e..a9960197584721b664234fe8a374b420d413206c 100644 --- a/chart/deps/redis/templates/bigbang/redis-upgrade.yaml 
+++ b/chart/deps/redis/templates/bigbang/redis-upgrade.yaml @@ -1,4 +1,31 @@ {{- if .Values.cleanUpgrade.enabled }} +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: api-egress-upgrade-job + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "-10" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation +spec: + egress: + - to: + - ipBlock: + cidr: {{ .Values.networkPolicies.controlPlaneCidr }} + {{- if eq .Values.networkPolicies.controlPlaneCidr "0.0.0.0/0" }} + # ONLY Block requests to cloud metadata IP + except: + - 169.254.169.254/32 + {{- end }} + podSelector: + matchLabels: + app.kubernetes.io/name: bigbang-redis-upgrade-job + policyTypes: + - Egress +--- +{{- end }} apiVersion: v1 kind: ServiceAccount metadata: @@ -59,6 +86,8 @@ spec: name: redis-clean-upgrade annotations: sidecar.istio.io/inject: 'false' + labels: + app.kubernetes.io/name: bigbang-redis-upgrade-job spec: serviceAccountName: redis-upgrade-sa imagePullSecrets: @@ -75,7 +104,7 @@ spec: restartPolicy: OnFailure containers: - name: redis-clean-upgrade - image: "registry1.dso.mil/ironbank/gitlab/gitlab/kubectl:13.9.0" + image: "{{ .Values.cleanUpgrade.image }}" command: - /bin/sh - -c diff --git a/chart/deps/redis/values.yaml b/chart/deps/redis/values.yaml index c96c309de20e81908eb186e67947c75686dbcc38..cd1951e57f5efea047123bc281802eb494553f22 100644 --- a/chart/deps/redis/values.yaml +++ b/chart/deps/redis/values.yaml 
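Review bot: The new NetworkPolicy in the first hunk is a pre-upgrade hook with `"helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation`, and Helm treats a hook resource that is not a Job or Pod as succeeded as soon as it has been created, so this policy is deleted right after creation rather than staying in place while the later-weighted upgrade Job runs; if the redis-clean-upgrade Job is itself a pre-upgrade hook (its hook annotations are outside this hunk), its pod would run without the policy and be either blocked by a default-deny or left unrestricted. Dropping `hook-succeeded` from the policy's delete policy and relying on `before-hook-creation` (with a post-upgrade cleanup if the leftover object is unwanted) keeps the policy alive for the job's lifetime. The `except:` block is only rendered when `controlPlaneCidr` is exactly the string `0.0.0.0/0`, which is worth a comment on that line, since any other broad range is passed through unchanged.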
@@ -22,6 +22,12 @@ monitoring: # REQUIRED for Chart v14 upgrade cleanUpgrade: enabled: true + image: "registry1.dso.mil/ironbank/gitlab/gitlab/kubectl:13.9.0" + +# NOTE: We default this to true in case packages consuming Redis forget to turn it on and have API traffic blocked +networkPolicies: + enabled: true + controlPlaneCidr: 0.0.0.0/0 ## Global Docker image parameters ## Please, note that this will override the image parameters, including dependencies, configured to use the global value diff --git a/chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml b/chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml deleted file mode 100644 index 9d4b2b8ad37b332be65a79d6c241a0869ba8d07d..0000000000000000000000000000000000000000 --- a/chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.networkPolicies.enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-egress-except-aws - namespace: {{ .Release.Namespace }} -spec: - podSelector: {} - policyTypes: - - Egress - egress: - - to: - - ipBlock: - cidr: 0.0.0.0/0 - # ONLY Block requests to AWS metadata IP - except: - - 169.254.169.254/32 -{{- end }} \ No newline at end of file diff --git a/chart/templates/bigbang/networkpolicies/allow-egress-from-jobs.yaml b/chart/templates/bigbang/networkpolicies/allow-egress-from-jobs.yaml new file mode 100644 index 0000000000000000000000000000000000000000..20051cd7752a88950ec211c154302b2f30dead21 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-egress-from-jobs.yaml 
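Review bot: `controlPlaneCidr` is added without any comment while the NOTE above `networkPolicies` only explains `enabled`; a reader has to open redis-upgrade.yaml to learn that this CIDR is the only egress destination granted to the clean-upgrade job and that the default `0.0.0.0/0` leaves it open to everything except the metadata address. Suggest `# CIDR the clean-upgrade job may reach for the Kubernetes API; the default allows all egress except 169.254.169.254, narrow it to the control plane where possible`. The value parses as a string unquoted, but `controlPlaneCidr: "0.0.0.0/0"` matches the quoted `image` line just above it.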
@@ -0,0 +1,135 @@ +{{- if .Values.networkPolicies.enabled }} +# if external db is enabled, allow egress from ensure db job, engine upgrade job, and enterprise engine upgrade job +{{- if (hasKey .Values.postgresql "enabled") }} +{{- if (not .Values.postgresql.enabled) }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-egress-ensure-db-job + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + job-name: ensure-anchore-db + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 +{{- if .Values.anchoreEngineUpgradeJob.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-egress-engine-upgrade-job + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + job-name: anchore-engine-upgrade + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 +{{- end }} +{{- if and .Values.anchoreEnterpriseEngineUpgradeJob.enabled .Values.anchoreEnterpriseGlobal.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-egress-enterprise-engine-upgrade-job + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + job-name: anchore-engine-upgrade + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 +{{- end }} +{{- end }} +{{- end }} +# if external feeds db is enabled, allow egress from ensure feeds db job and enterprise feeds upgrade job +{{- if and (hasKey (index .Values "anchore-feeds-db") "enabled") }} +{{- if and (not (index .Values "anchore-feeds-db" "enabled")) .Values.anchoreEnterpriseGlobal.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-egress-ensure-feeds-db-job + namespace: 
{{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + job-name: ensure-feeds-db + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 +{{- if .Values.anchoreEnterpriseFeedsUpgradeJob.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-egress-enterprise-feeds-upgrade-job + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + job-name: anchore-enterprise-feeds-upgrade + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 +{{- end }} +{{- end }} +{{- end }} +# if sso is enabled, allow egress from configure sso job +{{- if and .Values.sso.enabled .Values.anchoreEnterpriseGlobal.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-egress-sso-job + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + job-name: configure-sso + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 +{{- end }} +{{- end }} \ No newline at end of file diff --git a/chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml b/chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml new file mode 100644 index 0000000000000000000000000000000000000000..34ed248de4bf86ba5efc1c606fec9a118d60cb44 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml 
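Review bot: `allow-egress-enterprise-engine-upgrade-job` selects `job-name: anchore-engine-upgrade`, the same selector as `allow-egress-engine-upgrade-job` directly above it, so both policies cover the same pods and the enterprise upgrade Job gets no policy unless its name happens to coincide; the selector should name that Job. The `job-name` label is written by the Job controller from the Job's metadata.name, and if the chart derives Job names from the release fullname (the test values reference `{{ template "anchore-engine.fullname" . }}`), the literal names `ensure-anchore-db`, `anchore-engine-upgrade`, `ensure-feeds-db`, `anchore-enterprise-feeds-upgrade` and `configure-sso` would not match at all — worth checking against the Job templates, which are not in this diff. `{{- if and (hasKey (index .Values "anchore-feeds-db") "enabled") }}` is an `and` with a single operand and reads better as `{{- if hasKey (index .Values "anchore-feeds-db") "enabled" }}`; the file also ends without a trailing newline.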
@@ -0,0 +1,159 @@ +{{- if .Values.networkPolicies.enabled }} +# the api pod requires egress for: +# - reaching out to SSO services +# - sending out alerts/notifications +# - optionally, communicating with an external db +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-egress-from-api + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + component: api + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 +--- +# the catalog and analyzer pods requires egress for: +# - making connections with registries +# - optionally, communicating with an external db +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-egress-from-catalog + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + component: catalog + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-egress-from-analyzers + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + component: analyzer + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 +{{- if or (hasKey .Values.postgresql "enabled") (not .Values.anchoreEnterpriseGlobal.enabled) }} +{{- if or (not .Values.postgresql.enabled) (not .Values.anchoreEnterpriseGlobal.enabled) }} +--- +# if an external db is enabled OR anchore enterprise is disabled, the policy engine pods will require egress to communicate with the db OR pull opensource feed data +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-egress-from-policy-engine + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + component: policy + policyTypes: + - Egress 
+ egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 +{{- end }} +{{- end }} +{{- if hasKey .Values.postgresql "enabled" }} +{{- if (not .Values.postgresql.enabled) }} +--- +# if an external db is enabled, the simplequeue pod will require egress to communicate with the db +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-egress-from-simplequeue + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + component: simplequeue + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 +{{- end }} +{{- end }} +{{- if .Values.anchoreEnterpriseGlobal.enabled }} +--- +# if anchore enterprise is enabled, the enterprise feeds pod will require egress to pull enterprise feed data +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-egress-from-feeds-service + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + component: enterprise-feeds + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 +{{- end }} +{{- if and (hasKey (index .Values "anchore-ui-redis") "enabled") }} +{{- if and (not (index .Values "anchore-ui-redis" "enabled")) .Values.anchoreEnterpriseGlobal.enabled }} +--- +# if external redis is enabled, the ui pod will require egress as it depends on redis +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-egress-to-external-redis + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + component: enterprise-ui + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file 
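Review bot: The policy-engine guard is spread over two nested `if or` lines whose combined meaning (enterprise disabled, or an external database configured) is hard to read at a glance; a single `{{- if or (not .Values.anchoreEnterpriseGlobal.enabled) (and (hasKey .Values.postgresql "enabled") (not .Values.postgresql.enabled)) }}` states the intent directly. As in the jobs file, the redis guard wraps a lone operand in `and`, and `allow-egress-to-external-redis` is named by destination while every other policy here is named by source pod (`allow-egress-from-ui` would match the pattern); the file also lacks a trailing newline. Every rule in this file is `0.0.0.0/0` minus the metadata address, so the split only narrows which pods carry an egress allowance, not where they may connect — the per-component header comments explain why egress is needed, and adding that destinations are still unrestricted would spare readers a wrong assumption.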
diff --git a/chart/templates/bigbang/networkpolicies/allow-monitoring.yaml b/chart/templates/bigbang/networkpolicies/allow-monitoring.yaml index 8eed2e8b7820e3914c15f9c976fed51d4ba929b6..38fbb490948db480feb42ad4b00c66f4ab24b132 100644 --- a/chart/templates/bigbang/networkpolicies/allow-monitoring.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-monitoring.yaml @@ -25,6 +25,8 @@ spec: protocol: TCP - port: {{ .Values.anchoreSimpleQueue.service.port }} # anchore simplequeue api (default: 8083) protocol: TCP + - port: {{ .Values.anchoreAnalyzer.containerPort }} # anchore analyzer (default: 8084) + protocol: TCP {{- if .Values.anchoreEnterpriseGlobal.enabled }} - port: {{ .Values.anchoreEnterpriseFeeds.service.port }} # anchore enterprise feeds api (default: 8448) protocol: TCP diff --git a/chart/templates/tests/test-anchore-allow-egress.yaml b/chart/templates/tests/test-anchore-allow-egress.yaml new file mode 100644 index 0000000000000000000000000000000000000000..e6aa9cb8eeae92ccfe34b9e02c98564a17d620d7 --- /dev/null +++ b/chart/templates/tests/test-anchore-allow-egress.yaml @@ -0,0 +1,24 @@ +{{- $bbtests := .Values.bbtests | default dict -}} +{{- $enabled := (hasKey $bbtests "enabled") -}} +{{- if $enabled }} +{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: test-anchore-allow-egress + namespace: {{ .Release.Namespace }} +spec: + policyTypes: + - Egress + podSelector: + matchLabels: + helm-test: enabled + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 +{{- end }} +{{- end }} diff --git a/chart/tests/scripts/test.sh b/chart/tests/scripts/test.sh index 1f867f5a6c10f0fc4f70efd71eae4e7c038165d5..061f3ebccaa7ff30711234f31d9531b9ac476acb 100644 --- a/chart/tests/scripts/test.sh +++ b/chart/tests/scripts/test.sh 
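Review bot: In test-anchore-allow-egress.yaml, `$enabled` holds the result of `hasKey $bbtests "enabled"`, i.e. whether the key exists rather than whether tests are enabled, and the next guard then reads `.Values.bbtests.enabled` instead of the `$bbtests` it just defaulted. Naming the variable `$hasEnabled`, or collapsing both guards into `{{- if and (hasKey $bbtests "enabled") $bbtests.enabled .Values.networkPolicies.enabled }}`, removes the misdirection. The policy selects `helm-test: enabled`; the test pod template that would carry that label is not in this diff, so confirm it is set there.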
@@ -11,7 +11,8 @@ status=$(anchore-cli --debug system status 2>&1) # IF status code is 200 AND all services are up if [[ ${status} =~ "httpcode from response: 200" && ${status} =~ "analyzer:8084): up" && ${status} =~ "simplequeue:8083): up" && ${status} =~ "policy:8087): up" && ${status} =~ "api:8228): up" && ${status} =~ "catalog:8082): up" ]]; then - echo "200 OK - all services up!" + echo ${status} + echo "***** 200 OK - all services up! *****" else echo ${status} sleep 10 @@ -23,7 +24,8 @@ add=$(anchore-cli --debug image add docker.io/library/centos:latest 2>&1) # IF status code is 200 if [[ ${add} =~ "httpcode from response: 200" ]]; then - echo "200 OK - image analysis initiated!" + echo ${add} + echo "***** 200 OK - image analysis initiated! *****" else echo ${add} sleep 10 @@ -35,7 +37,8 @@ wait=$(anchore-cli --debug image wait docker.io/library/centos:latest 2>&1) # IF status code is 200 if [[ ${wait} =~ "httpcode from response: 200" ]]; then - echo "200 OK - image analysis completed!" + echo ${wait} + echo "***** 200 OK - image analysis completed! *****" else echo ${wait} sleep 10 @@ -48,7 +51,8 @@ list=$(anchore-cli --debug image list 2>&1) # IF status code is 200 if [[ ${list} =~ "httpcode from response: 200" ]]; then - echo "200 OK - image analysis stored!" + echo ${list} + echo "***** 200 OK - image analysis stored! *****" else echo ${list} sleep 10 diff --git a/tests/test-values.yml b/tests/test-values.yml index c6eabfa38d27f1e5feccc50eab997f004ba250d1..62dbc77190ba7a2839fd16b44d4ff1e2d9b04f8b 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -3,11 +3,9 @@ istio: networkPolicies: enabled: true -# ingressLabels: -# app: istio-ingressgateway -# istio: ingressgateway bbtests: + enabled: true scripts: image: registry1.dso.mil/ironbank/anchore/cli/cli:0.9.1 envs: 
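Review bot: `echo ${status}` — and `echo ${add}`, `echo ${wait}`, `echo ${list}` in the three following hunks — expands the captured output unquoted, so the shell word-splits it and expands any `*` or `?` it contains against the working directory; `echo "${status}"` prints it verbatim. The same unquoted form already exists in each `else` branch, so the fix applies to both branches. These new lines also print the full `--debug` output on the success path; check that anchore-cli's debug output does not carry the admin credentials before logging it unconditionally.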
@@ -20,19 +18,9 @@ bbtests: name: "{{ template \"anchore-engine.fullname\" . }}-admin-pass" key: ANCHORE_ADMIN_PASSWORD -postgresql: - enabled: true - anchoreGlobal: saml: secret: ci-testing-only anchoreAnalyzer: - replicaCount: 1 - -# anchoreEnterpriseGlobal: - -# anchore-feeds-db: - -# anchore-ui-redis: -# global: \ No newline at end of file + replicaCount: 1 \ No newline at end of file
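Review bot: The file still ends without a newline after `replicaCount: 1`, which the diff flags on both sides. Removing `postgresql: enabled: true` means the CI render now relies on the chart's default, and since the new egress templates branch on `hasKey .Values.postgresql "enabled"`, it is worth confirming the chart's default values set that key so the test render exercises the intended branch rather than silently skipping those policies.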