np-enhancement

CHANGELOG.md

@@ -4,6 +4,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ---
 
+## [1.12.16-bb.2]
+### Changed
+- Separated network policies for required egress
+- Updated Redis dependency to 14.1.0-bb.1
+
 ## [1.12.16-bb.1]
 ### Fixed
 - allow-istio network policy fixed to remove duplicate ports

chart/Chart.lock

@@ -7,9 +7,9 @@ dependencies:
   version: 1.0.1
 - name: redis
   repository: file://./deps/redis
-  version: 14.1.0-bb.0
+  version: 14.1.0-bb.1
 - name: bb-test-lib
   repository: oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates
   version: 0.5.2
-digest: sha256:4b0f80a6ef5cabb741367909dc3f5c970844b55aeead2f7ce5fee46d515416b4
-generated: "2021-06-12T15:47:28.997659-04:00"
+digest: sha256:e417dbb27341361457c2abee500efe4ec58f0bd669480b1da2dbdaf0f6e61503
+generated: "2021-06-28T11:30:17.802593-04:00"

chart/Chart.yaml

 apiVersion: v2
 name: anchore-engine
-version: 1.12.16-bb.1
+version: 1.12.16-bb.2
 appVersion: 0.9.4
 description: Anchore container analysis and policy evaluation engine service
 keywords:
@@ -33,7 +33,7 @@ dependencies:
    condition: anchore-feeds-db.enabled,anchoreEnterpriseGlobal.enabled
    alias: anchore-feeds-db
  - name: redis
-   version: "14.1.0-bb.0"
+   version: "14.1.0-bb.1"
    repository: "file://./deps/redis"
    condition: anchore-ui-redis.enabled,anchoreEnterpriseGlobal.enabled
    alias: anchore-ui-redis

chart/deps/redis/Chart.yaml

@@ -25,4 +25,4 @@ name: redis
 sources:
   - https://github.com/bitnami/bitnami-docker-redis
   - http://redis.io/
-version: 14.1.0-bb.0
+version: 14.1.0-bb.1

chart/deps/redis/Kptfile

@@ -5,7 +5,7 @@ metadata:
 upstream:
   type: git
   git:
-    commit: 424349e5f1d571a2dbddf8c6c0621db120986c1f
+    commit: 252844f7954ce93be28543ff653dcf9e154db2c8
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/redis
     directory: /chart
-    ref: 14.1.0-bb.0
+    ref: 14.1.0-bb.1

chart/deps/redis/templates/bigbang/redis-upgrade.yaml

 {{- if .Values.cleanUpgrade.enabled }}
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: api-egress-upgrade-job
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation
+spec:
+  egress:
+  - to:
+    - ipBlock:
+        cidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+        {{- if eq .Values.networkPolicies.controlPlaneCidr "0.0.0.0/0" }}
+        # ONLY Block requests to cloud metadata IP
+        except:
+        - 169.254.169.254/32
+        {{- end }}
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: bigbang-redis-upgrade-job
+  policyTypes:
+  - Egress
+---
+{{- end }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -59,6 +86,8 @@ spec:
       name: redis-clean-upgrade
       annotations:
         sidecar.istio.io/inject: 'false'
+      labels:
+        app.kubernetes.io/name: bigbang-redis-upgrade-job
     spec:
       serviceAccountName: redis-upgrade-sa
       imagePullSecrets:
@@ -75,7 +104,7 @@ spec:
       restartPolicy: OnFailure
       containers:
         - name: redis-clean-upgrade
-          image: "registry1.dso.mil/ironbank/gitlab/gitlab/kubectl:13.9.0"
+          image: "{{ .Values.cleanUpgrade.image }}"
           command:
             - /bin/sh
             - -c

chart/deps/redis/values.yaml

@@ -22,6 +22,12 @@ monitoring:
 # REQUIRED for Chart v14 upgrade
 cleanUpgrade:
   enabled: true
+  image: "registry1.dso.mil/ironbank/gitlab/gitlab/kubectl:13.9.0"
+
+# NOTE: We default this to true in case packages consuming Redis forget to turn it on and have API traffic blocked
+networkPolicies:
+  enabled: true
+  controlPlaneCidr: 0.0.0.0/0
 
 ## Global Docker image parameters
 ## Please, note that this will override the image parameters, including dependencies, configured to use the global value

chart/templates/bigbang/networkpolicies/allow-egress-from-jobs.yaml

+{{- if .Values.networkPolicies.enabled }}
+# if external db is enabled, allow egress from ensure db job, engine upgrade job, and enterprise engine upgrade job
+{{- if (hasKey .Values.postgresql "enabled") }}
+{{- if (not .Values.postgresql.enabled) }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-ensure-db-job
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      job-name: ensure-anchore-db
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- if .Values.anchoreEngineUpgradeJob.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-engine-upgrade-job
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      job-name: anchore-engine-upgrade
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
+{{- if and .Values.anchoreEnterpriseEngineUpgradeJob.enabled .Values.anchoreEnterpriseGlobal.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-enterprise-engine-upgrade-job
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      job-name: anchore-engine-upgrade
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
+{{- end }}
+{{- end }}
+# if external feeds db is enabled, allow egress from ensure feeds db job and enterprise feeds upgrade job
+{{- if and (hasKey (index .Values "anchore-feeds-db") "enabled")  }}
+{{- if and (not (index .Values "anchore-feeds-db" "enabled")) .Values.anchoreEnterpriseGlobal.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-ensure-feeds-db-job
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      job-name: ensure-feeds-db
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- if .Values.anchoreEnterpriseFeedsUpgradeJob.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-enterprise-feeds-upgrade-job
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      job-name: anchore-enterprise-feeds-upgrade
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
+{{- end }}
+{{- end }}
+# if sso is enabled, allow egress from configure sso job
+{{- if and .Values.sso.enabled .Values.anchoreEnterpriseGlobal.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-sso-job
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      job-name: configure-sso
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
+{{- end }}
\ No newline at end of file

chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml

+{{- if .Values.networkPolicies.enabled }}
+# the api pod requires egress for:
+# - reaching out to SSO services
+# - sending out alerts/notifications
+# - optionally, communicating with an external db
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-from-api
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      component: api
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+---
+# the catalog and analyzer pods requires egress for:
+# - making connections with registries
+# - optionally, communicating with an external db
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-from-catalog
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      component: catalog
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-from-analyzers
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      component: analyzer
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- if or (hasKey .Values.postgresql "enabled") (not .Values.anchoreEnterpriseGlobal.enabled) }}
+{{- if or (not .Values.postgresql.enabled) (not .Values.anchoreEnterpriseGlobal.enabled) }}
+---
+# if an external db is enabled OR anchore enterprise is disabled, the policy engine pods will require egress to communicate with the db OR pull opensource feed data
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-from-policy-engine
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      component: policy
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
+{{- end }}
+{{- if hasKey .Values.postgresql "enabled" }}
+{{- if (not .Values.postgresql.enabled) }}
+---
+# if an external db is enabled, the simplequeue pod will require egress to communicate with the db
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-from-simplequeue
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      component: simplequeue
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
+{{- end }}
+{{- if .Values.anchoreEnterpriseGlobal.enabled }}
+---
+# if anchore enterprise is enabled, the enterprise feeds pod will require egress to pull enterprise feed data
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-from-feeds-service
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      component: enterprise-feeds
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
+{{- if and (hasKey (index .Values "anchore-ui-redis") "enabled") }}
+{{- if and (not (index .Values "anchore-ui-redis" "enabled")) .Values.anchoreEnterpriseGlobal.enabled }}
+---
+# if external redis is enabled, the ui pod will require egress as it depends on redis
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-to-external-redis
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      component: enterprise-ui
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file

chart/templates/bigbang/networkpolicies/allow-monitoring.yaml

@@ -25,6 +25,8 @@ spec:
       protocol: TCP
     - port: {{ .Values.anchoreSimpleQueue.service.port }} # anchore simplequeue api (default: 8083)
       protocol: TCP
+    - port: {{ .Values.anchoreAnalyzer.containerPort }} # anchore analyzer (default: 8084)
+      protocol: TCP
     {{- if .Values.anchoreEnterpriseGlobal.enabled }}
     - port: {{ .Values.anchoreEnterpriseFeeds.service.port }} # anchore enterprise feeds api (default: 8448)
       protocol: TCP

chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml → chart/templates/tests/test-anchore-allow-egress.yaml

-{{- if .Values.networkPolicies.enabled }}
+{{- $bbtests := .Values.bbtests | default dict -}}
+{{- $enabled := (hasKey $bbtests "enabled") -}}
+{{- if $enabled }}
+{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-egress-except-aws
+  name: test-anchore-allow-egress
   namespace: {{ .Release.Namespace }}
 spec:
-  podSelector: {}
   policyTypes:
   - Egress
+  podSelector:
+    matchLabels:
+      helm-test: enabled 
   egress:
   - to:
     - ipBlock:
@@ -15,4 +20,5 @@ spec:
         # ONLY Block requests to AWS metadata IP
         except:
         - 169.254.169.254/32
-{{- end }}
\ No newline at end of file
+{{- end }}
+{{- end }}

chart/tests/scripts/test.sh

@@ -11,7 +11,8 @@ status=$(anchore-cli --debug system status 2>&1)
 
 # IF status code is 200 AND all services are up
 if [[ ${status} =~ "httpcode from response: 200" && ${status} =~ "analyzer:8084): up" && ${status} =~ "simplequeue:8083): up" && ${status} =~ "policy:8087): up" && ${status} =~ "api:8228): up" && ${status} =~ "catalog:8082): up" ]]; then
-  echo "200 OK - all services up!"
+  echo ${status}
+  echo "***** 200 OK - all services up! *****"
 else
   echo ${status}
   sleep 10
@@ -23,7 +24,8 @@ add=$(anchore-cli --debug image add docker.io/library/centos:latest 2>&1)
 
 # IF status code is 200
 if [[ ${add} =~ "httpcode from response: 200" ]]; then
-  echo "200 OK - image analysis initiated!"
+  echo ${add}
+  echo "***** 200 OK - image analysis initiated! *****"
 else
   echo ${add}
   sleep 10
@@ -35,7 +37,8 @@ wait=$(anchore-cli --debug image wait docker.io/library/centos:latest 2>&1)
 
 # IF status code is 200
 if [[ ${wait} =~ "httpcode from response: 200" ]]; then
-  echo "200 OK - image analysis completed!"
+  echo ${wait}
+  echo "***** 200 OK - image analysis completed! *****"
 else
   echo ${wait}
   sleep 10
@@ -48,7 +51,8 @@ list=$(anchore-cli --debug image list 2>&1)
 
 # IF status code is 200
 if [[ ${list} =~ "httpcode from response: 200" ]]; then
-  echo "200 OK - image analysis stored!"
+  echo ${list}
+  echo "***** 200 OK - image analysis stored! *****"
 else
   echo ${list}
   sleep 10

tests/test-values.yml

@@ -3,11 +3,9 @@ istio:
 
 networkPolicies:
   enabled: true
-#   ingressLabels:
-#     app: istio-ingressgateway
-#     istio: ingressgateway
 
 bbtests:
+  enabled: true
   scripts:
     image: registry1.dso.mil/ironbank/anchore/cli/cli:0.9.1
     envs:
@@ -20,19 +18,9 @@ bbtests:
             name: "{{ template \"anchore-engine.fullname\" . }}-admin-pass"
             key: ANCHORE_ADMIN_PASSWORD
 
-postgresql:
-  enabled: true
-
 anchoreGlobal:
   saml:
     secret: ci-testing-only
 
 anchoreAnalyzer:
-  replicaCount: 1
-
-# anchoreEnterpriseGlobal:
-
-# anchore-feeds-db:
-
-# anchore-ui-redis:
-#   global:
\ No newline at end of file
+  replicaCount: 1
\ No newline at end of file