np-enhancement

fc165573 · bhearn · 66302fd3 · fc165573 · fc165573 · fc165573
Commit fc165573 authored Jul 01, 2021 by bhearn
16 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ---
+## [1.12.16-bb.2]
+### Changed
+- Separated network policies for required egress
+- Updated Redis dependency to 14.1.0-bb.1
 ## [1.12.16-bb.1]
 ### Fixed
 - allow-istio network policy fixed to remove duplicate ports

--- a/chart/Chart.lock
+++ b/chart/Chart.lock
@@ -7,9 +7,9 @@ dependencies:
  version: 1.0.1
 - name: redis
  repository: file://./deps/redis
-  version: 14.1.0-bb.0
+  version: 14.1.0-bb.1
 - name: bb-test-lib
  repository: oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates
  version: 0.5.2
-digest: sha256:4b0f80a6ef5cabb741367909dc3f5c970844b55aeead2f7ce5fee46d515416b4
+digest: sha256:e417dbb27341361457c2abee500efe4ec58f0bd669480b1da2dbdaf0f6e61503
-generated: "2021-06-12T15:47:28.997659-04:00"
+generated: "2021-06-28T11:30:17.802593-04:00"
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: anchore-engine
-version: 1.12.16-bb.1
+version: 1.12.16-bb.2
 appVersion: 0.9.4
 description: Anchore container analysis and policy evaluation engine service
 keywords:
@@ -33,7 +33,7 @@ dependencies:
   condition: anchore-feeds-db.enabled,anchoreEnterpriseGlobal.enabled
   alias: anchore-feeds-db
 - name: redis
-   version: "14.1.0-bb.0"
+   version: "14.1.0-bb.1"
   repository: "file://./deps/redis"
   condition: anchore-ui-redis.enabled,anchoreEnterpriseGlobal.enabled
   alias: anchore-ui-redis

--- a/chart/charts/postgresql-1.0.1.tgz
+++ b/chart/charts/postgresql-1.0.1.tgz
--- a/chart/charts/redis-14.1.0-bb.0.tgz
+++ b/chart/charts/redis-14.1.0-bb.0.tgz
--- a/chart/charts/redis-14.1.0-bb.1.tgz
+++ b/chart/charts/redis-14.1.0-bb.1.tgz
--- a/chart/deps/redis/Chart.yaml
+++ b/chart/deps/redis/Chart.yaml
@@ -25,4 +25,4 @@ name: redis
 sources:
  - https://github.com/bitnami/bitnami-docker-redis
  - http://redis.io/
-version: 14.1.0-bb.0
+version: 14.1.0-bb.1
--- a/chart/deps/redis/Kptfile
+++ b/chart/deps/redis/Kptfile
@@ -5,7 +5,7 @@ metadata:
 upstream:
  type: git
  git:
-    commit: 424349e5f1d571a2dbddf8c6c0621db120986c1f
+    commit: 252844f7954ce93be28543ff653dcf9e154db2c8
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/redis
    directory: /chart
-    ref: 14.1.0-bb.0
+    ref: 14.1.0-bb.1
--- a/chart/deps/redis/templates/bigbang/redis-upgrade.yaml
+++ b/chart/deps/redis/templates/bigbang/redis-upgrade.yaml
 {{- if .Values.cleanUpgrade.enabled }}
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: api-egress-upgrade-job
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation
+spec:
+  egress:
+  - to:
+    - ipBlock:
+        cidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+        {{- if eq .Values.networkPolicies.controlPlaneCidr "0.0.0.0/0" }}
+        # ONLY Block requests to cloud metadata IP
+        except:
+        - 169.254.169.254/32
+        {{- end }}
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: bigbang-redis-upgrade-job
+  policyTypes:
+  - Egress
+---
+{{- end }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -59,6 +86,8 @@ spec:
      name: redis-clean-upgrade
      annotations:
        sidecar.istio.io/inject: 'false'
+      labels:
+        app.kubernetes.io/name: bigbang-redis-upgrade-job
    spec:
      serviceAccountName: redis-upgrade-sa
      imagePullSecrets:
@@ -75,7 +104,7 @@ spec:
      restartPolicy: OnFailure
      containers:
        - name: redis-clean-upgrade
-          image: "registry1.dso.mil/ironbank/gitlab/gitlab/kubectl:13.9.0"
+          image: "{{ .Values.cleanUpgrade.image }}"
          command:
            - /bin/sh
            - -c

--- a/chart/deps/redis/values.yaml
+++ b/chart/deps/redis/values.yaml
@@ -22,6 +22,12 @@ monitoring:
 # REQUIRED for Chart v14 upgrade
 cleanUpgrade:
  enabled: true
+  image: "registry1.dso.mil/ironbank/gitlab/gitlab/kubectl:13.9.0"
+# NOTE: We default this to true in case packages consuming Redis forget to turn it on and have API traffic blocked
+networkPolicies:
+  enabled: true
+  controlPlaneCidr: 0.0.0.0/0
 ## Global Docker image parameters
 ## Please, note that this will override the image parameters, including dependencies, configured to use the global value

--- a/chart/templates/bigbang/networkpolicies/allow-egress-from-jobs.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-egress-from-jobs.yaml
+{{- if .Values.networkPolicies.enabled }}
+# if external db is enabled, allow egress from ensure db job, engine upgrade job, and enterprise engine upgrade job
+{{- if (hasKey .Values.postgresql "enabled") }}
+{{- if (not .Values.postgresql.enabled) }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-ensure-db-job
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      job-name: ensure-anchore-db
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- if .Values.anchoreEngineUpgradeJob.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-engine-upgrade-job
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      job-name: anchore-engine-upgrade
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
+{{- if and .Values.anchoreEnterpriseEngineUpgradeJob.enabled .Values.anchoreEnterpriseGlobal.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-enterprise-engine-upgrade-job
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      job-name: anchore-engine-upgrade
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
+{{- end }}
+{{- end }}
+# if external feeds db is enabled, allow egress from ensure feeds db job and enterprise feeds upgrade job
+{{- if and (hasKey (index .Values "anchore-feeds-db") "enabled")  }}
+{{- if and (not (index .Values "anchore-feeds-db" "enabled")) .Values.anchoreEnterpriseGlobal.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-ensure-feeds-db-job
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      job-name: ensure-feeds-db
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- if .Values.anchoreEnterpriseFeedsUpgradeJob.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-enterprise-feeds-upgrade-job
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      job-name: anchore-enterprise-feeds-upgrade
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
+{{- end }}
+{{- end }}
+# if sso is enabled, allow egress from configure sso job
+{{- if and .Values.sso.enabled .Values.anchoreEnterpriseGlobal.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-sso-job
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      job-name: configure-sso
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
+{{- end }}
\ No newline at end of file
--- a/chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml
+{{- if .Values.networkPolicies.enabled }}
+# the api pod requires egress for:
+# - reaching out to SSO services
+# - sending out alerts/notifications
+# - optionally, communicating with an external db
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-from-api
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      component: api
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+---
+# the catalog and analyzer pods requires egress for:
+# - making connections with registries
+# - optionally, communicating with an external db
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-from-catalog
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      component: catalog
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-from-analyzers
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      component: analyzer
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- if or (hasKey .Values.postgresql "enabled") (not .Values.anchoreEnterpriseGlobal.enabled) }}
+{{- if or (not .Values.postgresql.enabled) (not .Values.anchoreEnterpriseGlobal.enabled) }}
+---
+# if an external db is enabled OR anchore enterprise is disabled, the policy engine pods will require egress to communicate with the db OR pull opensource feed data
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-from-policy-engine
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      component: policy
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
+{{- end }}
+{{- if hasKey .Values.postgresql "enabled" }}
+{{- if (not .Values.postgresql.enabled) }}
+---
+# if an external db is enabled, the simplequeue pod will require egress to communicate with the db
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-from-simplequeue
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      component: simplequeue
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
+{{- end }}
+{{- if .Values.anchoreEnterpriseGlobal.enabled }}
+---
+# if anchore enterprise is enabled, the enterprise feeds pod will require egress to pull enterprise feed data
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-from-feeds-service
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      component: enterprise-feeds
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
+{{- if and (hasKey (index .Values "anchore-ui-redis") "enabled") }}
+{{- if and (not (index .Values "anchore-ui-redis" "enabled")) .Values.anchoreEnterpriseGlobal.enabled }}
+---
+# if external redis is enabled, the ui pod will require egress as it depends on redis
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-to-external-redis
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      component: enterprise-ui
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
--- a/chart/templates/bigbang/networkpolicies/allow-monitoring.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-monitoring.yaml
@@ -25,6 +25,8 @@ spec:
      protocol: TCP
    - port: {{ .Values.anchoreSimpleQueue.service.port }} # anchore simplequeue api (default: 8083)
      protocol: TCP
+    - port: {{ .Values.anchoreAnalyzer.containerPort }} # anchore analyzer (default: 8084)
+      protocol: TCP
    {{- if .Values.anchoreEnterpriseGlobal.enabled }}
    - port: {{ .Values.anchoreEnterpriseFeeds.service.port }} # anchore enterprise feeds api (default: 8448)
      protocol: TCP

--- a/chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml
-{{- if .Values.networkPolicies.enabled }}
+{{- $bbtests := .Values.bbtests | default dict -}}
+{{- $enabled := (hasKey $bbtests "enabled") -}}
+{{- if $enabled }}
+{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-egress-except-aws
+  name: test-anchore-allow-egress
  namespace: {{ .Release.Namespace }}
 spec:
-  podSelector: {}
  policyTypes:
  - Egress
+  podSelector:
+    matchLabels:
+      helm-test: enabled 
  egress:
  - to:
    - ipBlock:
@@ -16,3 +21,4 @@ spec:
        except:
        - 169.254.169.254/32
 {{- end }}
+{{- end }}
--- a/chart/tests/scripts/test.sh
+++ b/chart/tests/scripts/test.sh
@@ -11,7 +11,8 @@ status=$(anchore-cli --debug system status 2>&1)
 # IF status code is 200 AND all services are up
 if [[ ${status} =~ "httpcode from response: 200" && ${status} =~ "analyzer:8084): up" && ${status} =~ "simplequeue:8083): up" && ${status} =~ "policy:8087): up" && ${status} =~ "api:8228): up" && ${status} =~ "catalog:8082): up" ]]; then
-  echo "200 OK - all services up!"
+  echo ${status}
+  echo "***** 200 OK - all services up! *****"
 else
  echo ${status}
  sleep 10
@@ -23,7 +24,8 @@ add=$(anchore-cli --debug image add docker.io/library/centos:latest 2>&1)
 # IF status code is 200
 if [[ ${add} =~ "httpcode from response: 200" ]]; then
-  echo "200 OK - image analysis initiated!"
+  echo ${add}
+  echo "***** 200 OK - image analysis initiated! *****"
 else
  echo ${add}
  sleep 10
@@ -35,7 +37,8 @@ wait=$(anchore-cli --debug image wait docker.io/library/centos:latest 2>&1)
 # IF status code is 200
 if [[ ${wait} =~ "httpcode from response: 200" ]]; then
-  echo "200 OK - image analysis completed!"
+  echo ${wait}
+  echo "***** 200 OK - image analysis completed! *****"
 else
  echo ${wait}
  sleep 10
@@ -48,7 +51,8 @@ list=$(anchore-cli --debug image list 2>&1)
 # IF status code is 200
 if [[ ${list} =~ "httpcode from response: 200" ]]; then
-  echo "200 OK - image analysis stored!"
+  echo ${list}
+  echo "***** 200 OK - image analysis stored! *****"
 else
  echo ${list}
  sleep 10

--- a/tests/test-values.yml
+++ b/tests/test-values.yml
@@ -3,11 +3,9 @@ istio:
 networkPolicies:
  enabled: true
-#   ingressLabels:
-#     app: istio-ingressgateway
-#     istio: ingressgateway
 bbtests:
+  enabled: true
  scripts:
    image: registry1.dso.mil/ironbank/anchore/cli/cli:0.9.1
    envs:
@@ -20,19 +18,9 @@ bbtests:
            name: "{{ template \"anchore-engine.fullname\" . }}-admin-pass"
            key: ANCHORE_ADMIN_PASSWORD
-postgresql:
-  enabled: true
 anchoreGlobal:
  saml:
    secret: ci-testing-only
 anchoreAnalyzer:
  replicaCount: 1
\ No newline at end of file
-# anchoreEnterpriseGlobal:
-# anchore-feeds-db:
-# anchore-ui-redis:
-#   global:
\ No newline at end of file