From ff5188619d0e76cc5eb155f5a00e4599d6127226 Mon Sep 17 00:00:00 2001
From: bhearn7
Date: Wed, 19 May 2021 11:26:27 -0400
Subject: [PATCH 01/24] initial network policy commit
---
 CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9b80ccc..f1eb1c9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ---
+## [TO-DO]
+### Changed
+- Updated docs for BB documentation standards
+- Added Network Policies
+
 ## [1.12.7-bb.4]
 ### Changed
 - Added Helm bash testing for API using approved Iron Bank image
-- GitLab
From 6c67a1c28950b03b049c00b785783f4f0a447585 Mon Sep 17 00:00:00 2001
From: bhearn7
Date: Wed, 19 May 2021 12:27:26 -0400
Subject: [PATCH 02/24] fix changelog
---
 CHANGELOG.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f1eb1c9..a6b0fa2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,12 +3,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ---
-## [TO-DO]
+## [1.12.13-bb.1]
 ### Changed
 - Updated docs for BB documentation standards
 - Added Network Policies
-## [1.12.7-bb.4]
+## [1.12.13-bb.0]
 ### Changed
 - Added Helm bash testing for API using approved Iron Bank image
 - Bumped upstream chart version to 1.12.13
-- GitLab
From 33bc0bc1582e445b518a21bb34f4513b42ce6a3c Mon Sep 17 00:00:00 2001
From: bhearn7
Date: Wed, 19 May 2021 12:28:01 -0400
Subject: [PATCH 03/24] update chart.yaml
---
 chart/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index f33ad55..9bb5cf8 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.12.13-bb.0
+version: 1.12.13-bb.1
 appVersion: 0.9.3
 description: Anchore container analysis and policy evaluation engine service
 keywords:
-- GitLab
From bd2b65d596e8e47a664285e61e6fdb44800f0f6c Mon Sep 17 00:00:00 2001
From: bhearn7
Date: Wed, 19 May 2021 15:42:17 -0400
Subject: [PATCH 04/24] add networkPolicies
---
 CHANGELOG.md | 2 +-
 .../networkpolicies/allow-all-egress.yaml | 18 ++++++++++++++++++
 chart/values.yaml | 3 +++
 docs/BBCHANGES.md | 5 ++++-
 tests/test-values.yml | 3 +++
 5 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 chart/templates/bigbang/networkpolicies/allow-all-egress.yaml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a6b0fa2..d736cd1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ## [1.12.13-bb.1]
 ### Changed
 - Updated docs for BB documentation standards
-- Added Network Policies
+- Added optional network policies for blocking egress to AWS metadata IP
 ## [1.12.13-bb.0]
 ### Changed
diff --git a/chart/templates/bigbang/networkpolicies/allow-all-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-all-egress.yaml
new file mode 100644
index 0000000..305da84
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-all-egress.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: anchore-allow-all-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ # ONLY Block requests to AWS metadata IP
+ except:
+ - 169.254.169.254/32
+{{- end }}
\ No newline at end of file
diff --git a/chart/values.yaml b/chart/values.yaml
index bd8eda6..15e7b08 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
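Review bot: The `except` list in allow-all-egress.yaml carves out only the IPv4 metadata address, so on a dual-stack cluster the AWS IMDS IPv6 endpoint stays reachable; add `- fd00:ec2::254/128` as a second `except` entry (IPv6 `ipBlock` entries are valid in networking.k8s.io/v1). Note also that `ipBlock` matching against in-cluster pod IPs is CNI-dependent and the policy is otherwise a blanket allow, so it should not be read as limiting pod-to-pod egress — a comment such as `# Intentionally allows all egress; only the cloud metadata endpoint is carved out` above `egress:` would make that explicit. The same address is used by GCP and Azure, so the "AWS" wording in the comment is narrower than the effect. The file also ends without a trailing newline.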
@@ -26,6 +26,9 @@ istio:
 hosts:
 - "anchore-api.{{ .Values.hostname }}"
+networkPolicies:
+ enabled: false
+
 # Enable Prometheus Monitoring
 monitoring:
 enabled: false
diff --git a/docs/BBCHANGES.md b/docs/BBCHANGES.md
index 7f2c004..dafeb7b 100644
--- a/docs/BBCHANGES.md
+++ b/docs/BBCHANGES.md
@@ -8,7 +8,7 @@ This provides a log of these changes to make updates from upstream faster.
 ## Big Bang Modifications
-Added at the top of the values file are changes to support Istio, automated license creation, monitoring, and SSO.
+Added at the top of the values file are changes to support Istio, optional network policies, automated license creation, monitoring, and SSO.
 ```yaml
 # Big Bang Values
@@ -37,6 +37,9 @@ istio:
 hosts:
 - "anchore-api.{{ .Values.hostname }}"
+networkPolicies:
+ enabled: false
+
 # Enable Prometheus Monitoring
 monitoring:
 enabled: false
diff --git a/tests/test-values.yml b/tests/test-values.yml
index 33f2d27..5f138f8 100644
--- a/tests/test-values.yml
+++ b/tests/test-values.yml
@@ -1,6 +1,9 @@
 istio:
 enabled: true
+networkPolicies:
+ enabled: false
+
 bbtests:
 scripts:
 image: registry1.dso.mil/ironbank/anchore/cli/cli:0.9.1
-- GitLab
From 1d7073f31d7de40020e88830291d4313a43b53b0 Mon Sep 17 00:00:00 2001
From: bhearn7
Date: Wed, 19 May 2021 16:19:55 -0400
Subject: [PATCH 05/24] add network policies
---
 .../bigbang/networkpolicies/dns-to-all.yaml | 17 +++++++++++++++++
 .../bigbang/networkpolicies/monitoring.yaml | 19 +++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 chart/templates/bigbang/networkpolicies/dns-to-all.yaml
 create mode 100644 chart/templates/bigbang/networkpolicies/monitoring.yaml
diff --git a/chart/templates/bigbang/networkpolicies/dns-to-all.yaml b/chart/templates/bigbang/networkpolicies/dns-to-all.yaml
new file mode 100644
index 0000000..0395ca6
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/dns-to-all.yaml
@@ -0,0 +1,17 @@
+# Allow DNS. Due to inconsistencies in how distros label dns pods,
+# we just allow all port 53. We could provide better if we enforce/
+# standardize the kube-system labels or the coredns/kubedns labesl
+{{ if .Values.networkPolicies.enabled }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: anchore-dns-to-all
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {} # all pods
+ egress:
+ - to:
+ - namespaceSelector: {} # all namespaces
+ ports:
+ - port: 53 # dns port
+ {{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/networkpolicies/monitoring.yaml b/chart/templates/bigbang/networkpolicies/monitoring.yaml
new file mode 100644
index 0000000..061000e
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/monitoring.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: anchore-monitoring
+ namespace: {{ .Release.Namespace }}
+spec:
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: monitoring
+ podSelector:
+ matchLabels:
+ app: prometheus
+ podSelector: {}
+{{- end }}
\ No newline at end of file
-- GitLab
From 5c02e158b896f565cbde6d856a15a875e7e4a432 Mon Sep 17 00:00:00 2001
From: bhearn7
Date: Wed, 19 May 2021 16:41:26 -0400
Subject: [PATCH 06/24] update changelog
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d736cd1..5e907c7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ## [1.12.13-bb.1]
 ### Changed
 - Updated docs for BB documentation standards
-- Added optional network policies for blocking egress to AWS metadata IP
+- Added optional network policies
 ## [1.12.13-bb.0]
 ### Changed
-- GitLab
From b0922b4ad531f46cbacd8dabbdc204348651a133 Mon Sep 17 00:00:00 2001
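Review bot: dns-to-all.yaml sets no `policyTypes`, and the API default is Ingress always plus Egress whenever egress rules exist, so this policy — with `podSelector: {}` and no `ingress` rules — also denies all inbound traffic to every Anchore pod on its own; add `policyTypes:` / `- Egress` under `spec:` (PATCH 08 later in this series does so). Separately, `- port: 53` without `protocol` matches TCP only, and resolvers try UDP first, so DNS is still broken under default-deny; list both `- port: 53` / `protocol: UDP` and `- port: 53` / `protocol: TCP`. The indented `{{- end }}` is harmless but inconsistent with the sibling templates, and the comment has a typo (`labesl`).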
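Review bot: The `anchore-monitoring` ingress rule has no `ports`, so any pod labeled `app: prometheus` in the `monitoring` namespace can reach every port on every pod in this namespace — including the bundled redis/postgres if they run here — rather than only the metrics endpoints. Add a `ports:` list matching what the ServiceMonitor scrapes (confirm the port names against the chart's monitoring templates). The single `from` item combining `namespaceSelector` and `podSelector` is correctly ANDed; keep it as one item if this rule is edited later.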
From: bhearn7 Date: Thu, 20 May 2021 14:53:53 -0400 Subject: [PATCH 07/24] testing network policy rules --- .../networkpolicies/allow-all-egress.yaml | 18 -------- .../bigbang/networkpolicies/allow-egress.yaml | 46 +++++++++++++++++++ .../networkpolicies/allow-ingress.yaml | 37 +++++++++++++++ .../networkpolicies/default-deny-all.yaml | 12 +++++ .../bigbang/networkpolicies/dns-to-all.yaml | 17 ------- .../bigbang/networkpolicies/monitoring.yaml | 19 -------- chart/values.yaml | 3 ++ tests/test-values.yml | 3 ++ 8 files changed, 101 insertions(+), 54 deletions(-) delete mode 100644 chart/templates/bigbang/networkpolicies/allow-all-egress.yaml create mode 100644 chart/templates/bigbang/networkpolicies/allow-egress.yaml create mode 100644 chart/templates/bigbang/networkpolicies/allow-ingress.yaml create mode 100644 chart/templates/bigbang/networkpolicies/default-deny-all.yaml delete mode 100644 chart/templates/bigbang/networkpolicies/dns-to-all.yaml delete mode 100644 chart/templates/bigbang/networkpolicies/monitoring.yaml diff --git a/chart/templates/bigbang/networkpolicies/allow-all-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-all-egress.yaml deleted file mode 100644 index 305da84..0000000 --- a/chart/templates/bigbang/networkpolicies/allow-all-egress.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.networkPolicies.enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: anchore-allow-all-egress - namespace: {{ .Release.Namespace }} -spec: - podSelector: {} - policyTypes: - - Egress - egress: - - to: - - ipBlock: - cidr: 0.0.0.0/0 - # ONLY Block requests to AWS metadata IP - except: - - 169.254.169.254/32 -{{- end }} \ No newline at end of file diff --git a/chart/templates/bigbang/networkpolicies/allow-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-egress.yaml new file mode 100644 index 0000000..2e4e23b --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-egress.yaml 
@@ -0,0 +1,46 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ # ONLY Block requests to AWS metadata IP
+ except:
+ - 169.254.169.254/32
+ # - to:
+ # - namespaceSelector: {} # all namespaces
+ # ports:
+ # - port: 53 # dns port
+ # - to:
+ # - namespaceSelector:
+ # matchLabels:
+ # app.kubernetes.io/name: istio-controlplane # label name for istio-system namespace
+ # podSelector:
+ # matchLabels:
+ # istio: pilot # label match for istiod pods
+ # - ports:
+ # - port: 53
+ # protocol: TCP
+ # - port: 53
+ # protocol: UDP
+# {{ if .Values.elasticsearch.enabled }}
+# - to:
+# - namespaceSelector:
+# matchLabels:
+# app.kubernetes.io/name: {{ .Values.elasticsearch.namespace }}
+# podSelector:
+# matchLabels: # copied from svc "logging-ek-es-http" in logging namespace
+# common.k8s.elastic.co/type: elasticsearch
+# elasticsearch.k8s.elastic.co/cluster-name: {{ .Values.elasticsearch.name }}
+# ports:
+# - port: 9200
+# {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/networkpolicies/allow-ingress.yaml b/chart/templates/bigbang/networkpolicies/allow-ingress.yaml
new file mode 100644
index 0000000..b4fac2b
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-ingress.yaml
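Review bot: The commented-out block at the bottom of allow-egress.yaml still contains live template actions — Helm evaluates `{{ if .Values.elasticsearch.enabled }}`, `{{ .Values.elasticsearch.namespace }}` and `{{- end }}` before YAML ever sees the `#`, so if values.yaml defines no `elasticsearch` map (none is visible in this series) the chart fails to render with a nil-pointer error. Either delete the scratch rules or wrap them in a Go-template comment, `{{/* ... */}}`, so they are never evaluated. Shipping experiments in a template also hides which rules are actually in force; the `testing network policy rules` subject suggests this should be squashed before merge.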
@@ -0,0 +1,37 @@
+{{ if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-ingress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10 }}
+ namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: istio-controlplane
+ ports:
+ - port: 15021
+ protocol: TCP
+ - port: 80
+ protocol: TCP
+ - port: 443
+ protocol: TCP
+ - port: 15012
+ protocol: TCP
+ - port: 15443
+ protocol: TCP
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: monitoring
+ podSelector:
+ matchLabels:
+ app: prometheus
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/networkpolicies/default-deny-all.yaml b/chart/templates/bigbang/networkpolicies/default-deny-all.yaml
new file mode 100644
index 0000000..e5454cc
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/default-deny-all.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-all
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/networkpolicies/dns-to-all.yaml b/chart/templates/bigbang/networkpolicies/dns-to-all.yaml
deleted file mode 100644
index 0395ca6..0000000
--- a/chart/templates/bigbang/networkpolicies/dns-to-all.yaml
+++ /dev/null
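Review bot: The `ports` in allow-ingress.yaml (15021, 443, 15012, 15443) are the Istio gateway's own listeners, but a NetworkPolicy `ports` list describes destination ports on the pods the policy selects — here the Anchore pods — so gateway traffic to the Anchore API on 8228 and the other service ports is not matched and stays blocked by default-deny. Replace the list with the Anchore service ports (PATCH 10 in this series does this). The second `from` item for Prometheus has no `ports`, so the scraper is granted every port; constrain it to the metrics port. The first `from` item correctly keeps `podSelector` and `namespaceSelector` in one entry, which ANDs them — preserve that shape in later edits.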
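Review bot: default-deny-all.yaml isolates every pod in the namespace in both directions, but nothing in this commit allows intra-namespace traffic, so the Anchore services' calls to one another and the enterprise UI's connection to the bundled redis (`...-master:6379`, per enterprise_ui_deployment.yaml) are cut off once `networkPolicies.enabled` is true. Pair this with an in-namespace allow, e.g. an ingress rule `from:` / `- podSelector: {}` with `policyTypes: [Ingress]` (PATCH 15 appears to add allow-in-ns.yaml for this), or document the requirement next to the value. The names `default-deny-all`, `allow-egress` and `allow-ingress` are not release-scoped; prefix them with `{{ .Release.Name }}` or the chart's fullname helper if two releases can share a namespace.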
@@ -1,17 +0,0 @@ -# Allow DNS. Due to inconsistencies in how distros label dns pods, -# we just allow all port 53. We could provide better if we enforce/ -# standardize the kube-system labels or the coredns/kubedns labesl -{{ if .Values.networkPolicies.enabled }} -kind: NetworkPolicy -apiVersion: networking.k8s.io/v1 -metadata: - name: anchore-dns-to-all - namespace: {{ .Release.Namespace }} -spec: - podSelector: {} # all pods - egress: - - to: - - namespaceSelector: {} # all namespaces - ports: - - port: 53 # dns port - {{- end }} \ No newline at end of file diff --git a/chart/templates/bigbang/networkpolicies/monitoring.yaml b/chart/templates/bigbang/networkpolicies/monitoring.yaml deleted file mode 100644 index 061000e..0000000 --- a/chart/templates/bigbang/networkpolicies/monitoring.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.networkPolicies.enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: anchore-monitoring - namespace: {{ .Release.Namespace }} -spec: - policyTypes: - - Ingress - ingress: - - from: - - namespaceSelector: - matchLabels: - app.kubernetes.io/name: monitoring - podSelector: - matchLabels: - app: prometheus - podSelector: {} -{{- end }} \ No newline at end of file diff --git a/chart/values.yaml b/chart/values.yaml index 15e7b08..d11be9a 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -28,6 +28,9 @@ istio: networkPolicies: enabled: false + ingressLabels: + app: istio-ingressgateway + istio: ingressgateway # Enable Prometheus Monitoring monitoring: diff --git a/tests/test-values.yml b/tests/test-values.yml index 5f138f8..f104212 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -3,6 +3,9 @@ istio: networkPolicies: enabled: false + ingressLabels: + app: istio-ingressgateway + istio: ingressgateway bbtests: scripts: -- GitLab From efa34af2183a6e31a10ce906dedaedc09d94b932 Mon Sep 17 00:00:00 2001 
From: bhearn7 Date: Mon, 24 May 2021 12:10:23 -0400 Subject: [PATCH 08/24] testing network policies --- .../bigbang/networkpolicies/allow-egress.yaml | 28 ------------------- .../bigbang/networkpolicies/dns.yaml | 19 +++++++++++++ .../{allow-ingress.yaml => istio.yaml} | 24 +++++++++++++--- .../bigbang/networkpolicies/monitoring.yaml | 19 +++++++++++++ docs/BBCHANGES.md | 5 +++- tests/test-values.yml | 2 +- 6 files changed, 63 insertions(+), 34 deletions(-) create mode 100644 chart/templates/bigbang/networkpolicies/dns.yaml rename chart/templates/bigbang/networkpolicies/{allow-ingress.yaml => istio.yaml} (60%) create mode 100644 chart/templates/bigbang/networkpolicies/monitoring.yaml diff --git a/chart/templates/bigbang/networkpolicies/allow-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-egress.yaml index 2e4e23b..e1d66b9 100644 --- a/chart/templates/bigbang/networkpolicies/allow-egress.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-egress.yaml @@ -15,32 +15,4 @@ spec: # ONLY Block requests to AWS metadata IP except: - 169.254.169.254/32 - # - to: - # - namespaceSelector: {} # all namespaces - # ports: - # - port: 53 # dns port - # - to: - # - namespaceSelector: - # matchLabels: - # app.kubernetes.io/name: istio-controlplane # label name for istio-system namespace - # podSelector: - # matchLabels: - # istio: pilot # label match for istiod pods - # - ports: - # - port: 53 - # protocol: TCP - # - port: 53 - # protocol: UDP -# {{ if .Values.elasticsearch.enabled }} -# - to: -# - namespaceSelector: -# matchLabels: -# app.kubernetes.io/name: {{ .Values.elasticsearch.namespace }} -# podSelector: -# matchLabels: # copied from svc "logging-ek-es-http" in logging namespace -# common.k8s.elastic.co/type: elasticsearch -# elasticsearch.k8s.elastic.co/cluster-name: {{ .Values.elasticsearch.name }} -# ports: -# - port: 9200 -# {{- end }} {{- end }} \ No newline at end of file 
diff --git a/chart/templates/bigbang/networkpolicies/dns.yaml b/chart/templates/bigbang/networkpolicies/dns.yaml
new file mode 100644
index 0000000..1f90c04
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/dns.yaml
@@ -0,0 +1,19 @@
+# Allow DNS. Due to inconsistencies in how distros label dns pods,
+# we just allow all port 53. We could provide better if we enforce/
+# standardize the kube-system labels or the coredns/kubedns labels
+{{ if .Values.networkPolicies.enabled }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: dns-to-all
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {} # all pods
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector: {} # all namespaces
+ ports:
+ - port: 53 # dns port
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/networkpolicies/allow-ingress.yaml b/chart/templates/bigbang/networkpolicies/istio.yaml
similarity index 60%
rename from chart/templates/bigbang/networkpolicies/allow-ingress.yaml
rename to chart/templates/bigbang/networkpolicies/istio.yaml
index b4fac2b..09a481a 100644
--- a/chart/templates/bigbang/networkpolicies/allow-ingress.yaml
+++ b/chart/templates/bigbang/networkpolicies/istio.yaml
@@ -2,7 +2,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
- name: allow-ingress
+ name: istio-ingress
 namespace: {{ .Release.Namespace }}
 spec:
 podSelector: {}
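Review bot: `- port: 53` in dns.yaml still carries no `protocol`, and the NetworkPolicy default is TCP, so UDP DNS — the resolver's first attempt — is not permitted by this rule and name resolution fails under default-deny; add a second entry `- port: 53` / `protocol: UDP`. `namespaceSelector: {}` also matches only pods, so on clusters running NodeLocal DNSCache (resolver on a link-local or node address) this rule will not cover the lookup path — worth a sentence in the existing header comment. The opening `{{ if` lacks the `-` used by the sibling templates and leaves a blank line in the rendered manifest; harmless, but inconsistent.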
@@ -27,11 +27,27 @@ spec: protocol: TCP - port: 15443 protocol: TCP - - from: +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-to-istiod + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Egress + egress: + - to: - namespaceSelector: matchLabels: - app.kubernetes.io/name: monitoring + app.kubernetes.io/name: istio-controlplane # label name for istio-system namespace podSelector: matchLabels: - app: prometheus + istio: pilot # label match for istiod pods + - ports: + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP {{- end }} \ No newline at end of file diff --git a/chart/templates/bigbang/networkpolicies/monitoring.yaml b/chart/templates/bigbang/networkpolicies/monitoring.yaml new file mode 100644 index 0000000..d3a1cd2 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/monitoring.yaml @@ -0,0 +1,19 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: monitoring + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: monitoring + podSelector: + matchLabels: + app: prometheus +{{- end }} \ No newline at end of file diff --git a/docs/BBCHANGES.md b/docs/BBCHANGES.md index dafeb7b..61d229d 100644 --- a/docs/BBCHANGES.md +++ b/docs/BBCHANGES.md @@ -39,7 +39,10 @@ istio: networkPolicies: enabled: false - + ingressLabels: + app: istio-ingressgateway + istio: ingressgateway + # Enable Prometheus Monitoring monitoring: enabled: false diff --git a/tests/test-values.yml b/tests/test-values.yml index f104212..c4085f4 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -2,7 +2,7 @@ istio: enabled: true networkPolicies: - enabled: false + enabled: true ingressLabels: app: istio-ingressgateway istio: ingressgateway -- GitLab From 3638ad0ba3ee9bda0870a74a23f8a93073933e6f Mon Sep 17 00:00:00 2001 
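Review bot: In the new `allow-to-istiod` policy the second egress item — `- ports:` with 53 TCP/UDP and no `to` — is a separate rule, not a port list for the istiod rule above it, so it permits DNS to any destination in or outside the cluster and silently supersedes dns.yaml with a broader scope. If the goal was UDP DNS, add the UDP entry to dns.yaml and drop this item; if it was to scope istiod traffic, put `ports:` under the `to:` rule (istiod's xDS port is 15012 — confirm against the istiod Service in istio-system). As written the istiod rule itself allows every port on the `istio: pilot` pods. The `istio-controlplane` / `istio: pilot` labels are assumed from the Big Bang Istio install and cannot be verified from this chart.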
From: bhearn7
Date: Mon, 24 May 2021 13:36:57 -0400
Subject: [PATCH 09/24] update networkpolicies
---
 .../bigbang/networkpolicies/anchore.yaml | 26 +++++++++++++++++++
 .../bigbang/networkpolicies/dns.yaml | 2 +-
 .../bigbang/networkpolicies/istio.yaml | 2 +-
 3 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 chart/templates/bigbang/networkpolicies/anchore.yaml
diff --git a/chart/templates/bigbang/networkpolicies/anchore.yaml b/chart/templates/bigbang/networkpolicies/anchore.yaml
new file mode 100644
index 0000000..70dc64a
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/anchore.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.networkPolicies.enabled }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: anchore-allow-ingress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {} # all pods
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ ports:
+ - port: 80 # enterprise UI
+ protocol: TCP
+ - port: 8228 # anchore engine api
+ protocol: TCP
+ - port: 8229 # rbac manager
+ protocol: TCP
+ - port: 8558 # reports api
+ protocol: TCP
+ - port: 8668 # notifications api
+ protocol: TCP
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/networkpolicies/dns.yaml b/chart/templates/bigbang/networkpolicies/dns.yaml
index 1f90c04..0f6bf98 100644
--- a/chart/templates/bigbang/networkpolicies/dns.yaml
+++ b/chart/templates/bigbang/networkpolicies/dns.yaml
@@ -1,7 +1,7 @@
 # Allow DNS. Due to inconsistencies in how distros label dns pods,
 # we just allow all port 53. We could provide better if we enforce/
 # standardize the kube-system labels or the coredns/kubedns labels
-{{ if .Values.networkPolicies.enabled }}
+{{- if .Values.networkPolicies.enabled }}
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
diff --git a/chart/templates/bigbang/networkpolicies/istio.yaml b/chart/templates/bigbang/networkpolicies/istio.yaml
index 09a481a..b9c5579 100644
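Review bot: anchore.yaml opens ports 80, 8228, 8229, 8558 and 8668 to `ipBlock: 0.0.0.0/0`, i.e. every source, which makes the gateway-only restriction in istio.yaml moot — any pod or host that can route to a pod IP reaches the Anchore API directly, bypassing the mesh's authentication at the ingress gateway. If the aim is to let the gateway reach these ports, move this `ports` list under the `istio-ingress` policy's `from` rule instead of adding a wildcard source (PATCH 11 deletes this file, which is the right outcome). Whether `ipBlock` even applies to in-cluster pod IPs is CNI-dependent, so a rule like this can look like it is filtering when it is not.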
--- a/chart/templates/bigbang/networkpolicies/istio.yaml +++ b/chart/templates/bigbang/networkpolicies/istio.yaml @@ -1,4 +1,4 @@ -{{ if .Values.networkPolicies.enabled }} +{{- if .Values.networkPolicies.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: -- GitLab From dac5102580cde31f4f65bb4b91a9d7a9adb905d0 Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Mon, 24 May 2021 13:52:34 -0400 Subject: [PATCH 10/24] testing network policies --- .../bigbang/networkpolicies/istio.yaml | 20 ++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/chart/templates/bigbang/networkpolicies/istio.yaml b/chart/templates/bigbang/networkpolicies/istio.yaml index b9c5579..cb578b0 100644 --- a/chart/templates/bigbang/networkpolicies/istio.yaml +++ b/chart/templates/bigbang/networkpolicies/istio.yaml @@ -17,16 +17,26 @@ spec: matchLabels: app.kubernetes.io/name: istio-controlplane ports: - - port: 15021 + - port: 80 # enterprise UI protocol: TCP - - port: 80 + - port: 8228 # anchore engine api protocol: TCP - - port: 443 + - port: 8229 # rbac manager protocol: TCP - - port: 15012 + - port: 8558 # reports api protocol: TCP - - port: 15443 + - port: 8668 # notifications api protocol: TCP + # - port: 15021 + # protocol: TCP + # - port: 80 + # protocol: TCP + # - port: 443 + # protocol: TCP + # - port: 15012 + # protocol: TCP + # - port: 15443 + # protocol: TCP --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy -- GitLab From 6c4189b343f042595cf86d13e586be33d1fcd768 Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Mon, 24 May 2021 14:13:36 -0400 Subject: [PATCH 11/24] update network policy --- .../bigbang/networkpolicies/anchore.yaml | 26 ------------------- .../bigbang/networkpolicies/istio.yaml | 10 ------- 2 files changed, 36 deletions(-) delete mode 100644 chart/templates/bigbang/networkpolicies/anchore.yaml 
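Review bot: Replacing the gateway listener ports with the Anchore service ports is the correct fix, since NetworkPolicy `ports` are destination ports on the selected pods, but the old list is left behind as ten commented-out lines; remove them rather than keep dead config (PATCH 11 does). A one-line comment above `ports:`, `# destination ports on the Anchore pods, not the gateway's listeners`, would stop the original mistake recurring. Confirm the UI container port against `enterprise_ui_deployment.yaml` before relying on `80 # enterprise UI`.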
diff --git a/chart/templates/bigbang/networkpolicies/anchore.yaml b/chart/templates/bigbang/networkpolicies/anchore.yaml deleted file mode 100644 index 70dc64a..0000000 --- a/chart/templates/bigbang/networkpolicies/anchore.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if .Values.networkPolicies.enabled }} -kind: NetworkPolicy -apiVersion: networking.k8s.io/v1 -metadata: - name: anchore-allow-ingress - namespace: {{ .Release.Namespace }} -spec: - podSelector: {} # all pods - policyTypes: - - Ingress - ingress: - - from: - - ipBlock: - cidr: 0.0.0.0/0 - ports: - - port: 80 # enterprise UI - protocol: TCP - - port: 8228 # anchore engine api - protocol: TCP - - port: 8229 # rbac manager - protocol: TCP - - port: 8558 # reports api - protocol: TCP - - port: 8668 # notifications api - protocol: TCP -{{- end }} \ No newline at end of file diff --git a/chart/templates/bigbang/networkpolicies/istio.yaml b/chart/templates/bigbang/networkpolicies/istio.yaml index cb578b0..84bcd49 100644 --- a/chart/templates/bigbang/networkpolicies/istio.yaml +++ b/chart/templates/bigbang/networkpolicies/istio.yaml @@ -27,16 +27,6 @@ spec: protocol: TCP - port: 8668 # notifications api protocol: TCP - # - port: 15021 - # protocol: TCP - # - port: 80 - # protocol: TCP - # - port: 443 - # protocol: TCP - # - port: 15012 - # protocol: TCP - # - port: 15443 - # protocol: TCP --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy -- GitLab From 0fe5f0f036ed91aaf61ae850cdc869492a86be85 Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Mon, 24 May 2021 14:20:51 -0400 Subject: [PATCH 12/24] testing network policy --- .../bigbang/networkpolicies/istio2.yaml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 chart/templates/bigbang/networkpolicies/istio2.yaml diff --git a/chart/templates/bigbang/networkpolicies/istio2.yaml b/chart/templates/bigbang/networkpolicies/istio2.yaml new file mode 100644 index 0000000..f50c45e --- /dev/null 
+++ b/chart/templates/bigbang/networkpolicies/istio2.yaml
@@ -0,0 +1,31 @@
+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-istio
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: istio-controlplane
+ - podSelector:
+ matchLabels:
+ {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}}
+ ports:
+ - port: 8065
+ protocol: TCP
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: istio-controlplane
+ podSelector:
+ matchLabels:
+ istio: pilot
+{{- end }}
\ No newline at end of file
-- GitLab
From 71f72a604922970b57057a99af69dfce97ecc23e Mon Sep 17 00:00:00 2001
From: bhearn7
Date: Mon, 24 May 2021 14:27:00 -0400
Subject: [PATCH 13/24] update istio network policy
---
 .../bigbang/networkpolicies/istio.yaml | 32 ++++++-------------
 .../bigbang/networkpolicies/istio2.yaml | 31 ------------------
 2 files changed, 9 insertions(+), 54 deletions(-)
 delete mode 100644 chart/templates/bigbang/networkpolicies/istio2.yaml
diff --git a/chart/templates/bigbang/networkpolicies/istio.yaml b/chart/templates/bigbang/networkpolicies/istio.yaml
index 84bcd49..0307832 100644
--- a/chart/templates/bigbang/networkpolicies/istio.yaml
+++ b/chart/templates/bigbang/networkpolicies/istio.yaml
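Review bot: The `from` list in istio2.yaml has two items and they are ORed: any pod in the `istio-controlplane` namespace is admitted regardless of labels, while the bare `podSelector` item is namespace-local and so only matches pods in the Anchore namespace, where no gateway runs. To admit only the ingress gateway, both selectors belong in the same list item, as the earlier allow-ingress.yaml had them. Port 8065 is not one of the Anchore ports used elsewhere in this series (80, 8228, 8229, 8558, 8668) and looks copied from another package's policy — confirm. The policy duplicates istio.yaml under a second name and should be folded into it rather than shipped alongside.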
@@ -1,21 +1,22 @@ -{{- if .Values.networkPolicies.enabled }} +{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: istio-ingress + name: allow-istio namespace: {{ .Release.Namespace }} spec: podSelector: {} policyTypes: - Ingress + - Egress ingress: - from: - - podSelector: - matchLabels: - {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10 }} - namespaceSelector: + - namespaceSelector: matchLabels: app.kubernetes.io/name: istio-controlplane + - podSelector: + matchLabels: + {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}} ports: - port: 80 # enterprise UI protocol: TCP @@ -27,27 +28,12 @@ spec: protocol: TCP - port: 8668 # notifications api protocol: TCP ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-to-istiod - namespace: {{ .Release.Namespace }} -spec: - podSelector: {} - policyTypes: - - Egress egress: - to: - namespaceSelector: matchLabels: - app.kubernetes.io/name: istio-controlplane # label name for istio-system namespace + app.kubernetes.io/name: istio-controlplane podSelector: matchLabels: - istio: pilot # label match for istiod pods - - ports: - - port: 53 - protocol: TCP - - port: 53 - protocol: UDP + istio: pilot {{- end }} \ No newline at end of file diff --git a/chart/templates/bigbang/networkpolicies/istio2.yaml b/chart/templates/bigbang/networkpolicies/istio2.yaml deleted file mode 100644 index f50c45e..0000000 --- a/chart/templates/bigbang/networkpolicies/istio2.yaml +++ /dev/null 
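Review bot: The rewritten `ingress.from` in istio.yaml now has two list items, which ORs them: every pod in the `istio-controlplane` namespace is admitted regardless of labels, and the bare `podSelector` item — namespace-local without a `namespaceSelector` — matches only pods in the Anchore namespace, i.e. nothing useful. The shape this hunk removes (both selectors in one item) was the AND you want; restore it. Dropping the `- ports:` 53 TCP/UDP rule also removes the only UDP/53 allow in the chart, because dns.yaml's `- port: 53` has no `protocol` and defaults to TCP — add the UDP entry there before relying on this. The egress rule to istiod has no `ports`, so it allows every port on the `istio: pilot` pods; scope it to the xDS port (15012 — confirm against the istiod Service).

```yaml
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          app.kubernetes.io/name: istio-controlplane
      podSelector:
        matchLabels:
          {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10 }}
    ports:
    # ... unchanged: Anchore service ports 80/8228/8229/8558/8668 ...
```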
@@ -1,31 +0,0 @@ -{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-istio - namespace: {{ .Release.Namespace }} -spec: - podSelector: {} - policyTypes: - - Ingress - - Egress - ingress: - - from: - - namespaceSelector: - matchLabels: - app.kubernetes.io/name: istio-controlplane - - podSelector: - matchLabels: - {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}} - ports: - - port: 8065 - protocol: TCP - egress: - - to: - - namespaceSelector: - matchLabels: - app.kubernetes.io/name: istio-controlplane - podSelector: - matchLabels: - istio: pilot -{{- end }} \ No newline at end of file -- GitLab From 9c67dd91a710f306859001b189c33a9bae795f7d Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Tue, 25 May 2021 11:30:56 -0400 Subject: [PATCH 14/24] update "chart" (https://github.com/anchore/anchore-charts) from "anchore-engine-1.12.13" (f9a34a42d694e657b5f3d493f590fc3f7a8b933e) to "anchore-engine-1.12.15" (f50573427adb8d582eaea20c968bb0391cb79c48) --- CHANGELOG.md | 6 +++++- chart/Chart.yaml | 4 ++-- chart/Kptfile | 4 ++-- chart/templates/enterprise_ui_deployment.yaml | 2 +- chart/values.yaml | 6 +++--- 5 files changed, 13 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5e907c7..757147f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,10 +3,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). --- -## [1.12.13-bb.1] +## [1.12.15-bb.0] ### Changed - Updated docs for BB documentation standards - Added optional network policies +- Bumped upstream chart version to 1.12.15 +- Bumped Anchore Engine image version to 0.9.4 from Registry1 +- Bumped Anchore Enterprise image version to 3.0.3 from Registry1 +- Bumped Anchore Enterprise UI image version to 3.0.3 from Registry1 ## [1.12.13-bb.0] ### Changed 
diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 9bb5cf8..6d4387d 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: anchore-engine -version: 1.12.13-bb.1 -appVersion: 0.9.3 +version: 1.12.15-bb.0 +appVersion: 0.9.4 description: Anchore container analysis and policy evaluation engine service keywords: - analysis diff --git a/chart/Kptfile b/chart/Kptfile index f248c9f..e44bd5e 100644 --- a/chart/Kptfile +++ b/chart/Kptfile @@ -5,7 +5,7 @@ metadata: upstream: type: git git: - commit: f9a34a42d694e657b5f3d493f590fc3f7a8b933e + commit: f50573427adb8d582eaea20c968bb0391cb79c48 repo: https://github.com/anchore/anchore-charts directory: /stable/anchore-engine - ref: anchore-engine-1.12.13 + ref: anchore-engine-1.12.15 diff --git a/chart/templates/enterprise_ui_deployment.yaml b/chart/templates/enterprise_ui_deployment.yaml index d46ab6d..f6b45dd 100644 --- a/chart/templates/enterprise_ui_deployment.yaml +++ b/chart/templates/enterprise_ui_deployment.yaml @@ -80,7 +80,7 @@ spec: env: {{- if and (index .Values "anchoreEnterpriseUi" "existingSecret") (not (index .Values "anchore-ui-redis" "externalEndpoint")) }} - name: ANCHORE_REDIS_URI - value: redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379 + value: redis://nouser:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379 {{- end }} {{ if .Values.anchoreGlobal.dbConfig.ssl }} - name: PGSSLROOTCERT diff --git a/chart/values.yaml b/chart/values.yaml index d11be9a..7e610d6 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
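Review bot: The new `ANCHORE_REDIS_URI` value still interpolates the redis password from values directly into the Deployment's `env`, so it is readable by anyone who can `get deployments` or `helm get manifest` and lands in diffs and audit logs; the safer form is `valueFrom.secretKeyRef` against the redis secret. This is upstream behaviour carried over by the kpt update (the Kptfile now tracks `anchore-engine-1.12.15`), not introduced here, so it belongs in an upstream issue rather than a local patch — but it is worth a note in BBCHANGES.md so operators know the UI pod spec exposes the password.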
@@ -166,7 +166,7 @@ ingress: # Global configuration shared by all anchore-engine services. anchoreGlobal: # Image used for all anchore engine deployments (excluding enterprise components). - image: registry1.dso.mil/ironbank/anchore/engine/engine:0.9.3 + image: registry1.dso.mil/ironbank/anchore/engine/engine:0.9.4 imagePullPolicy: IfNotPresent # Set image pull secret name if using an anchore-engine image from a private registry @@ -710,7 +710,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.2 + image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.3 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. # Create this secret with the following command - kubectl create secret docker-registry anchore-dockerhub-creds --docker-server=docker.io --docker-username= --docker-password= --docker-email= @@ -959,7 +959,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set anchore-ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.2 + image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.3 imagePullPolicy: IfNotPresent imagePullSecretName: private-registry -- GitLab From ca490869ebcccfbdbb6c385e9fe3d48aad744b90 Mon Sep 17 00:00:00 2001 
From: bhearn7 Date: Tue, 25 May 2021 11:54:20 -0400 Subject: [PATCH 15/24] update network policies --- ...gress.yaml => allow-egress-except-aws.yaml} | 2 +- .../bigbang/networkpolicies/allow-in-ns.yaml | 18 ++++++++++++++++++ .../{istio.yaml => allow-istio.yaml} | 0 .../{dns.yaml => allow-kube-dns.yaml} | 2 +- .../{monitoring.yaml => allow-monitoring.yaml} | 2 +- ...default-deny-all.yaml => default-deny.yaml} | 2 +- 6 files changed, 22 insertions(+), 4 deletions(-) rename chart/templates/bigbang/networkpolicies/{allow-egress.yaml => allow-egress-except-aws.yaml} (89%) create mode 100644 chart/templates/bigbang/networkpolicies/allow-in-ns.yaml rename chart/templates/bigbang/networkpolicies/{istio.yaml => allow-istio.yaml} (100%) rename chart/templates/bigbang/networkpolicies/{dns.yaml => allow-kube-dns.yaml} (93%) rename chart/templates/bigbang/networkpolicies/{monitoring.yaml => allow-monitoring.yaml} (91%) rename chart/templates/bigbang/networkpolicies/{default-deny-all.yaml => default-deny.yaml} (85%) diff --git a/chart/templates/bigbang/networkpolicies/allow-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml similarity index 89% rename from chart/templates/bigbang/networkpolicies/allow-egress.yaml rename to chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml index e1d66b9..9d4b2b8 100644 --- a/chart/templates/bigbang/networkpolicies/allow-egress.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml @@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: allow-egress + name: allow-egress-except-aws namespace: {{ .Release.Namespace }} spec: podSelector: {} diff --git a/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml b/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml new file mode 100644 index 0000000..495131c --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml 
@@ -0,0 +1,18 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-in-ns + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + ingress: + - from: + - podSelector: {} + egress: + - to: + - podSelector: {} +{{- end }} \ No newline at end of file diff --git a/chart/templates/bigbang/networkpolicies/istio.yaml b/chart/templates/bigbang/networkpolicies/allow-istio.yaml similarity index 100% rename from chart/templates/bigbang/networkpolicies/istio.yaml rename to chart/templates/bigbang/networkpolicies/allow-istio.yaml diff --git a/chart/templates/bigbang/networkpolicies/dns.yaml b/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml similarity index 93% rename from chart/templates/bigbang/networkpolicies/dns.yaml rename to chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml index 0f6bf98..dc1db2a 100644 --- a/chart/templates/bigbang/networkpolicies/dns.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml @@ -5,7 +5,7 @@ kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: - name: dns-to-all + name: allow-kube-dns namespace: {{ .Release.Namespace }} spec: podSelector: {} # all pods diff --git a/chart/templates/bigbang/networkpolicies/monitoring.yaml b/chart/templates/bigbang/networkpolicies/allow-monitoring.yaml similarity index 91% rename from chart/templates/bigbang/networkpolicies/monitoring.yaml rename to chart/templates/bigbang/networkpolicies/allow-monitoring.yaml index d3a1cd2..4056e28 100644 --- a/chart/templates/bigbang/networkpolicies/monitoring.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-monitoring.yaml @@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: monitoring + name: allow-monitoring namespace: {{ .Release.Namespace }} spec: podSelector: {} 
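Review bot: Both peers in `allow-in-ns` use an empty `podSelector: {}`, which admits every pod in the release namespace on every port, so once this policy is applied the `default-deny` policy only segments at namespace granularity. If the bundled postgresql and redis subcharts run in this namespace, any pod deployed there (not just the anchore services that need them) can reach the database and cache directly. Consider narrowing the peers to the chart's own workload labels via `podSelector.matchLabels`, and adding a `ports:` list at least for the datastore rule, so intra-namespace reachability is explicit rather than total; a header comment such as `# intra-namespace allow-all: relies on default-deny only for cross-namespace isolation` would at minimum make the trade-off visible to the next reader.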
diff --git a/chart/templates/bigbang/networkpolicies/default-deny-all.yaml b/chart/templates/bigbang/networkpolicies/default-deny.yaml similarity index 85% rename from chart/templates/bigbang/networkpolicies/default-deny-all.yaml rename to chart/templates/bigbang/networkpolicies/default-deny.yaml index e5454cc..a6a043e 100644 --- a/chart/templates/bigbang/networkpolicies/default-deny-all.yaml +++ b/chart/templates/bigbang/networkpolicies/default-deny.yaml @@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: default-deny-all + name: default-deny namespace: {{ .Release.Namespace }} spec: podSelector: {} -- GitLab From f76ef83b6e61d7d70f9e1abba2ffabff0071998d Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Tue, 25 May 2021 16:48:21 -0400 Subject: [PATCH 16/24] testing istio network policy --- chart/templates/bigbang/networkpolicies/allow-istio.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/templates/bigbang/networkpolicies/allow-istio.yaml b/chart/templates/bigbang/networkpolicies/allow-istio.yaml index 0307832..9c494cc 100644 --- a/chart/templates/bigbang/networkpolicies/allow-istio.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-istio.yaml @@ -14,7 +14,7 @@ spec: - namespaceSelector: matchLabels: app.kubernetes.io/name: istio-controlplane - - podSelector: + podSelector: matchLabels: {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}} ports: -- GitLab From 07c0adbe1414c36f71cec6ef7d12d19ca34b3a26 Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Tue, 25 May 2021 17:21:34 -0400 Subject: [PATCH 17/24] fix istio network policy --- chart/templates/bigbang/networkpolicies/allow-istio.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/templates/bigbang/networkpolicies/allow-istio.yaml b/chart/templates/bigbang/networkpolicies/allow-istio.yaml index 9c494cc..cf876d2 100644 --- a/chart/templates/bigbang/networkpolicies/allow-istio.yaml 
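Review bot: Folding `podSelector` into the same peer as `namespaceSelector` turns the rule from OR into AND (the source must be in the `istio-controlplane` namespace and carry `ingressLabels`), which is the tighter and presumably intended meaning, but nothing in the file says so and the commit calls it "testing"; a comment like `# one peer: namespace AND pod labels must both match (two list items would mean OR)` would stop a later "fix" back to two items. A caveat worth guarding: if `networkPolicies.ingressLabels` is unset, `toYaml` renders `matchLabels: null`, which selects every pod in that namespace, so consider `{{- if not .Values.networkPolicies.ingressLabels }}{{ fail "networkPolicies.ingressLabels must be set when networkPolicies are enabled" }}{{- end }}` before the selector. The enclosing `ingress` rule continues outside the hunk.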
+++ b/chart/templates/bigbang/networkpolicies/allow-istio.yaml @@ -18,7 +18,7 @@ spec: matchLabels: {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}} ports: - - port: 80 # enterprise UI + - port: 3000 # enterprise UI protocol: TCP - port: 8228 # anchore engine api protocol: TCP -- GitLab From bc456b836ae71b1aa1b64500e9949d8348cb361c Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Thu, 27 May 2021 14:07:29 -0400 Subject: [PATCH 18/24] update istio network policy --- .../bigbang/networkpolicies/allow-istio.yaml | 38 ++++++++++++++++--- 1 file changed, 33 insertions(+), 5 deletions(-) diff --git a/chart/templates/bigbang/networkpolicies/allow-istio.yaml b/chart/templates/bigbang/networkpolicies/allow-istio.yaml index cf876d2..d44e5a2 100644 --- a/chart/templates/bigbang/networkpolicies/allow-istio.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-istio.yaml 
@@ -18,16 +18,44 @@ spec: matchLabels: {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}} ports: - - port: 3000 # enterprise UI + - port: {{ .Values.anchoreApi.service.port }} # anchore engine api (default: 8228) protocol: TCP - - port: 8228 # anchore engine api + - port: {{ .Values.anchoreCatalog.service.port }} # anchore catalog api (default: 8082) protocol: TCP - - port: 8229 # rbac manager + - port: {{ .Values.anchorePolicyEngine.service.port }} # anchore policy engine api (default: 8087) protocol: TCP - - port: 8558 # reports api + - port: {{ .Values.anchoreSimpleQueue.service.port }} # anchore simplequeue api (default: 8083) protocol: TCP - - port: 8668 # notifications api + {{- if hasKey .Values.postgresql "enabled" }} + {{- if (not .Values.postgresql.enabled) }} + - port: "{{$v := .Values.postgresql.externalEndpoint | split ":"}}{{$v._1}}" # in-cluster postgresql anchore db (default: 5432) protocol: TCP + {{- end }} + {{- end }} + {{- if .Values.anchoreEnterpriseGlobal.enabled }} + - port: {{ .Values.anchoreEnterpriseFeeds.service.port }} # anchore enterprise feeds api (default: 8448) + protocol: TCP + - port: {{ .Values.anchoreEnterpriseRbac.service.apiPort }} # anchore enterprise rbac manager api (default: 8229) + protocol: TCP + - port: {{ .Values.anchoreEnterpriseReports.service.port }} # anchore enterprise reports api (default: 8558) + protocol: TCP + - port: {{ .Values.anchoreEnterpriseNotifications.service.port }} # anchore enterprise notifications api (default: 8668) + protocol: TCP + - port: 3000 # anchore enterprise UI (default: 3000; note: Big Bang has configured Istio to use port 80) + protocol: TCP + {{- if hasKey (index .Values "anchore-ui-redis") "enabled" }} + {{- if (not (index .Values "anchore-ui-redis" "enabled")) }} + - port: "{{$v := (index .Values "anchore-ui-redis" "externalEndpoint") | split ":"}}{{$v._3}}" # in-cluster redis anchore enterprise UI dependency (default: 6379) + protocol: TCP + {{- end }} + {{- end }} + {{- 
if and (hasKey (index .Values "anchore-feeds-db") "enabled") }} + {{- if (not (index .Values "anchore-feeds-db" "enabled")) }} + - port: "{{$v := (index .Values "anchore-feeds-db" "externalEndpoint") | split ":"}}{{$v._1}}" # in-cluster postgresql anchore enterprise feeds db (default: 5432) + protocol: TCP + {{- end }} + {{- end }} + {{- end }} egress: - to: - namespaceSelector: -- GitLab From 0c2f5c13d6ba45921d63fada9a8bb027fcb34b6f Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Thu, 27 May 2021 14:39:50 -0400 Subject: [PATCH 19/24] update istio network policy --- .../bigbang/networkpolicies/allow-istio.yaml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/chart/templates/bigbang/networkpolicies/allow-istio.yaml b/chart/templates/bigbang/networkpolicies/allow-istio.yaml index d44e5a2..fe17541 100644 --- a/chart/templates/bigbang/networkpolicies/allow-istio.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-istio.yaml @@ -26,6 +26,10 @@ spec: protocol: TCP - port: {{ .Values.anchoreSimpleQueue.service.port }} # anchore simplequeue api (default: 8083) protocol: TCP + {{- if not (hasKey .Values.postgresql "enabled") }} + - port: 5432 # in-cluster postgresql anchore db + protocol: TCP + {{- end }} {{- if hasKey .Values.postgresql "enabled" }} {{- if (not .Values.postgresql.enabled) }} - port: "{{$v := .Values.postgresql.externalEndpoint | split ":"}}{{$v._1}}" # in-cluster postgresql anchore db (default: 5432) 
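Review bot: The externally-configured ports are rendered as quoted strings — `- port: "{{$v := .Values.postgresql.externalEndpoint | split ":"}}{{$v._1}}"` — and a NetworkPolicy port given as a string is matched as a named container port, not a number, so these entries will not match anything (and the API server will likely reject them, since port names must contain a letter). Render them as integers instead, e.g. `- port: {{ splitList ":" .Values.postgresql.externalEndpoint | last | int }}`, and use the same `| last | int` form for the redis and feeds-db endpoints, which also removes the fragile positional `$v._3` index that shifts if the redis password contains a colon. Separately, this rule admits traffic from pods matching `ingressLabels` (the ingress gateway, per the test values), and a gateway only needs the API and UI ports; additionally opening catalog, policy-engine, simplequeue, postgres 5432 and redis 6379 to it widens what a compromised gateway could reach, so if those ports are meant for sidecar or intra-namespace traffic they belong in a separate policy with a narrower peer. The `ingress` rule starts outside the hunk.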
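Review bot: The new fallback `{{- if not (hasKey .Values.postgresql "enabled") }} - port: 5432` plus the existing `not .Values.postgresql.enabled` branch allow a postgres port when the subchart key is absent or disabled, yet nothing is allowed when `postgresql.enabled` is true — the one case where a postgres pod actually lives in this namespace and this ingress policy could apply — so the condition looks inverted relative to the `# in-cluster postgresql anchore db` comments; please confirm which deployment shape is intended. When `enabled` is false the database is presumably outside the namespace, and an ingress rule on this namespace's pods then has no effect on it. A one-line comment on each branch stating the deployment shape it targets would make the intent checkable. The enclosing `ports` list starts and ends outside the hunk.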
@@ -43,13 +47,20 @@ spec: protocol: TCP - port: 3000 # anchore enterprise UI (default: 3000; note: Big Bang has configured Istio to use port 80) protocol: TCP + {{- if not (hasKey (index .Values "anchore-ui-redis") "enabled") }} + - port: 6379 # in-cluster redis anchore enterprise UI dependency + protocol: TCP + {{- end }} {{- if hasKey (index .Values "anchore-ui-redis") "enabled" }} {{- if (not (index .Values "anchore-ui-redis" "enabled")) }} - port: "{{$v := (index .Values "anchore-ui-redis" "externalEndpoint") | split ":"}}{{$v._3}}" # in-cluster redis anchore enterprise UI dependency (default: 6379) protocol: TCP {{- end }} {{- end }} - {{- if and (hasKey (index .Values "anchore-feeds-db") "enabled") }} + {{- if not (and (hasKey (index .Values "anchore-feeds-db") "enabled")) }} + - port: 5432 # in-cluster postgresql anchore enterprise feeds db + {{- end }} + {{- if and (hasKey (index .Values "anchore-feeds-db") "enabled") }} {{- if (not (index .Values "anchore-feeds-db" "enabled")) }} - port: "{{$v := (index .Values "anchore-feeds-db" "externalEndpoint") | split ":"}}{{$v._1}}" # in-cluster postgresql anchore enterprise feeds db (default: 5432) protocol: TCP -- GitLab From da44bead8526209e14138623423a981f30ce0e43 Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Thu, 27 May 2021 15:17:55 -0400 Subject: [PATCH 20/24] disable networkPolicies in test-values --- tests/test-values.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/test-values.yml b/tests/test-values.yml index c4085f4..3e223f7 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -1,11 +1,11 @@ istio: enabled: true -networkPolicies: - enabled: true - ingressLabels: - app: istio-ingressgateway - istio: ingressgateway +# networkPolicies: +# enabled: true +# ingressLabels: +# app: istio-ingressgateway +# istio: ingressgateway bbtests: scripts: -- GitLab From ce1ebf13030a58f290a0ba005390ca7e149b76aa Mon Sep 17 00:00:00 2001 
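Review bot: The added feeds-db fallback `- port: 5432 # in-cluster postgresql anchore enterprise feeds db` is the only port entry without a `protocol: TCP` line; TCP is the default so behaviour is unchanged, but add it for consistency with every sibling entry. The guard `{{- if not (and (hasKey (index .Values "anchore-feeds-db") "enabled")) }}` wraps a single operand in `and`, which is a no-op; `{{- if not (hasKey (index .Values "anchore-feeds-db") "enabled") }}` reads as intended, and the following `if and (...)` line has the same redundancy. Note also that the 5432/6379 fallbacks fire whenever the subchart `enabled` key is missing from the merged values, so a values file that omits the subchart section silently opens those ports to the gateway peer; declaring the keys explicitly in the chart's values.yaml (if they are not already) would make the `hasKey` branches unnecessary. The enclosing `ports` list starts outside the hunk.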
From: bhearn7 Date: Thu, 27 May 2021 15:35:58 -0400 Subject: [PATCH 21/24] update monitoring network policy --- .../bigbang/networkpolicies/allow-monitoring.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/chart/templates/bigbang/networkpolicies/allow-monitoring.yaml b/chart/templates/bigbang/networkpolicies/allow-monitoring.yaml index 4056e28..f610e42 100644 --- a/chart/templates/bigbang/networkpolicies/allow-monitoring.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-monitoring.yaml @@ -16,4 +16,19 @@ spec: podSelector: matchLabels: app: prometheus + ports: + - port: {{ .Values.anchoreApi.service.port }} # anchore engine api (default: 8228) + protocol: TCP + - port: {{ .Values.anchoreCatalog.service.port }} # anchore catalog api (default: 8082) + protocol: TCP + - port: {{ .Values.anchorePolicyEngine.service.port }} # anchore policy engine api (default: 8087) + protocol: TCP + - port: {{ .Values.anchoreSimpleQueue.service.port }} # anchore simplequeue api (default: 8083) + protocol: TCP + {{- if .Values.anchoreEnterpriseGlobal.enabled }} + - port: {{ .Values.anchoreEnterpriseFeeds.service.port }} # anchore enterprise feeds api (default: 8448) + protocol: TCP + - port: {{ .Values.anchoreEnterpriseRbac.service.apiPort }} # anchore enterprise rbac manager api (default: 8229) + protocol: TCP + {{- end }} {{- end }} \ No newline at end of file -- GitLab From 90240286d5ce1de5017e5e18c5baf3d1b8621bd8 Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Thu, 27 May 2021 15:51:13 -0400 Subject: [PATCH 22/24] fix monitoring network policy indentation --- .../networkpolicies/allow-monitoring.yaml | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/chart/templates/bigbang/networkpolicies/allow-monitoring.yaml b/chart/templates/bigbang/networkpolicies/allow-monitoring.yaml index f610e42..8eed2e8 100644 --- a/chart/templates/bigbang/networkpolicies/allow-monitoring.yaml 
+++ b/chart/templates/bigbang/networkpolicies/allow-monitoring.yaml @@ -16,19 +16,19 @@ spec: podSelector: matchLabels: app: prometheus - ports: - - port: {{ .Values.anchoreApi.service.port }} # anchore engine api (default: 8228) - protocol: TCP - - port: {{ .Values.anchoreCatalog.service.port }} # anchore catalog api (default: 8082) - protocol: TCP - - port: {{ .Values.anchorePolicyEngine.service.port }} # anchore policy engine api (default: 8087) - protocol: TCP - - port: {{ .Values.anchoreSimpleQueue.service.port }} # anchore simplequeue api (default: 8083) - protocol: TCP - {{- if .Values.anchoreEnterpriseGlobal.enabled }} - - port: {{ .Values.anchoreEnterpriseFeeds.service.port }} # anchore enterprise feeds api (default: 8448) - protocol: TCP - - port: {{ .Values.anchoreEnterpriseRbac.service.apiPort }} # anchore enterprise rbac manager api (default: 8229) - protocol: TCP + ports: + - port: {{ .Values.anchoreApi.service.port }} # anchore engine api (default: 8228) + protocol: TCP + - port: {{ .Values.anchoreCatalog.service.port }} # anchore catalog api (default: 8082) + protocol: TCP + - port: {{ .Values.anchorePolicyEngine.service.port }} # anchore policy engine api (default: 8087) + protocol: TCP + - port: {{ .Values.anchoreSimpleQueue.service.port }} # anchore simplequeue api (default: 8083) + protocol: TCP + {{- if .Values.anchoreEnterpriseGlobal.enabled }} + - port: {{ .Values.anchoreEnterpriseFeeds.service.port }} # anchore enterprise feeds api (default: 8448) + protocol: TCP + - port: {{ .Values.anchoreEnterpriseRbac.service.apiPort }} # anchore enterprise rbac manager api (default: 8229) + protocol: TCP {{- end }} {{- end }} \ No newline at end of file -- GitLab From af0d681d892b9f0484b60c081137464dba0f7ba0 Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Fri, 28 May 2021 13:03:14 -0400 Subject: [PATCH 23/24] bump images.txt tags --- tests/images.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/tests/images.txt b/tests/images.txt index ac96fca..686a9f3 100644 --- a/tests/images.txt +++ b/tests/images.txt @@ -1,2 +1,2 @@ -registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.2 -registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.1 +registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.3 +registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.3 -- GitLab From 292552b1cefe9ae04d4d906afe8f5103ed38e53e Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Fri, 28 May 2021 13:38:08 -0400 Subject: [PATCH 24/24] enable NPs in CI --- tests/test-values.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test-values.yml b/tests/test-values.yml index 3e223f7..ef17dcd 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -1,8 +1,8 @@ istio: enabled: true -# networkPolicies: -# enabled: true +networkPolicies: + enabled: true # ingressLabels: # app: istio-ingressgateway # istio: ingressgateway -- GitLab