From e16cdfeddcf603acf0037f3c9c87a2d313d9ddee Mon Sep 17 00:00:00 2001
From: Brendon Lloyd
Date: Wed, 21 Jul 2021 11:02:44 -1000
Subject: [PATCH 1/4] Add openshift toggle, conditionally add port 5353 egress. Changing "openshift:" to true in values.yaml will enable.
---
 CHANGELOG.md | 4 ++++
 chart/Chart.yaml | 2 +-
 chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml | 6 +++++-
 chart/values.yaml | 2 ++
 4 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6b0152c..ed1d091 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ---
+## [1.13.0-bb.4]
+### Fixed
+- Add openshift toggle, conditionally add port 5353 egress. Changing "openshift:" to true in values.yaml will enable.
+
 ## [1.13.0-bb.3]
 ### Fixed
 - incorrect label on `allow-egress-enterprise-engine-upgrade-job` network policy
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index fc5c4c8..eeeaaee 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.13.0-bb.3
+version: 1.13.0-bb.4
 appVersion: 0.10.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
diff --git a/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml b/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml
index 17d27b1..3b425ca 100644
--- a/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml
@@ -19,4 +19,8 @@ spec:
 protocol: UDP
 - port: 443
 protocol: TCP
-{{- end }}
\ No newline at end of file
+ {{- if .Values.openshift }}
+ - port: 5353
+ protocol: UDP
+ {{- end }}
+{{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index 77ccead..ca3b554 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
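Review bot: Adding UDP 5353 to the port list only opens the egress if the rule's `to:` selector (above the hunk, not visible here) also matches the OpenShift DNS pods; on OpenShift the cluster DNS runs in the `openshift-dns` namespace rather than `kube-system`, so a selector written for kube-dns would still block the 5353 traffic even with this port entry rendered. Worth checking the top of the file and, if the selector is kube-system/kube-dns specific, gating an OpenShift-specific `to:` entry under the same toggle. Patch 3 rewrites the same condition line and inherits this question. The enclosing egress rule and the outer `{{- if` closed by the final `{{- end }}` both start outside the hunk.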
@@ -1126,3 +1126,5 @@ anchoreEnterpriseEngineUpgradeJob:
 # To inject secrets ( credentails data ) via env, rather k8s secrets please set this flag to true.
 # This feature will be useful, especially to inject secrets directly into k8s pods from hashicorp vault
 # inject_secrets_via_env: false
+
+openshift: false
-- GitLab
From 953f7da279d3f2b31226eb935d6daa01ca38c294 Mon Sep 17 00:00:00 2001
From: Brendon Lloyd
Date: Thu, 22 Jul 2021 18:57:31 +0000
Subject: [PATCH 2/4] Update values.yaml to remove local openshift variable in favor of global one
---
 chart/values.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/chart/values.yaml b/chart/values.yaml
index ca3b554..77ccead 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -1126,5 +1126,3 @@ anchoreEnterpriseEngineUpgradeJob:
 # To inject secrets ( credentails data ) via env, rather k8s secrets please set this flag to true.
 # This feature will be useful, especially to inject secrets directly into k8s pods from hashicorp vault
 # inject_secrets_via_env: false
-
-openshift: false
-- GitLab
From a8f215d7b85e9005c0faff4651d890dd3bbab330 Mon Sep 17 00:00:00 2001
From: Brendon Lloyd
Date: Thu, 22 Jul 2021 18:59:18 +0000
Subject: [PATCH 3/4] Update allow-kube-dns.yaml to use global .Values.anchoreGlobal.openShiftDeployment variable for the port 5353 egress rule
---
 chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml b/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml
index 3b425ca..87bb579 100644
--- a/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml
@@ -19,7 +19,7 @@ spec:
 protocol: UDP
 - port: 443
 protocol: TCP
- {{- if .Values.openshift }}
+ {{- if .Values.anchoreGlobal.openShiftDeployment }}
 - port: 5353
 protocol: UDP
 {{- end }}
-- GitLab
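Review bot: The new condition `{{- if .Values.anchoreGlobal.openShiftDeployment }}` leaves the reader to guess why 5353/UDP sits next to the 53 and 443 entries; a one-line template comment above it would spare the next maintainer a search, e.g. `{{- /* OpenShift's cluster DNS (openshift-dns) serves on 5353/UDP rather than 53 */}}`. Patch 2 removed the chart-local `openshift` default, yet no hunk in this series adds `anchoreGlobal.openShiftDeployment` to values.yaml; if `anchoreGlobal` were not already a map there, Helm would fail rendering on this line with a nil-pointer error rather than treating the value as false, so it is worth confirming the key is defined (presumably it comes from the upstream chart's values). The rule's `to:` selector and the enclosing egress block start outside the hunk.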
From a703dff82d3750d696fc553a7fdad33bc795dbb4 Mon Sep 17 00:00:00 2001
From: Brendon Lloyd
Date: Thu, 22 Jul 2021 22:30:37 +0000
Subject: [PATCH 4/4] Apply 1 suggestion(s) to 1 file(s)
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ed1d091..e586c7e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ## [1.13.0-bb.4]
 ### Fixed
-- Add openshift toggle, conditionally add port 5353 egress. Changing "openshift:" to true in values.yaml will enable.
+- update allow-kube-dns NP to conditionally add port 5353 egress when `.Values.anchoreGlobal.openShiftDeployment` is `true`
 ## [1.13.0-bb.3]
 ### Fixed
-- GitLab