From 526ad98739030c2b03f8428f08f48a07c6771a62 Mon Sep 17 00:00:00 2001
From: Joshua Carnes
Date: Tue, 25 May 2021 20:27:49 +0000
Subject: [PATCH] Add network policy
---
 .gitlab-ci.yml | 4 ++--
 chart/Chart.yaml | 2 +-
 .../egress-default-deny-external.yml | 12 ++++++++++
 .../network-policy/ingress-default-deny.yml | 12 ++++++++++
 .../network-policy/ingress-egress-istio.yml | 22 +++++++++++++++++++
 .../network-policy/ingress-monitoring.yml | 17 ++++++++++++++
 chart/values.yaml | 14 ++++++++----
 tests/test-values.yml | 2 +-
 8 files changed, 77 insertions(+), 8 deletions(-)
 create mode 100644 chart/templates/network-policy/egress-default-deny-external.yml
 create mode 100644 chart/templates/network-policy/ingress-default-deny.yml
 create mode 100644 chart/templates/network-policy/ingress-egress-istio.yml
 create mode 100644 chart/templates/network-policy/ingress-monitoring.yml
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6e9f482..a231cd5 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,4 +1,4 @@
 include:
- - project: 'platform-one/big-bang/pipeline-templates/pipeline-templates'
+ - project: "platform-one/big-bang/pipeline-templates/pipeline-templates"
 ref: master
- file: '/templates/package-tests.yml'
+ file: "/templates/package-tests.yml"
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index 8f810a3..df56b60 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,4 +1,4 @@
 apiVersion: v2
 name: twistlock
-version: 0.0.4-bb.0
+version: 0.0.4-bb.1
 appVersion: 21.04.412
diff --git a/chart/templates/network-policy/egress-default-deny-external.yml b/chart/templates/network-policy/egress-default-deny-external.yml
new file mode 100644
index 0000000..59ddf47
--- /dev/null
+++ b/chart/templates/network-policy/egress-default-deny-external.yml
@@ -0,0 +1,12 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-external-egress
+ namespace: "{{ .Release.Namespace }}"
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ egress: []
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/network-policy/ingress-default-deny.yml b/chart/templates/network-policy/ingress-default-deny.yml
new file mode 100644
index 0000000..54c9ad5
--- /dev/null
+++ b/chart/templates/network-policy/ingress-default-deny.yml
@@ -0,0 +1,12 @@
+{{- if .Values.networkPolicies.enabled}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-ingress
+ namespace: "{{ .Release.Namespace }}"
+spec:
+ podSelector: {}
+ ingress: []
+ policyTypes:
+ - Ingress
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml
new file mode 100644
index 0000000..80fb410
--- /dev/null
+++ b/chart/templates/network-policy/ingress-egress-istio.yml
@@ -0,0 +1,22 @@
+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: istio
+ namespace: "{{ .Release.Namespace }}"
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: istio-controlplane
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: istio-controlplane
+{{- end }}
diff --git a/chart/templates/network-policy/ingress-monitoring.yml b/chart/templates/network-policy/ingress-monitoring.yml
new file mode 100644
index 0000000..0bc7274
--- /dev/null
+++ b/chart/templates/network-policy/ingress-monitoring.yml
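Review bot: `egress: []` together with `policyTypes: - Egress` denies all egress from every pod in the release namespace, including in-cluster traffic such as DNS to the cluster resolver, so the name `default-deny-external-egress` understates what the policy does. The only egress allowance in this commit is the istio-controlplane rule in ingress-egress-istio.yml; unless a template outside this diff opens DNS, the console cannot resolve names once `networkPolicies.enabled` is true. An explicit DNS egress rule (below) keeps the default-deny intent while restoring resolution; the selector shown relies on the `kubernetes.io/metadata.name` namespace label, which only exists on clusters that apply it, so substitute the label the cluster DNS namespace actually carries where needed. Both this file and ingress-default-deny.yml also end without a trailing newline.
```yaml
# … unchanged: template guard, apiVersion, kind, metadata …
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    # Allow cluster DNS only; every other egress stays denied.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```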
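Review bot: The template guard `{{- if .Values.networkPolicies.enabled}}` is missing the space before the closing delimiter that the other three new templates use; `{{- if .Values.networkPolicies.enabled }}` keeps the files consistent (Go templates accept both forms). The `ingress: []` / `policyTypes` key order is also the reverse of the egress policy's `policyTypes` / `egress` order, and matching it makes the two deny policies read as a pair.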
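Review bot: Both the ingress `from` and egress `to` rules match namespaces by the label `app.kubernetes.io/name: istio-controlplane`, which nothing in this chart sets; if the cluster's Istio namespace is labelled differently, the sidecar can no longer reach istiod and, should the ingress gateway live in a differently labelled namespace, the `istio.hosts` route to the console breaks as well once the default-deny policies are enabled. A comment at the top of the template stating that expectation, e.g. `# Expects the Istio control-plane namespace to carry app.kubernetes.io/name=istio-controlplane (presumably the Big Bang convention)`, makes the failure mode discoverable. The egress rule also carries no `ports:`, so every pod in the namespace may reach every port in the control-plane namespace; narrowing it to the istiod ports the sidecar uses would follow least privilege, though the exact ports depend on the mesh configuration and should be verified before tightening.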
@@ -0,0 +1,17 @@
+{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-scraping
+ namespace: "{{ .Release.Namespace }}"
+spec:
+ ingress:
+ - from:
+ - namespaceSelector: {} # all namespaces for now
+ ports:
+ - port: PROMETHEUS_PORT
+ protocol: TCP
+ podSelector: {} # all pods
+ policyTypes:
+ - Ingress
+{{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index 1dfb72a..54266e5 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -16,9 +16,12 @@ istio:
 hosts:
 - twistlock.{{ .Values.hostname }}
+networkPolicies:
+ enabled: false
+
 # imagePullSecrets defines the secrets to use when pulling the operator container image.
 imagePullSecrets: []
-
+
 console:
 image:
 repository: registry1.dso.mil/ironbank/twistlock/console/console
@@ -28,7 +31,8 @@ console:
 size: 100Gi
 accessMode: ReadWriteOnce
-affinity: {}
+affinity:
+ {}
 # podAntiAffinity:
 # requiredDuringSchedulingIgnoredDuringExecution:
 # - topologyKey: "kubernetes.io/hostname"
@@ -44,10 +48,12 @@ affinity: {}
 # values:
 # - "twistlock"
-nodeSelector: {}
+nodeSelector:
+ {}
 # node-type: twistlock"
-tolerations: []
+tolerations:
+ []
 # - key: "key1"
 # operator: "Equal"
 # value: "value1"
diff --git a/tests/test-values.yml b/tests/test-values.yml
index 26bab16..2986adb 100644
--- a/tests/test-values.yml
+++ b/tests/test-values.yml
@@ -2,7 +2,7 @@ istio:
 enabled: true
 imagePullSecrets:
-- name: private-registry-mil
+ - name: private-registry-mil
 console:
 persistence:
--
GitLab
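Review bot: `port: PROMETHEUS_PORT` is an unreplaced placeholder: a string port in a NetworkPolicy must be a valid named container port (lowercase alphanumerics and hyphens), so the API server rejects this manifest whenever both `networkPolicies.enabled` and `monitoring.enabled` are true. Replace it with the console's metrics port number or the name the console container actually gives that port, e.g. `- port: <console metrics port>`, with the value sourced from the chart rather than hard-coded twice. `namespaceSelector: {}` also opens the metrics port to pods in every namespace; selecting the monitoring namespace by label would limit scrape access to Prometheus, and the `# all namespaces for now` comment should then record why the broader selector was needed if it stays. The guard reads `.Values.monitoring.enabled`, but this diff adds no `monitoring` key to values.yaml; if it is not defined elsewhere, rendering fails with a nil-pointer template error instead of skipping the policy, so defaulting `monitoring.enabled` in values.yaml is worth confirming.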
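Review bot: The new `networkPolicies.enabled` key has no explanatory comment, while the neighbouring `imagePullSecrets` key does; a line such as `# networkPolicies.enabled renders the default-deny ingress/egress NetworkPolicies and the Istio/monitoring allow rules in templates/network-policy/; traffic the allow rules do not cover is blocked.` tells operators what flipping it to true does. The `affinity`, `nodeSelector` and `tolerations` edits in the two later hunks only move `{}`/`[]` onto their own line, which is formatter output rather than a semantic change, so keeping them out of the feature commit would make the history easier to read.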