Merge branch 'add-network-policy' into 'main'

Add network policy

See merge request !22

.gitlab-ci.yml

 include:
-  - project: 'platform-one/big-bang/pipeline-templates/pipeline-templates'
+  - project: "platform-one/big-bang/pipeline-templates/pipeline-templates"
     ref: master
-    file: '/templates/package-tests.yml'
+    file: "/templates/package-tests.yml"

chart/Chart.yaml

 apiVersion: v2
 name: twistlock
-version: 0.0.4-bb.0
+version: 0.0.4-bb.1
 appVersion: 21.04.412

chart/templates/network-policy/egress-default-deny-external.yml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-external-egress
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  podSelector: {}
+  policyTypes:
+    - Egress
+  egress: []
+{{- end }}
\ No newline at end of file

chart/templates/network-policy/ingress-default-deny.yml

+{{- if .Values.networkPolicies.enabled}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-ingress
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  podSelector: {}
+  ingress: []
+  policyTypes:
+    - Ingress
+{{- end }}
\ No newline at end of file

chart/templates/network-policy/ingress-egress-istio.yml

+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: istio
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              app.kubernetes.io/name: istio-controlplane
+  egress:
+    - to:
+      - namespaceSelector:
+          matchLabels:
+            app.kubernetes.io/name: istio-controlplane
+{{- end }}

chart/templates/network-policy/ingress-monitoring.yml

+{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-scraping
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  ingress:
+    - from:
+        - namespaceSelector: {} # all namespaces for now
+      ports:
+        - port: PROMETHEUS_PORT
+          protocol: TCP
+  podSelector: {} # all pods
+  policyTypes:
+    - Ingress
+{{- end }}

chart/values.yaml

@@ -16,9 +16,12 @@ istio:
     hosts:
       - twistlock.{{ .Values.hostname }}
 
+networkPolicies:
+  enabled: false
+
 # imagePullSecrets defines the secrets to use when pulling the operator container image.
 imagePullSecrets: []
-  
+
 console:
   image:
     repository: registry1.dso.mil/ironbank/twistlock/console/console
@@ -28,7 +31,8 @@ console:
     size: 100Gi
     accessMode: ReadWriteOnce
 
-affinity: {}
+affinity:
+  {}
   # podAntiAffinity:
   #   requiredDuringSchedulingIgnoredDuringExecution:
   #     - topologyKey: "kubernetes.io/hostname"
@@ -44,10 +48,12 @@ affinity: {}
   #         values:
   #         - "twistlock"
 
-nodeSelector: {}
+nodeSelector:
+  {}
   # node-type: twistlock"
 
-tolerations: []
+tolerations:
+  []
   # - key: "key1"
   #   operator: "Equal"
   #   value: "value1"

tests/test-values.yml

@@ -2,7 +2,7 @@ istio:
   enabled: true
 
 imagePullSecrets:
-- name: private-registry-mil
+  - name: private-registry-mil
 
 console:
   persistence: