diff --git a/CHANGELOG.md b/CHANGELOG.md index 2259d768d16078f5a489a015d75c772fd39d56ea..e75fa648a4ee64bbb31404919569a46e1adc5ae7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,28 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [0.0.5-bb.0] - 2021-06-02 + +### Changed + +- Network policy resource Templates + +## [0.0.4-bb.3] - 2021-06-01 + +### Added + +- Gluon test library dependency + +### Changed + +- CI Test infrastructure. Migrating to helm tests with script capabilities. + +## [0.0.4-bb.2] - 2021-05-26 + +### Added + +- Network policy resource Templates + ## [0.0.4-bb.0] - 2021-05-12 ### Added diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 571ee7b26cb879b5e297ee43b66fa2b3235cd000..f09518e01329e585d6a455de31ca4efda2ed6fe6 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: twistlock -version: 0.0.4-bb.3 +version: 0.0.5-bb.0 appVersion: 21.04.412 dependencies: - name: gluon diff --git a/chart/templates/network-policy/egress-default-deny-external.yml b/chart/templates/networkpolicies/egress-default-deny-external.yml similarity index 100% rename from chart/templates/network-policy/egress-default-deny-external.yml rename to chart/templates/networkpolicies/egress-default-deny-external.yml diff --git a/chart/templates/networkpolicies/egress-kube-dns.yaml b/chart/templates/networkpolicies/egress-kube-dns.yaml new file mode 100644 index 0000000000000000000000000000000000000000..7e7a35c87a63ae8361e87e36eb081c50e81c0f09 --- /dev/null +++ b/chart/templates/networkpolicies/egress-kube-dns.yaml @@ -0,0 +1,17 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: egress-kube-dns + namespace: "{{ .Release.Namespace }}" +spec: + egress: + - to: + - namespaceSelector: {} # all namespaces + ports: + - port: 53 + protocol: UDP + podSelector: {} # all pods in Release namespace + policyTypes: + - Egress +{{- end }} 
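Review bot: The `to:` peer in egress-kube-dns.yaml is `namespaceSelector: {}` with no `podSelector`, so the rule permits UDP/53 to every pod in every namespace rather than to the cluster DNS service — any pod that binds UDP 53 becomes a reachable egress target (and a DNS-tunnelling exit) from this namespace. Pin the peer to the DNS pods; the selector below uses the conventional kube-system / `k8s-app: kube-dns` labels, but confirm them against this cluster's CoreDNS deployment (the `kubernetes.io/metadata.name` namespace label needs Kubernetes 1.21+). DNS also falls back to TCP for truncated responses, so add a TCP/53 entry alongside UDP or large lookups will fail under the default deny. The file is complete in the hunk, so the `{{- if .Values.networkPolicies.enabled }}` guard is unaffected by this change.
```yaml
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  # … unchanged: podSelector / policyTypes …
```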
diff --git a/chart/templates/networkpolicies/helm-test-egress.yaml b/chart/templates/networkpolicies/helm-test-egress.yaml new file mode 100644 index 0000000000000000000000000000000000000000..2364497729eaaaac960fc6a37fdaf16a55442ab9 --- /dev/null +++ b/chart/templates/networkpolicies/helm-test-egress.yaml @@ -0,0 +1,21 @@ +{{- $bbtests := .Values.bbtests | default dict -}} +{{- $cypress := $bbtests.cypress | default dict -}} +{{- $enabled := (hasKey $bbtests "enabled") -}} +{{- $artifacts := (hasKey $cypress "artifacts") -}} +{{- if and $enabled $artifacts }} +{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled .Values.bbtests.cypress.artifacts }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-helm-test-egress + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + helm-test: enabled + policyTypes: + - Egress + egress: + - {} +{{- end }} +{{- end }} diff --git a/chart/templates/network-policy/ingress-all-ns.yml b/chart/templates/networkpolicies/ingress-allow-ns.yml similarity index 62% rename from chart/templates/network-policy/ingress-all-ns.yml rename to chart/templates/networkpolicies/ingress-allow-ns.yml index 49f8bba22cd5c54f6cdfa7187f3ed304e2f651af..6e8a95a703d52c275fcdc2ad635366f087b5ec76 100644 --- a/chart/templates/network-policy/ingress-all-ns.yml +++ b/chart/templates/networkpolicies/ingress-allow-ns.yml @@ -2,14 +2,12 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: ingress-allow-cluster + name: ingress-allow-ns namespace: "{{ .Release.Namespace }}" spec: ingress: - from: - - namespaceSelector: {} # all namespaces for now - ports: - - port: 8084 # communications port + - podSelector: {} # all pods in namespace podSelector: {} # all pods policyTypes: - Ingress 
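Review bot: The `egress: - {}` rule in helm-test-egress.yaml grants unrestricted egress to any pod in the release namespace carrying `helm-test: enabled`, which turns that label into a standing bypass of the egress default-deny rather than a test-only exception — anything that can create or relabel a pod in the namespace inherits it. Because the guard is only `bbtests.enabled && bbtests.cypress.artifacts`, the policy also persists in any environment where those values are left on, not just for the duration of `helm test`. Consider restricting the `to:` peer to the artifact destination, or marking the resource as a test hook (for example `helm.sh/hook: test` with `helm.sh/hook-delete-policy: hook-succeeded,hook-failed`) so it only exists while the tests run. Also quote the namespace as the sibling templates do, `namespace: "{{ .Release.Namespace }}"`.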
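Review bot: The rewritten rule in ingress-allow-ns.yml drops the `ports: - port: 8084` restriction that the old `ingress-allow-cluster` policy carried, so with `podSelector: {}` on both sides every pod in the release namespace can now reach every other pod on every port. Narrowing the source from all namespaces to the namespace itself is an improvement, but if the intra-namespace flow this exists for is still the communications port the old comment referred to, keep the port list: `ports:` / `- port: 8084`. If other intra-namespace ports are required they should be enumerated rather than opened wholesale; the console and defender manifests are not in this diff, so I can't confirm which ports those are.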
diff --git a/chart/templates/network-policy/ingress-default-deny.yml b/chart/templates/networkpolicies/ingress-default-deny.yml similarity index 100% rename from chart/templates/network-policy/ingress-default-deny.yml rename to chart/templates/networkpolicies/ingress-default-deny.yml diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/networkpolicies/ingress-istio-ingressgateway.yml similarity index 52% rename from chart/templates/network-policy/ingress-egress-istio.yml rename to chart/templates/networkpolicies/ingress-istio-ingressgateway.yml index 80fb410aeb46abc785cf43a034e1075f6f5c7591..29b55a7be8b853ed073bfce3663914a21e6d7163 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/networkpolicies/ingress-istio-ingressgateway.yml @@ -2,21 +2,23 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: istio + name: istio-ingress namespace: "{{ .Release.Namespace }}" spec: - podSelector: {} + podSelector: + matchLabels: + app: twistlock-console policyTypes: - Ingress - - Egress ingress: - from: - - namespaceSelector: - matchLabels: - app.kubernetes.io/name: istio-controlplane - egress: - - to: - namespaceSelector: matchLabels: app.kubernetes.io/name: istio-controlplane + podSelector: + matchLabels: + {{- toYaml .Values.networkPolicies.ingressLabels | nindent 12}} + ports: + - port: 8081 #Default UI console Port + - port: 8083 #TLS configured UI console Port {{- end }} diff --git a/chart/templates/network-policy/ingress-monitoring.yml b/chart/templates/networkpolicies/ingress-monitoring.yml similarity index 52% rename from chart/templates/network-policy/ingress-monitoring.yml rename to chart/templates/networkpolicies/ingress-monitoring.yml index 0bc727413909ec492331206379e4bcdcca4789af..8f683c776fc09dc350cf72d37230c5f53eb2b76f 100644 --- a/chart/templates/network-policy/ingress-monitoring.yml +++ b/chart/templates/networkpolicies/ingress-monitoring.yml 
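Review bot: The target `podSelector` in ingress-istio-ingressgateway.yml matches `app: twistlock-console`, while the ingress-monitoring policy in this same change selects the console with `name: twistlock-console`; unless the console pod carries both labels, one of these selectors matches nothing, and a NetworkPolicy whose podSelector matches no pod is silently a no-op — so either the UI is unreachable from the gateway or Prometheus cannot scrape, depending on which key is wrong. Check the console Deployment's pod template labels (not in this diff) and use the same key in both policies. The `{{- if }}` guard on line 1 is outside the hunk, so the enabling condition isn't visible here; the `ports:` entries default to TCP, which is appropriate for 8081/8083.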
@@ -7,11 +7,17 @@ metadata: spec: ingress: - from: - - namespaceSelector: {} # all namespaces for now + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: monitoring + podSelector: + matchLabels: + app: prometheus ports: - - port: PROMETHEUS_PORT - protocol: TCP - podSelector: {} # all pods + - port: 8081 + podSelector: + matchLabels: + name: twistlock-console policyTypes: - Ingress {{- end }} diff --git a/chart/templates/networkpolicies/istiod-egress.yml b/chart/templates/networkpolicies/istiod-egress.yml new file mode 100644 index 0000000000000000000000000000000000000000..f5d9665ad0e538af77285bcbcce25bcfbb090b14 --- /dev/null +++ b/chart/templates/networkpolicies/istiod-egress.yml @@ -0,0 +1,21 @@ +{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-istiod-egress + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Egress + egress: + - to: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane + podSelector: + matchLabels: + app: istiod + ports: + - port: 15012 +{{- end }} \ No newline at end of file diff --git a/chart/values.yaml b/chart/values.yaml index 54266e5b529c8a77960a769ee2834b7294d3b128..1795bdd1fa327fa173d7cf9adaf38387f0915b6c 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -18,6 +18,9 @@ istio: networkPolicies: enabled: false + ingressLabels: + app: istio-ingressgateway + istio: ingressgateway # imagePullSecrets defines the secrets to use when pulling the operator container image. imagePullSecrets: [] diff --git a/tests/test-values.yml b/tests/test-values.yml index 520f8ce4bf5f38c86541b9e1d0a961fdb7cb2d24..b0d2e562ae5ac17eba833a097c88f531003bd85c 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -1,6 +1,9 @@ istio: enabled: true +networkPolicies: + enabled: true + imagePullSecrets: - name: private-registry-mil
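Review bot: ingress-monitoring.yml admits Prometheus only on `port: 8081`, yet the istio policy in this same change labels 8083 as the TLS-configured console port; if the scrape target is the TLS listener, this rule blocks it under the default deny. Either add `- port: 8083` or document the choice, e.g. `# 8081 only: metrics are scraped on the plain console port`. The selector `name: twistlock-console` also differs from `app: twistlock-console` in ingress-istio-ingressgateway.yml — confirm against the console pod labels, since a non-matching selector makes the policy a silent no-op. The `{{- if }}` guard and `metadata.name` lie outside this hunk.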
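Review bot: `namespace: {{ .Release.Namespace }}` in istiod-egress.yml is unquoted, unlike the sibling policies that write `namespace: "{{ .Release.Namespace }}"`; quote it for consistency and so the rendered value is always a string. The file also lacks a trailing newline (`\ No newline at end of file`) and uses `.yml` where the other new template in this change uses `.yaml` — pick one extension for the directory. The rule itself is tightly scoped (istiod pods on 15012 only), which is the right shape.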
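Review bot: The new `ingressLabels` key in values.yaml carries no comment explaining what it selects, even though it is spliced into a NetworkPolicy `podSelector` and a wrong value silently cuts the console UI off from the gateway. Add above it: `# Pod labels of the Istio ingress gateway allowed to reach the console UI (8081/8083); must match the gateway's pod template labels.` Note also that `enabled: false` leaves every policy in this change off by default, so consumers must opt in — worth stating in that comment or the CHANGELOG entry.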