From dcb7af07e68d8bbed853962de36ef427a446ae49 Mon Sep 17 00:00:00 2001 From: jtcarnes Date: Tue, 25 May 2021 14:10:04 -0400 Subject: [PATCH 01/21] feat(network-policy): added default denies and monitoring --- .../network-policy/egress-default-deny.yml | 13 +++++++++++++ .../network-policy/ingress-default-deny.yml | 10 ++++++++++ .../network-policy/ingress-monitoring.yml | 18 ++++++++++++++++++ 3 files changed, 41 insertions(+) create mode 100644 chart/templates/network-policy/egress-default-deny.yml create mode 100644 chart/templates/network-policy/ingress-default-deny.yml create mode 100644 chart/templates/network-policy/ingress-monitoring.yml diff --git a/chart/templates/network-policy/egress-default-deny.yml b/chart/templates/network-policy/egress-default-deny.yml new file mode 100644 index 0000000..8a25f6f --- /dev/null +++ b/chart/templates/network-policy/egress-default-deny.yml @@ -0,0 +1,13 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny-external-egress + namespace: "{{ .Release.Namespace }}" +spec: + podSelector: {} + policyTypes: + - Egress + egress: + - to: + - namespaceSelector: {} diff --git a/chart/templates/network-policy/ingress-default-deny.yml b/chart/templates/network-policy/ingress-default-deny.yml new file mode 100644 index 0000000..f94cb09 --- /dev/null +++ b/chart/templates/network-policy/ingress-default-deny.yml @@ -0,0 +1,10 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny-ingress + namespace: "{{ .Release.Namespace }}" +spec: + podSelector: {} + policyTypes: + - Ingress diff --git a/chart/templates/network-policy/ingress-monitoring.yml b/chart/templates/network-policy/ingress-monitoring.yml new file mode 100644 index 0000000..fd91ce4 --- /dev/null +++ b/chart/templates/network-policy/ingress-monitoring.yml 
@@ -0,0 +1,18 @@ +{{- if .Values.monitoring.enabled}} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-scraping + namespace: "{{ .Release.Namespace }}" +spec: + ingress: + - from: + - namespaceSelector: {} # all namespaces for now + ports: + - port: PROMETHEUS_PORT + protocol: TCP + podSelector: {} # all pods + policyTypes: + - Ingress +{{- end }} -- GitLab From 8a6738c2ac2dd8804884204ab522087c96fda5db Mon Sep 17 00:00:00 2001 From: jtcarnes Date: Tue, 25 May 2021 14:41:06 -0400 Subject: [PATCH 02/21] added policies --- .../network-policy/egress-default-deny.yml | 2 ++ .../network-policy/ingress-default-deny.yml | 2 ++ .../network-policy/ingress-egress-istio.yml | 18 ++++++++++++++++++ .../network-policy/ingress-monitoring.yml | 2 +- 4 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 chart/templates/network-policy/ingress-egress-istio.yml diff --git a/chart/templates/network-policy/egress-default-deny.yml b/chart/templates/network-policy/egress-default-deny.yml index 8a25f6f..fc2ba34 100644 --- a/chart/templates/network-policy/egress-default-deny.yml +++ b/chart/templates/network-policy/egress-default-deny.yml @@ -1,3 +1,4 @@ +{{- if and .Values.networkPolicies.enabled }} --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy @@ -11,3 +12,4 @@ spec: egress: - to: - namespaceSelector: {} +{{- end }} \ No newline at end of file diff --git a/chart/templates/network-policy/ingress-default-deny.yml b/chart/templates/network-policy/ingress-default-deny.yml index f94cb09..adfdffc 100644 --- a/chart/templates/network-policy/ingress-default-deny.yml +++ b/chart/templates/network-policy/ingress-default-deny.yml @@ -1,3 +1,4 @@ +{{- if .Values.networkPolicies.enabled}} --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy @@ -8,3 +9,4 @@ spec: podSelector: {} policyTypes: - Ingress +{{- end }} \ No newline at end of file 
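Review bot: `- port: PROMETHEUS_PORT` in the new ingress-monitoring.yml is a literal placeholder, not a templated value; a string here is treated as a named container port, and port names must be lowercase DNS-label style, so the API server will reject this object as soon as both `networkPolicies.enabled` and `monitoring.enabled` are true. Patch 10 re-adds the file with the same line, so the fix applies there too: replace it with the console's real metrics port number, or a values key for it once one exists (none is added in this series). Relatedly, `.Values.monitoring.enabled` is not defined by the values.yaml hunk in patch 03; if values.yaml does not already carry a `monitoring:` map, Helm fails rendering this template with a nil-pointer error on `.enabled`, which would be worth confirming. The `# all namespaces for now` comment on `namespaceSelector: {}` should say what it is meant to be narrowed to (the monitoring namespace label), otherwise "for now" tends to become permanent.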
diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml new file mode 100644 index 0000000..326610b --- /dev/null +++ b/chart/templates/network-policy/ingress-egress-istio.yml @@ -0,0 +1,18 @@ +{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istio + namespace: "{{ .Release.Namespace }}" +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + ingress: + - from: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane +{{- end }} \ No newline at end of file diff --git a/chart/templates/network-policy/ingress-monitoring.yml b/chart/templates/network-policy/ingress-monitoring.yml index fd91ce4..b62034d 100644 --- a/chart/templates/network-policy/ingress-monitoring.yml +++ b/chart/templates/network-policy/ingress-monitoring.yml @@ -1,4 +1,4 @@ -{{- if .Values.monitoring.enabled}} +{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled }} --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy -- GitLab From cbdae4770fa438e51363e8e1024cbafff1ee78ed Mon Sep 17 00:00:00 2001 From: jtcarnes Date: Tue, 25 May 2021 14:42:52 -0400 Subject: [PATCH 03/21] added network policies values --- chart/values.yaml | 14 ++++++++++---- tests/test-values.yml | 5 ++++- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index 1dfb72a..54266e5 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -16,9 +16,12 @@ istio: hosts: - twistlock.{{ .Values.hostname }} +networkPolicies: + enabled: false + # imagePullSecrets defines the secrets to use when pulling the operator container image. imagePullSecrets: [] - + console: image: repository: registry1.dso.mil/ironbank/twistlock/console/console 
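Review bot: The new istio policy trusts every pod in any namespace labelled `app.kubernetes.io/name: istio-controlplane` on every port, and once patch 06 adds the matching egress rule the trust is symmetric (patch 14 re-adds the same file). NetworkPolicy rules are additive, so this is the broadest allow in the chart; a `ports:` list on each rule (the istiod xDS port for egress and the console's listening ports for ingress — confirm which the sidecar and gateway actually use) would keep the default-deny policies meaningful. A one-line comment above `ingress:` noting that the selector is expected to match the istio-system namespace as labelled by the istio chart would also help, since this template cannot verify that label itself.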
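Review bot: The new `networkPolicies:` block in values.yaml has no explanatory comment, while the neighbouring `imagePullSecrets` key documents its purpose. Add something like `# networkPolicies.enabled renders the NetworkPolicy templates under chart/templates/network-policy/ (default-deny ingress/egress plus the istio and monitoring allow rules).` Because enabling it changes which traffic the console can send and receive, the comment should also name the other values that gate the allow rules (`istio.enabled`, `monitoring.enabled`).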
@@ -28,7 +31,8 @@ console: size: 100Gi accessMode: ReadWriteOnce -affinity: {} +affinity: + {} # podAntiAffinity: # requiredDuringSchedulingIgnoredDuringExecution: # - topologyKey: "kubernetes.io/hostname" @@ -44,10 +48,12 @@ affinity: {} # values: # - "twistlock" -nodeSelector: {} +nodeSelector: + {} # node-type: twistlock" -tolerations: [] +tolerations: + [] # - key: "key1" # operator: "Equal" # value: "value1" diff --git a/tests/test-values.yml b/tests/test-values.yml index 26bab16..249fe80 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -1,8 +1,11 @@ istio: enabled: true +networkPolicies: + enabled: true + imagePullSecrets: -- name: private-registry-mil + - name: private-registry-mil console: persistence: -- GitLab From a27786b0ed6d2a0ed64e74b7b8e1f63708021ed8 Mon Sep 17 00:00:00 2001 From: jtcarnes Date: Tue, 25 May 2021 14:43:43 -0400 Subject: [PATCH 04/21] removed trailing enable --- chart/templates/network-policy/egress-default-deny.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/templates/network-policy/egress-default-deny.yml b/chart/templates/network-policy/egress-default-deny.yml index fc2ba34..b392143 100644 --- a/chart/templates/network-policy/egress-default-deny.yml +++ b/chart/templates/network-policy/egress-default-deny.yml @@ -1,4 +1,4 @@ -{{- if and .Values.networkPolicies.enabled }} +{{- if .Values.networkPolicies.enabled }} --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy -- GitLab From 0687af865b410778431f565931c278bc8caf9a50 Mon Sep 17 00:00:00 2001 From: jtcarnes Date: Tue, 25 May 2021 14:44:31 -0400 Subject: [PATCH 05/21] adding end new lines --- chart/templates/network-policy/egress-default-deny.yml | 2 +- chart/templates/network-policy/ingress-default-deny.yml | 2 +- chart/templates/network-policy/ingress-egress-istio.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/chart/templates/network-policy/egress-default-deny.yml b/chart/templates/network-policy/egress-default-deny.yml index b392143..fa33864 100644 --- a/chart/templates/network-policy/egress-default-deny.yml +++ b/chart/templates/network-policy/egress-default-deny.yml @@ -12,4 +12,4 @@ spec: egress: - to: - namespaceSelector: {} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/chart/templates/network-policy/ingress-default-deny.yml b/chart/templates/network-policy/ingress-default-deny.yml index adfdffc..968bdf2 100644 --- a/chart/templates/network-policy/ingress-default-deny.yml +++ b/chart/templates/network-policy/ingress-default-deny.yml @@ -9,4 +9,4 @@ spec: podSelector: {} policyTypes: - Ingress -{{- end }} \ No newline at end of file +{{- end }} diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml index 326610b..3e85bc3 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/network-policy/ingress-egress-istio.yml @@ -15,4 +15,4 @@ spec: - namespaceSelector: matchLabels: app.kubernetes.io/name: istio-controlplane -{{- end }} \ No newline at end of file +{{- end }} -- GitLab From 0378553de5c488b2d38b352f33ac61262cfd4b4c Mon Sep 17 00:00:00 2001 From: jtcarnes Date: Tue, 25 May 2021 15:04:29 -0400 Subject: [PATCH 06/21] add egress rule as well --- ...ess-default-deny.yml => egress-default-deny-external.yml} | 0 chart/templates/network-policy/ingress-egress-istio.yml | 5 +++++ 2 files changed, 5 insertions(+) rename chart/templates/network-policy/{egress-default-deny.yml => egress-default-deny-external.yml} (100%) diff --git a/chart/templates/network-policy/egress-default-deny.yml b/chart/templates/network-policy/egress-default-deny-external.yml similarity index 100% rename from chart/templates/network-policy/egress-default-deny.yml rename to chart/templates/network-policy/egress-default-deny-external.yml 
diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml index 3e85bc3..a3cd129 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/network-policy/ingress-egress-istio.yml @@ -15,4 +15,9 @@ spec: - namespaceSelector: matchLabels: app.kubernetes.io/name: istio-controlplane + egress: + - to: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane {{- end }} -- GitLab From d2495ca06317648c743f6f03e9b6384d00217ac4 Mon Sep 17 00:00:00 2001 From: jtcarnes Date: Tue, 25 May 2021 15:09:27 -0400 Subject: [PATCH 07/21] remove egress default deny --- .../egress-default-deny-external.yml | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/chart/templates/network-policy/egress-default-deny-external.yml b/chart/templates/network-policy/egress-default-deny-external.yml index fa33864..e69de29 100644 --- a/chart/templates/network-policy/egress-default-deny-external.yml +++ b/chart/templates/network-policy/egress-default-deny-external.yml @@ -1,15 +0,0 @@ -{{- if .Values.networkPolicies.enabled }} ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: default-deny-external-egress - namespace: "{{ .Release.Namespace }}" -spec: - podSelector: {} - policyTypes: - - Egress - egress: - - to: - - namespaceSelector: {} -{{- end }} -- GitLab From aa920c5ddbc79b9cb38652fcd6d01b6dd7c4685f Mon Sep 17 00:00:00 2001 From: jtcarnes Date: Tue, 25 May 2021 15:12:19 -0400 Subject: [PATCH 08/21] disabling default deny --- .../network-policy/ingress-default-deny.yml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/chart/templates/network-policy/ingress-default-deny.yml b/chart/templates/network-policy/ingress-default-deny.yml index 968bdf2..e69de29 100644 --- a/chart/templates/network-policy/ingress-default-deny.yml +++ b/chart/templates/network-policy/ingress-default-deny.yml 
@@ -1,12 +0,0 @@ -{{- if .Values.networkPolicies.enabled}} ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: default-deny-ingress - namespace: "{{ .Release.Namespace }}" -spec: - podSelector: {} - policyTypes: - - Ingress -{{- end }} -- GitLab From 0b1b2c67d50f015ff9a44012e689ea44cd8ca1d9 Mon Sep 17 00:00:00 2001 From: jtcarnes Date: Tue, 25 May 2021 15:15:34 -0400 Subject: [PATCH 09/21] removing all policies --- .../network-policy/ingress-egress-istio.yml | 23 ------------------- .../network-policy/ingress-monitoring.yml | 18 --------------- 2 files changed, 41 deletions(-) diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml index a3cd129..e69de29 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/network-policy/ingress-egress-istio.yml @@ -1,23 +0,0 @@ -{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }} ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: istio - namespace: "{{ .Release.Namespace }}" -spec: - podSelector: {} - policyTypes: - - Ingress - - Egress - ingress: - - from: - - namespaceSelector: - matchLabels: - app.kubernetes.io/name: istio-controlplane - egress: - - to: - - namespaceSelector: - matchLabels: - app.kubernetes.io/name: istio-controlplane -{{- end }} diff --git a/chart/templates/network-policy/ingress-monitoring.yml b/chart/templates/network-policy/ingress-monitoring.yml index b62034d..e69de29 100644 --- a/chart/templates/network-policy/ingress-monitoring.yml +++ b/chart/templates/network-policy/ingress-monitoring.yml 
@@ -1,18 +0,0 @@ -{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled }} ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-scraping - namespace: "{{ .Release.Namespace }}" -spec: - ingress: - - from: - - namespaceSelector: {} # all namespaces for now - ports: - - port: PROMETHEUS_PORT - protocol: TCP - podSelector: {} # all pods - policyTypes: - - Ingress -{{- end }} -- GitLab From cbc019efb7d9330dd2e10184c565bf718ad20694 Mon Sep 17 00:00:00 2001 From: jtcarnes Date: Tue, 25 May 2021 15:18:52 -0400 Subject: [PATCH 10/21] adding scraping --- .../network-policy/ingress-monitoring.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/chart/templates/network-policy/ingress-monitoring.yml b/chart/templates/network-policy/ingress-monitoring.yml index e69de29..0bc7274 100644 --- a/chart/templates/network-policy/ingress-monitoring.yml +++ b/chart/templates/network-policy/ingress-monitoring.yml @@ -0,0 +1,17 @@ +{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-scraping + namespace: "{{ .Release.Namespace }}" +spec: + ingress: + - from: + - namespaceSelector: {} # all namespaces for now + ports: + - port: PROMETHEUS_PORT + protocol: TCP + podSelector: {} # all pods + policyTypes: + - Ingress +{{- end }} -- GitLab From 9ed5bd272470cbf9831d2d6018913f014ff6b97a Mon Sep 17 00:00:00 2001 From: jtcarnes Date: Tue, 25 May 2021 15:23:41 -0400 Subject: [PATCH 11/21] adding istio policy back --- .../network-policy/ingress-egress-istio.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml index e69de29..7b53a25 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/network-policy/ingress-egress-istio.yml 
@@ -0,0 +1,22 @@ +{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istio + namespace: "{{ .Release.Namespace }}" +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + ingress: + - from: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane + egress: + - to: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane +{{- end }} \ No newline at end of file -- GitLab From f8549304d1da889b32c95018fa4a049f7c36fb24 Mon Sep 17 00:00:00 2001 From: jtcarnes Date: Tue, 25 May 2021 15:45:39 -0400 Subject: [PATCH 12/21] disable external --- .../egress-default-deny-external.yml | 14 ++++++++++++ .../network-policy/ingress-egress-istio.yml | 22 ------------------- 2 files changed, 14 insertions(+), 22 deletions(-) diff --git a/chart/templates/network-policy/egress-default-deny-external.yml b/chart/templates/network-policy/egress-default-deny-external.yml index e69de29..3eb7c4f 100644 --- a/chart/templates/network-policy/egress-default-deny-external.yml +++ b/chart/templates/network-policy/egress-default-deny-external.yml @@ -0,0 +1,14 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny-external-egress + namespace: "{{ .Release.Namespace }}" +spec: + podSelector: {} + policyTypes: + - Egress + egress: + - to: + - namespaceSelector: {} +{{- end }} \ No newline at end of file diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml index 7b53a25..e69de29 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/network-policy/ingress-egress-istio.yml 
@@ -1,22 +0,0 @@ -{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: istio - namespace: "{{ .Release.Namespace }}" -spec: - podSelector: {} - policyTypes: - - Ingress - - Egress - ingress: - - from: - - namespaceSelector: - matchLabels: - app.kubernetes.io/name: istio-controlplane - egress: - - to: - - namespaceSelector: - matchLabels: - app.kubernetes.io/name: istio-controlplane -{{- end }} \ No newline at end of file -- GitLab From 95fcd111fd488e7ed16bf519e392f7600567d14f Mon Sep 17 00:00:00 2001 From: jtcarnes Date: Tue, 25 May 2021 15:49:19 -0400 Subject: [PATCH 13/21] disable ingress --- .../network-policy/ingress-default-deny.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/chart/templates/network-policy/ingress-default-deny.yml b/chart/templates/network-policy/ingress-default-deny.yml index e69de29..54c9ad5 100644 --- a/chart/templates/network-policy/ingress-default-deny.yml +++ b/chart/templates/network-policy/ingress-default-deny.yml @@ -0,0 +1,12 @@ +{{- if .Values.networkPolicies.enabled}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny-ingress + namespace: "{{ .Release.Namespace }}" +spec: + podSelector: {} + ingress: [] + policyTypes: + - Ingress +{{- end }} \ No newline at end of file -- GitLab From 9b58ff7f64b98de6a9325bb11db6b577a7887051 Mon Sep 17 00:00:00 2001 From: jtcarnes Date: Tue, 25 May 2021 15:55:16 -0400 Subject: [PATCH 14/21] adding describe on twistlock --- .gitlab-ci.yml | 28 +++++++++++++++++-- .../network-policy/ingress-default-deny.yml | 12 -------- .../network-policy/ingress-egress-istio.yml | 22 +++++++++++++++ 3 files changed, 48 insertions(+), 14 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6e9f482..29feded 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
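Review bot: `{{- if .Values.networkPolicies.enabled}}` on the first line of the re-added ingress-default-deny.yml drops the space before `}}` that every other template in this series writes as `{{- if ... }}`, and the file is again written without a trailing newline, which patch 05 had fixed for this same file. Patch 16 re-adds the file byte-for-byte and the egress-default-deny-external.yml re-added in patch 12 has the same missing newline, so the point applies there too. Change the first line to `{{- if .Values.networkPolicies.enabled }}` and keep the EOF newline so the templates stay uniform.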
@@ -1,4 +1,28 @@ include: - - project: 'platform-one/big-bang/pipeline-templates/pipeline-templates' + - project: "platform-one/big-bang/pipeline-templates/pipeline-templates" ref: master - file: '/templates/package-tests.yml' + file: "/templates/package-tests.yml" + +package tests: + after_script: + - kubectl describe ns twistlock + - | + if [ -e success ]; then + echo "Job Succeeded" + else + echo "Job Failed Printing Debug Logs" + echo "kubectl get all -A" + kubectl get all -A + fi + # Fetch list of all images run + - docker exec -i k3d-${CI_JOB_ID}-server-0 crictl images -o json | jq -r '.images[].repoTags[0] | select(. != null)' > images.txt + # Remove istio and rancher upstream images + - sed -i '/docker.io\/istio\//d' images.txt + - sed -i '/docker.io\/rancher\//d' images.txt + - | + if [ -f tests/images.txt ]; then + cat tests/images.txt >> images.txt + fi + # Delete Cluster + - k3d cluster delete ${CI_JOB_ID} + - docker network rm ${CI_JOB_ID} diff --git a/chart/templates/network-policy/ingress-default-deny.yml b/chart/templates/network-policy/ingress-default-deny.yml index 54c9ad5..e69de29 100644 --- a/chart/templates/network-policy/ingress-default-deny.yml +++ b/chart/templates/network-policy/ingress-default-deny.yml @@ -1,12 +0,0 @@ -{{- if .Values.networkPolicies.enabled}} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: default-deny-ingress - namespace: "{{ .Release.Namespace }}" -spec: - podSelector: {} - ingress: [] - policyTypes: - - Ingress -{{- end }} \ No newline at end of file diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml index e69de29..80fb410 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/network-policy/ingress-egress-istio.yml 
@@ -0,0 +1,22 @@ +{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istio + namespace: "{{ .Release.Namespace }}" +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + ingress: + - from: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane + egress: + - to: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane +{{- end }} -- GitLab From a9b51b6ef89d1582dc55cb9fc4d34e772c88bcd8 Mon Sep 17 00:00:00 2001 From: jtcarnes Date: Tue, 25 May 2021 15:57:14 -0400 Subject: [PATCH 15/21] add istio system description --- .gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 29feded..7c64be6 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -6,6 +6,7 @@ include: package tests: after_script: - kubectl describe ns twistlock + - kubectl describe ns istio-system - | if [ -e success ]; then echo "Job Succeeded" -- GitLab From c2f6c28db7c41d5b44433f0cd64f57204e2a9190 Mon Sep 17 00:00:00 2001 From: jtcarnes Date: Tue, 25 May 2021 16:12:56 -0400 Subject: [PATCH 16/21] added policies back and disabled in pipeline --- .gitlab-ci.yml | 25 ------------------- .../network-policy/ingress-default-deny.yml | 12 +++++++++ tests/test-values.yml | 3 ++- 3 files changed, 14 insertions(+), 26 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7c64be6..a231cd5 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -2,28 +2,3 @@ include: - project: "platform-one/big-bang/pipeline-templates/pipeline-templates" ref: master file: "/templates/package-tests.yml" - -package tests: - after_script: - - kubectl describe ns twistlock - - kubectl describe ns istio-system - - | - if [ -e success ]; then - echo "Job Succeeded" - else - echo "Job Failed Printing Debug Logs" - echo "kubectl get all -A" - kubectl get all -A - fi - # Fetch list of all images run - - docker exec -i k3d-${CI_JOB_ID}-server-0 crictl images -o json | jq -r '.images[].repoTags[0] | select(. != null)' > images.txt - # Remove istio and rancher upstream images - - sed -i '/docker.io\/istio\//d' images.txt - - sed -i '/docker.io\/rancher\//d' images.txt - - | - if [ -f tests/images.txt ]; then - cat tests/images.txt >> images.txt - fi - # Delete Cluster - - k3d cluster delete ${CI_JOB_ID} - - docker network rm ${CI_JOB_ID} diff --git a/chart/templates/network-policy/ingress-default-deny.yml b/chart/templates/network-policy/ingress-default-deny.yml index e69de29..54c9ad5 100644 --- a/chart/templates/network-policy/ingress-default-deny.yml +++ b/chart/templates/network-policy/ingress-default-deny.yml @@ -0,0 +1,12 @@ +{{- if .Values.networkPolicies.enabled}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny-ingress + namespace: "{{ .Release.Namespace }}" +spec: + podSelector: {} + ingress: [] + policyTypes: + - Ingress +{{- end }} \ No newline at end of file diff --git a/tests/test-values.yml b/tests/test-values.yml index 249fe80..a97eff3 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -1,8 +1,9 @@ istio: enabled: true +# Later story to enable testing of network Policies networkPolicies: - enabled: true + enabled: false imagePullSecrets: - name: private-registry-mil -- GitLab From 72a9e60283b38a940a563afe73c341f2458178bc Mon Sep 17 00:00:00 2001 
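Review bot: Flipping `networkPolicies.enabled` to `false` in tests/test-values.yml (patch 17 then deletes the key, so the chart default of false applies) means the package-tests pipeline never renders or applies any NetworkPolicy template from this series. Problems such as the `PROMETHEUS_PORT` placeholder in ingress-monitoring.yml, or a deny rule that cuts the console off from DNS, therefore cannot surface in CI before a release is deployed with `networkPolicies.enabled: true`. Until the later story lands, a render-only step such as `helm template chart --set networkPolicies.enabled=true --set monitoring.enabled=true` in the pipeline would at least catch template errors, and the comment should reference where that story is tracked.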
From: jtcarnes Date: Tue, 25 May 2021 16:20:24 -0400 Subject: [PATCH 17/21] removed test values --- tests/test-values.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tests/test-values.yml b/tests/test-values.yml index a97eff3..2986adb 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -1,10 +1,6 @@ istio: enabled: true -# Later story to enable testing of network Policies -networkPolicies: - enabled: false - imagePullSecrets: - name: private-registry-mil -- GitLab From 3cff6ca745620d048feff11bc91a9e382376160b Mon Sep 17 00:00:00 2001 From: jtcarnes Date: Tue, 25 May 2021 16:22:27 -0400 Subject: [PATCH 18/21] deny all egress --- .../templates/network-policy/egress-default-deny-external.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/chart/templates/network-policy/egress-default-deny-external.yml b/chart/templates/network-policy/egress-default-deny-external.yml index 3eb7c4f..59ddf47 100644 --- a/chart/templates/network-policy/egress-default-deny-external.yml +++ b/chart/templates/network-policy/egress-default-deny-external.yml @@ -8,7 +8,5 @@ spec: podSelector: {} policyTypes: - Egress - egress: - - to: - - namespaceSelector: {} + egress: [] {{- end }} \ No newline at end of file -- GitLab From 0e6430b5504efaf52b58ab70b6654c7f515ffa9a Mon Sep 17 00:00:00 2001 From: jtcarnes Date: Tue, 25 May 2021 16:24:48 -0400 Subject: [PATCH 19/21] bump chart version --- chart/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 8f810a3..df56b60 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,4 +1,4 @@ apiVersion: v2 name: twistlock -version: 0.0.4-bb.0 +version: 0.0.4-bb.1 appVersion: 21.04.412 -- GitLab From 6f203cfdbe32c2ae93c6e5f3cc94ad99f0531442 Mon Sep 17 00:00:00 2001 
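Review bot: `egress: []` together with `podSelector: {}` now blocks all egress from every pod in the release namespace, not just external traffic, so the policy name `default-deny-external-egress` and the file name no longer describe the rule. Nothing in this series allows cluster DNS or the API server back in — the only egress allow is ingress-egress-istio.yml, which permits just the istio control-plane namespace and only when `istio.enabled` is true — so if the console needs name resolution or API access (not shown in the chart but usual), a rule such as `- to: [{namespaceSelector: {}}]` with `ports: [{port: 53, protocol: UDP}, {port: 53, protocol: TCP}]` is needed. If full egress isolation is the intent, rename the policy to say so and state in a header comment which traffic other policies are expected to re-allow.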
From: jtcarnes Date: Wed, 26 May 2021 08:37:01 -0400 Subject: [PATCH 20/21] restrict to just comms port --- .../templates/network-policy/ingress-all-ns.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 chart/templates/network-policy/ingress-all-ns.yml diff --git a/chart/templates/network-policy/ingress-all-ns.yml b/chart/templates/network-policy/ingress-all-ns.yml new file mode 100644 index 0000000..49f8bba --- /dev/null +++ b/chart/templates/network-policy/ingress-all-ns.yml @@ -0,0 +1,16 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-allow-cluster + namespace: "{{ .Release.Namespace }}" +spec: + ingress: + - from: + - namespaceSelector: {} # all namespaces for now + ports: + - port: 8084 # communications port + podSelector: {} # all pods + policyTypes: + - Ingress +{{- end }} -- GitLab From 7b225a3e35b6fe0da0bb36b7e3f997027b59a029 Mon Sep 17 00:00:00 2001 From: jtcarnes Date: Wed, 26 May 2021 10:23:17 -0400 Subject: [PATCH 21/21] bump version --- chart/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/Chart.yaml b/chart/Chart.yaml index df56b60..143e0cb 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,4 +1,4 @@ apiVersion: v2 name: twistlock -version: 0.0.4-bb.1 +version: 0.0.4-bb.2 appVersion: 21.04.412 -- GitLab
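Review bot: The `- port: 8084 # communications port` entry in ingress-all-ns.yml omits `protocol`, relying on the API default of TCP, while ingress-monitoring.yml spells `protocol: TCP` out; write it explicitly for consistency. The `namespaceSelector: {}` exposes 8084 on every pod in the namespace to every namespace in the cluster — if the only expected clients are components this chart deploys into the same namespace, a `podSelector` would be tighter, so the `# all namespaces for now` comment should say who is expected to connect and why namespace-wide access is needed. A short header comment saying what "communications port" refers to would make the intent greppable for the next reviewer.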