From f775a3a62f579849a1561c8fb0febf1aab97fef5 Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Thu, 27 May 2021 09:36:01 -0600 Subject: [PATCH 01/28] feat: Finalizing Network Policy layout --- .../templates/network-policy/ingress-egress-istio.yml | 11 ++++------- chart/templates/network-policy/ingress-monitoring.yml | 10 ++++++---- chart/values.yaml | 5 ++++- 3 files changed, 14 insertions(+), 12 deletions(-) diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml index 80fb410..e737e92 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/network-policy/ingress-egress-istio.yml @@ -2,21 +2,18 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: istio + name: istio-ingress namespace: "{{ .Release.Namespace }}" spec: podSelector: {} policyTypes: - Ingress - - Egress ingress: - from: - namespaceSelector: matchLabels: app.kubernetes.io/name: istio-controlplane - egress: - - to: - - namespaceSelector: - matchLabels: - app.kubernetes.io/name: istio-controlplane + podSelector: + matchLabels: + {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}} {{- end }} diff --git a/chart/templates/network-policy/ingress-monitoring.yml b/chart/templates/network-policy/ingress-monitoring.yml index 0bc7274..b8a2b34 100644 --- a/chart/templates/network-policy/ingress-monitoring.yml +++ b/chart/templates/network-policy/ingress-monitoring.yml @@ -7,10 +7,12 @@ metadata: spec: ingress: - from: - - namespaceSelector: {} # all namespaces for now - ports: - - port: PROMETHEUS_PORT - protocol: TCP + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: monitoring + podSelector: + matchLabels: + app: prometheus podSelector: {} # all pods policyTypes: - Ingress diff --git a/chart/values.yaml b/chart/values.yaml index 54266e5..0d3cb63 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
@@ -17,7 +17,10 @@ istio: - twistlock.{{ .Values.hostname }} networkPolicies: - enabled: false + enabled: true + ingressLabels: + app: istio-ingressgateway + istio: ingressgateway # imagePullSecrets defines the secrets to use when pulling the operator container image. imagePullSecrets: [] -- GitLab From e8d5f5753c50d582c0b2633d78a5bbae32fe4407 Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Thu, 27 May 2021 09:57:01 -0600 Subject: [PATCH 02/28] feat: Finalizing Network Policy layout 2 --- .../network-policy/ingress-egress-istio.yml | 14 +++++++------- .../network-policy/ingress-monitoring.yml | 16 +++++++++------- 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml index e737e92..e72f72a 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/network-policy/ingress-egress-istio.yml @@ -1,4 +1,4 @@ -{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }} +{{- if .Values.networkPolicies.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -10,10 +10,10 @@ spec: - Ingress ingress: - from: - - namespaceSelector: - matchLabels: - app.kubernetes.io/name: istio-controlplane - podSelector: - matchLabels: - {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}} + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane + podSelector: + matchLabels: + {{- toYaml .Values.networkPolicies.ingressLabels | nindent 12}} {{- end }} diff --git a/chart/templates/network-policy/ingress-monitoring.yml b/chart/templates/network-policy/ingress-monitoring.yml index b8a2b34..88478e6 100644 --- a/chart/templates/network-policy/ingress-monitoring.yml +++ b/chart/templates/network-policy/ingress-monitoring.yml 
@@ -1,4 +1,4 @@ -{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled }} +{{- if .Values.networkPolicies.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -7,12 +7,14 @@ metadata: spec: ingress: - from: - - namespaceSelector: - matchLabels: - app.kubernetes.io/name: monitoring - podSelector: - matchLabels: - app: prometheus + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: monitoring + podSelector: + matchLabels: + app: prometheus + ports: + - port: 8083 podSelector: {} # all pods policyTypes: - Ingress -- GitLab From 625ef4a604d651758cf5be36ed0bcabd800f7192 Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Thu, 27 May 2021 10:33:45 -0600 Subject: [PATCH 03/28] feat: Finalizing Network Policy layout for real --- chart/templates/network-policy/ingress-monitoring.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/chart/templates/network-policy/ingress-monitoring.yml b/chart/templates/network-policy/ingress-monitoring.yml index 88478e6..3c95802 100644 --- a/chart/templates/network-policy/ingress-monitoring.yml +++ b/chart/templates/network-policy/ingress-monitoring.yml @@ -14,8 +14,10 @@ spec: matchLabels: app: prometheus ports: - - port: 8083 - podSelector: {} # all pods + - port: 8081 + podSelector: + matchLabels: + name: twistlock-console policyTypes: - Ingress {{- end }} -- GitLab From a9a171e88d0a8baa46ada809d70e26ce2ba8cbc7 Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Thu, 27 May 2021 10:52:46 -0600 Subject: [PATCH 04/28] chore: Bumping chart version and changelog --- CHANGELOG.md | 12 ++++++++++++ chart/Chart.yaml | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2259d76..53140c9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
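Review bot: The `podSelector` this hunk adds to ingress-monitoring.yml keys on `name: twistlock-console`, while patch 10's hunk on ingress-egress-istio.yml selects the same console pod with `app: twistlock-console`; at most one of those keys can match the pod's actual labels, and a NetworkPolicy whose podSelector matches nothing simply never applies, so one of the two paths ends up either unprotected or silently unreachable. The console Deployment's labels are not visible in this series, so confirm them and use the same key in both templates, e.g. `app: twistlock-console` here to match patch 10. The same two hunks reappear verbatim in patches 14 and 21.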
@@ -4,6 +4,18 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [0.0.4-bb.3] - 2021-05-27 + +### Changed + +- Network policy resource Templates + +## [0.0.4-bb.2] - 2021-05-26 + +### Added + +- Network policy resource Templates + ## [0.0.4-bb.0] - 2021-05-12 ### Added diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 143e0cb..59ac82b 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,4 +1,4 @@ apiVersion: v2 name: twistlock -version: 0.0.4-bb.2 +version: 0.0.4-bb.3 appVersion: 21.04.412 -- GitLab From cd73d6493a558b505bc68f7cbbd97caa13e65175 Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Thu, 27 May 2021 11:16:37 -0600 Subject: [PATCH 05/28] feat: Finalizing Network Policy layout for real 2 --- chart/templates/network-policy/ingress-egress-istio.yml | 3 +++ chart/values.yaml | 2 +- tests/test-values.yml | 3 +++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml index e72f72a..c9b0fe5 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/network-policy/ingress-egress-istio.yml @@ -16,4 +16,7 @@ spec: podSelector: matchLabels: {{- toYaml .Values.networkPolicies.ingressLabels | nindent 12}} + ports: + - port: 8081 + - port: 8083 {{- end }} diff --git a/chart/values.yaml b/chart/values.yaml index 0d3cb63..1795bdd 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -17,7 +17,7 @@ istio: - twistlock.{{ .Values.hostname }} networkPolicies: - enabled: true + enabled: false ingressLabels: app: istio-ingressgateway istio: ingressgateway diff --git a/tests/test-values.yml b/tests/test-values.yml index 2986adb..d4e4ce8 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -1,6 +1,9 @@ istio: enabled: true +networkPolicies: + enabled: false + imagePullSecrets: - name: private-registry-mil -- GitLab 
From d067a9ac162dee1a1eaf9d3aa2c0cd1392f008f2 Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Thu, 27 May 2021 11:20:12 -0600 Subject: [PATCH 06/28] feat: Finalizing Network Policy layout for real 3 --- .../templates/network-policy/ingress-egress-istio.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml index c9b0fe5..aa7746a 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/network-policy/ingress-egress-istio.yml @@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: istio-ingress + name: istio-ingress-egress namespace: "{{ .Release.Namespace }}" spec: podSelector: {} @@ -19,4 +19,12 @@ spec: ports: - port: 8081 - port: 8083 + egress: + - to: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane + podSelector: + matchLabels: + istio: pilot {{- end }} -- GitLab From d11969a34046f5464442722f8c5d745ee8cb4e65 Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Thu, 27 May 2021 11:29:51 -0600 Subject: [PATCH 07/28] This 'll be it for sure --- chart/templates/network-policy/ingress-egress-istio.yml | 2 +- chart/templates/network-policy/ingress-monitoring.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml index aa7746a..2e25d40 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/network-policy/ingress-egress-istio.yml @@ -1,4 +1,4 @@ -{{- if .Values.networkPolicies.enabled }} +{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: diff --git a/chart/templates/network-policy/ingress-monitoring.yml b/chart/templates/network-policy/ingress-monitoring.yml index 3c95802..8f683c7 100644 
--- a/chart/templates/network-policy/ingress-monitoring.yml +++ b/chart/templates/network-policy/ingress-monitoring.yml @@ -1,4 +1,4 @@ -{{- if .Values.networkPolicies.enabled }} +{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: -- GitLab From acb80ed8f2ee5d4ae1a83d8161430185c2efb906 Mon Sep 17 00:00:00 2001 From: Ryan Garcia Date: Thu, 27 May 2021 17:32:00 +0000 Subject: [PATCH 08/28] Apply 1 suggestion(s) to 1 file(s) --- tests/test-values.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test-values.yml b/tests/test-values.yml index d4e4ce8..249fe80 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -2,7 +2,7 @@ istio: enabled: true networkPolicies: - enabled: false + enabled: true imagePullSecrets: - name: private-registry-mil -- GitLab From bcaba4d91aaf8e79de85cf739f3ecd0eec6702c4 Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Thu, 27 May 2021 15:24:18 -0600 Subject: [PATCH 09/28] This 'll be it for sure 2 --- .../templates/network-policy/ingress-egress-istio.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml index 2e25d40..11b09f4 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/network-policy/ingress-egress-istio.yml @@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: istio-ingress-egress + name: istio-ingress namespace: "{{ .Release.Namespace }}" spec: podSelector: {} @@ -19,12 +19,4 @@ spec: ports: - port: 8081 - port: 8083 - egress: - - to: - - namespaceSelector: - matchLabels: - app.kubernetes.io/name: istio-controlplane - podSelector: - matchLabels: - istio: pilot {{- end }} -- GitLab From 4498e834f57862eb5605c3dbd9c7045615318827 Mon Sep 17 00:00:00 2001 
From: "garcia.ryan" Date: Thu, 27 May 2021 15:25:20 -0600 Subject: [PATCH 10/28] This 'll be it for sure 3 --- chart/templates/network-policy/ingress-egress-istio.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml index 11b09f4..04b2f43 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/network-policy/ingress-egress-istio.yml @@ -5,7 +5,9 @@ metadata: name: istio-ingress namespace: "{{ .Release.Namespace }}" spec: - podSelector: {} + podSelector: + matchLabels: + app: twistlock-console policyTypes: - Ingress ingress: -- GitLab From e197503e0fc2ecea04b143ba34dd461a8c977826 Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Tue, 1 Jun 2021 08:30:33 -0600 Subject: [PATCH 11/28] feat: Finalizing NP template layout --- .../egress-default-deny-external.yml | 0 .../{network-policy => networkpolicies}/ingress-all-ns.yml | 0 .../ingress-default-deny.yml | 0 .../ingress-egress-istio.yml | 4 ++-- .../ingress-monitoring.yml | 0 5 files changed, 2 insertions(+), 2 deletions(-) rename chart/templates/{network-policy => networkpolicies}/egress-default-deny-external.yml (100%) rename chart/templates/{network-policy => networkpolicies}/ingress-all-ns.yml (100%) rename chart/templates/{network-policy => networkpolicies}/ingress-default-deny.yml (100%) rename chart/templates/{network-policy => networkpolicies}/ingress-egress-istio.yml (85%) rename chart/templates/{network-policy => networkpolicies}/ingress-monitoring.yml (100%) diff --git a/chart/templates/network-policy/egress-default-deny-external.yml b/chart/templates/networkpolicies/egress-default-deny-external.yml similarity index 100% rename from chart/templates/network-policy/egress-default-deny-external.yml rename to chart/templates/networkpolicies/egress-default-deny-external.yml 
diff --git a/chart/templates/network-policy/ingress-all-ns.yml b/chart/templates/networkpolicies/ingress-all-ns.yml similarity index 100% rename from chart/templates/network-policy/ingress-all-ns.yml rename to chart/templates/networkpolicies/ingress-all-ns.yml diff --git a/chart/templates/network-policy/ingress-default-deny.yml b/chart/templates/networkpolicies/ingress-default-deny.yml similarity index 100% rename from chart/templates/network-policy/ingress-default-deny.yml rename to chart/templates/networkpolicies/ingress-default-deny.yml diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/networkpolicies/ingress-egress-istio.yml similarity index 85% rename from chart/templates/network-policy/ingress-egress-istio.yml rename to chart/templates/networkpolicies/ingress-egress-istio.yml index 04b2f43..29b55a7 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/networkpolicies/ingress-egress-istio.yml @@ -19,6 +19,6 @@ spec: matchLabels: {{- toYaml .Values.networkPolicies.ingressLabels | nindent 12}} ports: - - port: 8081 - - port: 8083 + - port: 8081 #Default UI console Port + - port: 8083 #TLS configured UI console Port {{- end }} diff --git a/chart/templates/network-policy/ingress-monitoring.yml b/chart/templates/networkpolicies/ingress-monitoring.yml similarity index 100% rename from chart/templates/network-policy/ingress-monitoring.yml rename to chart/templates/networkpolicies/ingress-monitoring.yml -- GitLab From 8d2ea51ee6d9aa9dcbdce082093b511731a2745f Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Thu, 27 May 2021 09:36:01 -0600 Subject: [PATCH 12/28] feat: Finalizing Network Policy layout --- .../templates/network-policy/ingress-egress-istio.yml | 11 ++++------- chart/templates/network-policy/ingress-monitoring.yml | 10 ++++++---- chart/values.yaml | 5 ++++- 3 files changed, 14 insertions(+), 12 deletions(-) 
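Review bot: The two inline comments added on the `ports` entries run the text straight after the hash (`#Default UI console Port`, `#TLS configured UI console Port`); yamllint's `comments` rule wants a space after `#` and at least two spaces before an inline comment, so `- port: 8081  # Default UI console Port` and `- port: 8083  # TLS configured UI console Port`. The identical hunk appears again in patch 22.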
diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml index 80fb410..e737e92 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/network-policy/ingress-egress-istio.yml @@ -2,21 +2,18 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: istio + name: istio-ingress namespace: "{{ .Release.Namespace }}" spec: podSelector: {} policyTypes: - Ingress - - Egress ingress: - from: - namespaceSelector: matchLabels: app.kubernetes.io/name: istio-controlplane - egress: - - to: - - namespaceSelector: - matchLabels: - app.kubernetes.io/name: istio-controlplane + podSelector: + matchLabels: + {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}} {{- end }} diff --git a/chart/templates/network-policy/ingress-monitoring.yml b/chart/templates/network-policy/ingress-monitoring.yml index 0bc7274..b8a2b34 100644 --- a/chart/templates/network-policy/ingress-monitoring.yml +++ b/chart/templates/network-policy/ingress-monitoring.yml @@ -7,10 +7,12 @@ metadata: spec: ingress: - from: - - namespaceSelector: {} # all namespaces for now - ports: - - port: PROMETHEUS_PORT - protocol: TCP + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: monitoring + podSelector: + matchLabels: + app: prometheus podSelector: {} # all pods policyTypes: - Ingress diff --git a/chart/values.yaml b/chart/values.yaml index 54266e5..0d3cb63 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -17,7 +17,10 @@ istio: - twistlock.{{ .Values.hostname }} networkPolicies: - enabled: false + enabled: true + ingressLabels: + app: istio-ingressgateway + istio: ingressgateway # imagePullSecrets defines the secrets to use when pulling the operator container image. imagePullSecrets: [] -- GitLab From 9a21a798bd9de0ffe58e5daebaed3a85908fcadc Mon Sep 17 00:00:00 2001 
From: "garcia.ryan" Date: Thu, 27 May 2021 09:57:01 -0600 Subject: [PATCH 13/28] feat: Finalizing Network Policy layout 2 --- .../network-policy/ingress-egress-istio.yml | 14 +++++++------- .../network-policy/ingress-monitoring.yml | 16 +++++++++------- 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml index e737e92..e72f72a 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/network-policy/ingress-egress-istio.yml @@ -1,4 +1,4 @@ -{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }} +{{- if .Values.networkPolicies.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -10,10 +10,10 @@ spec: - Ingress ingress: - from: - - namespaceSelector: - matchLabels: - app.kubernetes.io/name: istio-controlplane - podSelector: - matchLabels: - {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}} + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane + podSelector: + matchLabels: + {{- toYaml .Values.networkPolicies.ingressLabels | nindent 12}} {{- end }} diff --git a/chart/templates/network-policy/ingress-monitoring.yml b/chart/templates/network-policy/ingress-monitoring.yml index b8a2b34..88478e6 100644 --- a/chart/templates/network-policy/ingress-monitoring.yml +++ b/chart/templates/network-policy/ingress-monitoring.yml @@ -1,4 +1,4 @@ -{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled }} +{{- if .Values.networkPolicies.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: 
@@ -7,12 +7,14 @@ metadata: spec: ingress: - from: - - namespaceSelector: - matchLabels: - app.kubernetes.io/name: monitoring - podSelector: - matchLabels: - app: prometheus + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: monitoring + podSelector: + matchLabels: + app: prometheus + ports: + - port: 8083 podSelector: {} # all pods policyTypes: - Ingress -- GitLab From db3f2a9a9186ea4ac9ee62fe95a7ff9bb7da463b Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Thu, 27 May 2021 10:33:45 -0600 Subject: [PATCH 14/28] feat: Finalizing Network Policy layout for real --- chart/templates/network-policy/ingress-monitoring.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/chart/templates/network-policy/ingress-monitoring.yml b/chart/templates/network-policy/ingress-monitoring.yml index 88478e6..3c95802 100644 --- a/chart/templates/network-policy/ingress-monitoring.yml +++ b/chart/templates/network-policy/ingress-monitoring.yml @@ -14,8 +14,10 @@ spec: matchLabels: app: prometheus ports: - - port: 8083 - podSelector: {} # all pods + - port: 8081 + podSelector: + matchLabels: + name: twistlock-console policyTypes: - Ingress {{- end }} -- GitLab From 43b03d40234ab3d35ab3126ad9ad58c659d84232 Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Thu, 27 May 2021 10:52:46 -0600 Subject: [PATCH 15/28] chore: Bumping chart version and changelog --- CHANGELOG.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2259d76..53140c9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,18 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [0.0.4-bb.3] - 2021-05-27 + +### Changed + +- Network policy resource Templates + +## [0.0.4-bb.2] - 2021-05-26 + +### Added + +- Network policy resource Templates + ## [0.0.4-bb.0] - 2021-05-12 ### Added -- GitLab From b87f2880c0da82a29fdf65ef89665a2f0f1d305f Mon Sep 17 00:00:00 2001 
From: "garcia.ryan" Date: Thu, 27 May 2021 11:16:37 -0600 Subject: [PATCH 16/28] feat: Finalizing Network Policy layout for real 2 --- chart/templates/network-policy/ingress-egress-istio.yml | 3 +++ chart/values.yaml | 2 +- tests/test-values.yml | 3 +++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml index e72f72a..c9b0fe5 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/network-policy/ingress-egress-istio.yml @@ -16,4 +16,7 @@ spec: podSelector: matchLabels: {{- toYaml .Values.networkPolicies.ingressLabels | nindent 12}} + ports: + - port: 8081 + - port: 8083 {{- end }} diff --git a/chart/values.yaml b/chart/values.yaml index 0d3cb63..1795bdd 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -17,7 +17,7 @@ istio: - twistlock.{{ .Values.hostname }} networkPolicies: - enabled: true + enabled: false ingressLabels: app: istio-ingressgateway istio: ingressgateway diff --git a/tests/test-values.yml b/tests/test-values.yml index 520f8ce..0a582d1 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -1,6 +1,9 @@ istio: enabled: true +networkPolicies: + enabled: false + imagePullSecrets: - name: private-registry-mil -- GitLab From b399f2866bc7bb08362fd7a9f8d31ca6f0614ded Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Thu, 27 May 2021 11:20:12 -0600 Subject: [PATCH 17/28] feat: Finalizing Network Policy layout for real 3 --- .../templates/network-policy/ingress-egress-istio.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml index c9b0fe5..aa7746a 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/network-policy/ingress-egress-istio.yml 
@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: istio-ingress + name: istio-ingress-egress namespace: "{{ .Release.Namespace }}" spec: podSelector: {} @@ -19,4 +19,12 @@ spec: ports: - port: 8081 - port: 8083 + egress: + - to: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane + podSelector: + matchLabels: + istio: pilot {{- end }} -- GitLab From ab296e6a2f847fc3b583a83cc3cb42252977966f Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Thu, 27 May 2021 11:29:51 -0600 Subject: [PATCH 18/28] This 'll be it for sure --- chart/templates/network-policy/ingress-egress-istio.yml | 2 +- chart/templates/network-policy/ingress-monitoring.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml index aa7746a..2e25d40 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/network-policy/ingress-egress-istio.yml @@ -1,4 +1,4 @@ -{{- if .Values.networkPolicies.enabled }} +{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: diff --git a/chart/templates/network-policy/ingress-monitoring.yml b/chart/templates/network-policy/ingress-monitoring.yml index 3c95802..8f683c7 100644 --- a/chart/templates/network-policy/ingress-monitoring.yml +++ b/chart/templates/network-policy/ingress-monitoring.yml @@ -1,4 +1,4 @@ -{{- if .Values.networkPolicies.enabled }} +{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: -- GitLab From 61614f553c155d7228cfb759101446995fe3dcdb Mon Sep 17 00:00:00 2001 
From: "garcia.ryan" Date: Thu, 27 May 2021 15:24:18 -0600 Subject: [PATCH 19/28] This 'll be it for sure 2 --- .../templates/network-policy/ingress-egress-istio.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml index 2e25d40..11b09f4 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/network-policy/ingress-egress-istio.yml @@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: istio-ingress-egress + name: istio-ingress namespace: "{{ .Release.Namespace }}" spec: podSelector: {} @@ -19,12 +19,4 @@ spec: ports: - port: 8081 - port: 8083 - egress: - - to: - - namespaceSelector: - matchLabels: - app.kubernetes.io/name: istio-controlplane - podSelector: - matchLabels: - istio: pilot {{- end }} -- GitLab From 0cb9f671005b388ad79edf0f698310d380a0112e Mon Sep 17 00:00:00 2001 From: Ryan Garcia Date: Thu, 27 May 2021 17:32:00 +0000 Subject: [PATCH 20/28] Apply 1 suggestion(s) to 1 file(s) --- tests/test-values.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test-values.yml b/tests/test-values.yml index 0a582d1..b0d2e56 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -2,7 +2,7 @@ istio: enabled: true networkPolicies: - enabled: false + enabled: true imagePullSecrets: - name: private-registry-mil -- GitLab From 16602f1f255b71ab8f7f91b5c8881d16d0956f41 Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Thu, 27 May 2021 15:25:20 -0600 Subject: [PATCH 21/28] This 'll be it for sure 3 --- chart/templates/network-policy/ingress-egress-istio.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/network-policy/ingress-egress-istio.yml index 11b09f4..04b2f43 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml 
+++ b/chart/templates/network-policy/ingress-egress-istio.yml @@ -5,7 +5,9 @@ metadata: name: istio-ingress namespace: "{{ .Release.Namespace }}" spec: - podSelector: {} + podSelector: + matchLabels: + app: twistlock-console policyTypes: - Ingress ingress: -- GitLab From c0eff170049e7a3be6a2a51b9ff04874826a8214 Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Tue, 1 Jun 2021 08:30:33 -0600 Subject: [PATCH 22/28] feat: Finalizing NP template layout --- .../egress-default-deny-external.yml | 0 .../{network-policy => networkpolicies}/ingress-all-ns.yml | 0 .../ingress-default-deny.yml | 0 .../ingress-egress-istio.yml | 4 ++-- .../ingress-monitoring.yml | 0 5 files changed, 2 insertions(+), 2 deletions(-) rename chart/templates/{network-policy => networkpolicies}/egress-default-deny-external.yml (100%) rename chart/templates/{network-policy => networkpolicies}/ingress-all-ns.yml (100%) rename chart/templates/{network-policy => networkpolicies}/ingress-default-deny.yml (100%) rename chart/templates/{network-policy => networkpolicies}/ingress-egress-istio.yml (85%) rename chart/templates/{network-policy => networkpolicies}/ingress-monitoring.yml (100%) diff --git a/chart/templates/network-policy/egress-default-deny-external.yml b/chart/templates/networkpolicies/egress-default-deny-external.yml similarity index 100% rename from chart/templates/network-policy/egress-default-deny-external.yml rename to chart/templates/networkpolicies/egress-default-deny-external.yml diff --git a/chart/templates/network-policy/ingress-all-ns.yml b/chart/templates/networkpolicies/ingress-all-ns.yml similarity index 100% rename from chart/templates/network-policy/ingress-all-ns.yml rename to chart/templates/networkpolicies/ingress-all-ns.yml 
diff --git a/chart/templates/network-policy/ingress-default-deny.yml b/chart/templates/networkpolicies/ingress-default-deny.yml similarity index 100% rename from chart/templates/network-policy/ingress-default-deny.yml rename to chart/templates/networkpolicies/ingress-default-deny.yml diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/networkpolicies/ingress-egress-istio.yml similarity index 85% rename from chart/templates/network-policy/ingress-egress-istio.yml rename to chart/templates/networkpolicies/ingress-egress-istio.yml index 04b2f43..29b55a7 100644 --- a/chart/templates/network-policy/ingress-egress-istio.yml +++ b/chart/templates/networkpolicies/ingress-egress-istio.yml @@ -19,6 +19,6 @@ spec: matchLabels: {{- toYaml .Values.networkPolicies.ingressLabels | nindent 12}} ports: - - port: 8081 - - port: 8083 + - port: 8081 #Default UI console Port + - port: 8083 #TLS configured UI console Port {{- end }} diff --git a/chart/templates/network-policy/ingress-monitoring.yml b/chart/templates/networkpolicies/ingress-monitoring.yml similarity index 100% rename from chart/templates/network-policy/ingress-monitoring.yml rename to chart/templates/networkpolicies/ingress-monitoring.yml -- GitLab From 16f7c12ab499b39f6240a6dacb0c6e1955f3f2a5 Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Tue, 1 Jun 2021 15:53:28 -0600 Subject: [PATCH 23/28] bumping chart version and populating CHANGELOG --- CHANGELOG.md | 12 +++++++++++- chart/Chart.yaml | 2 +- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 53140c9..e75fa64 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,12 +4,22 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- -## [0.0.4-bb.3] - 2021-05-27 +## [0.0.5-bb.0] - 2021-06-02 ### Changed - Network policy resource Templates +## [0.0.4-bb.3] - 2021-06-01 + +### Added + +- Gluon test library dependency + +### Changed + +- CI Test infrastructure. Migrating to helm tests with script capabilities. + ## [0.0.4-bb.2] - 2021-05-26 ### Added diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 571ee7b..f09518e 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: twistlock -version: 0.0.4-bb.3 +version: 0.0.5-bb.0 appVersion: 21.04.412 dependencies: - name: gluon -- GitLab From feda04a97ee60ce9c3f5174bf1269cfab7476190 Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Tue, 1 Jun 2021 16:10:35 -0600 Subject: [PATCH 24/28] feat: Allow ingress from namespace policy --- chart/templates/networkpolicies/ingress-all-ns.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/chart/templates/networkpolicies/ingress-all-ns.yml b/chart/templates/networkpolicies/ingress-all-ns.yml index 49f8bba..6e8a95a 100644 --- a/chart/templates/networkpolicies/ingress-all-ns.yml +++ b/chart/templates/networkpolicies/ingress-all-ns.yml @@ -2,14 +2,12 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: ingress-allow-cluster + name: ingress-allow-ns namespace: "{{ .Release.Namespace }}" spec: ingress: - from: - - namespaceSelector: {} # all namespaces for now - ports: - - port: 8084 # communications port + - podSelector: {} # all pods in namespace podSelector: {} # all pods policyTypes: - Ingress -- GitLab From e926acd16d5998b3eb1e3cda1d1a5d725adb3938 Mon Sep 17 00:00:00 2001 
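Review bot: The replacement rule `- podSelector: {}` in ingress-all-ns.yml drops the `ports:` list together with the namespaceSelector, so every pod in the release namespace can now reach every other pod on every port, whereas the removed rule allowed only port 8084. If the point of the rename to `ingress-allow-ns` is only to go from cluster-wide to namespace-local, keep the port restriction under the new peer: `- podSelector: {} # all pods in namespace`, then `ports:` / `- port: 8084 # communications port`. If all-ports intra-namespace traffic is deliberate, a one-line comment saying so would keep the next reader from re-narrowing it.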
From: "garcia.ryan"
Date: Tue, 1 Jun 2021 16:36:18 -0600
Subject: [PATCH 25/28] feat: Egress to kube-dns policy, renaming templates
---
.../networkpolicies/egress-kube-dns.yaml | 17 +++++++++++++++++
...tio.yml => ingress-istio-ingressgateway.yml} | 0
2 files changed, 17 insertions(+)
create mode 100644 chart/templates/networkpolicies/egress-kube-dns.yaml
rename chart/templates/networkpolicies/{ingress-egress-istio.yml => ingress-istio-ingressgateway.yml} (100%)
diff --git a/chart/templates/networkpolicies/egress-kube-dns.yaml b/chart/templates/networkpolicies/egress-kube-dns.yaml
new file mode 100644
index 0000000..7e7a35c
--- /dev/null
+++ b/chart/templates/networkpolicies/egress-kube-dns.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: egress-kube-dns
+ namespace: "{{ .Release.Namespace }}"
+spec:
+ egress:
+ - to:
+ - namespaceSelector: {} # all namespaces
+ ports:
+ - port: 53
+ protocol: UDP
+ podSelector: {} # all pods in Release namespace
+ policyTypes:
+ - Egress
+{{- end }}
diff --git a/chart/templates/networkpolicies/ingress-egress-istio.yml b/chart/templates/networkpolicies/ingress-istio-ingressgateway.yml
similarity index 100%
rename from chart/templates/networkpolicies/ingress-egress-istio.yml
rename to chart/templates/networkpolicies/ingress-istio-ingressgateway.yml
-- GitLab
From 7368050cc738309a344440402921082be10e96c1 Mon Sep 17 00:00:00 2001
From: "garcia.ryan"
Date: Tue, 1 Jun 2021 16:43:30 -0600
Subject: [PATCH 26/28] Allowing helm test pods egress to all namespaces
---
.../networkpolicies/helm-test-egress.yaml | 21 +++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 chart/templates/networkpolicies/helm-test-egress.yaml
diff --git a/chart/templates/networkpolicies/helm-test-egress.yaml b/chart/templates/networkpolicies/helm-test-egress.yaml
new file mode 100644
index 0000000..2364497
--- /dev/null
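Review bot: The new egress-kube-dns.yaml rule permits only UDP 53 (`protocol: UDP` under `ports`), so DNS queries that fall back to TCP — truncated responses, larger record sets — will be dropped once this Egress-type policy selects every pod in the namespace via `podSelector: {}`; add a second entry `- port: 53` / `protocol: TCP`. The `namespaceSelector: {}` peer also lets any pod reach port 53 in any namespace rather than only the cluster DNS; the usual shape is a namespaceSelector for the system namespace plus a podSelector on the DNS pods' label, which I cannot confirm from this series. Since patch 28's istiod-egress.yml likewise selects all pods with `policyTypes: - Egress`, this rule is what keeps name resolution working for them. Minor: the new file uses `.yaml` while its sibling templates use `.yml`.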
+++ b/chart/templates/networkpolicies/helm-test-egress.yaml
@@ -0,0 +1,21 @@
+{{- $bbtests := .Values.bbtests | default dict -}}
+{{- $cypress := $bbtests.cypress | default dict -}}
+{{- $enabled := (hasKey $bbtests "enabled") -}}
+{{- $artifacts := (hasKey $cypress "artifacts") -}}
+{{- if and $enabled $artifacts }}
+{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled .Values.bbtests.cypress.artifacts }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-helm-test-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ helm-test: enabled
+ policyTypes:
+ - Egress
+ egress:
+ - {}
+{{- end }}
+{{- end }}
-- GitLab
From e6e22019517b6444863ea05318b3e6c914fb5070 Mon Sep 17 00:00:00 2001
From: "garcia.ryan"
Date: Thu, 3 Jun 2021 08:38:09 -0600
Subject: [PATCH 27/28] Finalizing naming of templates
---
.../networkpolicies/{ingress-all-ns.yml => ingress-allow-ns.yml} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename chart/templates/networkpolicies/{ingress-all-ns.yml => ingress-allow-ns.yml} (100%)
diff --git a/chart/templates/networkpolicies/ingress-all-ns.yml b/chart/templates/networkpolicies/ingress-allow-ns.yml
similarity index 100%
rename from chart/templates/networkpolicies/ingress-all-ns.yml
rename to chart/templates/networkpolicies/ingress-allow-ns.yml
-- GitLab
From 91b6f1dcf9e807babfaf908643fdf52ea70e1e09 Mon Sep 17 00:00:00 2001
From: "garcia.ryan"
Date: Thu, 3 Jun 2021 09:46:52 -0600
Subject: [PATCH 28/28] Adding istio-egress policy for future istio-injection
---
.../networkpolicies/istiod-egress.yml | 21 +++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 chart/templates/networkpolicies/istiod-egress.yml
diff --git a/chart/templates/networkpolicies/istiod-egress.yml b/chart/templates/networkpolicies/istiod-egress.yml
new file mode 100644
index 0000000..f5d9665
--- /dev/null
+++ b/chart/templates/networkpolicies/istiod-egress.yml
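Review bot: `egress:` / `- {}` in helm-test-egress.yaml is an unrestricted rule — the selected pods may reach any destination inside or outside the cluster on any port — which is broader than the subject line's "egress to all namespaces"; if only in-cluster namespaces are meant, write `- to:` / `- namespaceSelector: {}` instead. The policy applies to any pod carrying `helm-test: enabled`, not only the chart's own test pods, so that label effectively becomes an egress bypass for this namespace; a comment above `podSelector` stating that would help whoever labels pods later. Separately, `namespace: {{ .Release.Namespace }}` is unquoted here and in patch 28's istiod-egress.yml, while every earlier template in the series writes `namespace: "{{ .Release.Namespace }}"`.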
@@ -0,0 +1,21 @@
+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-istiod-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: istio-controlplane
+ podSelector:
+ matchLabels:
+ app: istiod
+ ports:
+ - port: 15012
+{{- end }}
\ No newline at end of file
-- GitLab
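Review bot: With `podSelector: {}` and `policyTypes: - Egress`, istiod-egress.yml puts every pod in the release namespace under egress enforcement as soon as `istio.enabled` is true, so any destination not covered by this rule or another Egress policy (kube-dns from patch 25, the helm-test rule from patch 26) is dropped — the subject calls this "future" istio-injection, but the effect is immediate unless egress-default-deny-external.yml (not shown here) already selects all pods. If that is intended, a comment above `podSelector` saying the policy is deliberately namespace-wide would make it clear. The file also lacks a trailing newline (`\ No newline at end of file`), which yamllint and most formatters will flag.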