UNCLASSIFIED - NO CUI

Egress NetworkPolicies missing for Redis in HA Authservice

Bug

Description

When using HA Authservice with Redis, there is no NetworkPolicy allowing egress from the Redis pods, so their Istio sidecars fail because they cannot reach Istio for their configuration.

To reproduce:

  1. Deploy BigBang v1.9.1
  2. Check logs on Redis slaves
  3. Cycling Redis slave pods will cause them to remain unhealthy

BigBang Version

1.9.1

Proposed Solutions

  1. Document in the release notes that the kube-system namespace needs to be labeled with name=kube-system.

  2. Apply the following NetworkPolicies in the authservice namespace when HA is enabled:

# Allow the Redis pods to resolve DNS via kube-dns in kube-system.
# Requires the kube-system namespace to carry the label name=kube-system
# (see proposed solution 1). DNS falls back to TCP for large responses,
# so TCP/53 is allowed alongside UDP/53.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-redis-to-dns
  namespace: authservice
spec:
  podSelector:
    matchLabels:
      app: redis-bb
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
---
# Allow the Istio sidecars on the Redis pods to fetch their configuration
# from istiod. namespaceSelector and podSelector sit in ONE peer entry so
# they are ANDed (istiod pods in the control-plane namespace). Written as
# two separate entries they would be ORed, and a bare podSelector only
# matches pods in the policy's own namespace (authservice), so the result
# would have been "any pod in the istio namespace, any port".
# 15012 is the istiod xDS/mTLS port the sidecars connect to.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-redis-to-istiod
  namespace: authservice
spec:
  podSelector:
    matchLabels:
      app: redis-bb
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          app.kubernetes.io/name: istio-controlplane
      podSelector:
        matchLabels:
          app: istiod
    ports:
    - port: 15012
      protocol: TCP
---
# Allow the Redis pods to reach each other (replication, and sentinel if
# used) within the authservice namespace. Same peer structure as above:
# namespaceSelector and podSelector combined in a single entry. Ports are
# left open here; tighten to 6379 (and 26379 for Sentinel) if desired.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-redis-internal
  namespace: authservice
spec:
  podSelector:
    matchLabels:
      app: redis-bb
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          app.kubernetes.io/name: authservice
      podSelector:
        matchLabels:
          app: redis-bb
Edited by adam.toy
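As an added example (not part of this issue or of the BigBang project), a small Python lint that takes a NetworkPolicy as a parsed dict and flags the pitfalls the proposed egress policies are exposed to: peers listed as separate `to` entries are ORed rather than ANDed, a bare podSelector only matches pods in the policy's own namespace, a rule without `ports` allows every port, and Egress in policyTypes with no rules is a full egress deny (the situation the issue describes). The sample policies are constructed inline to mirror the allow-redis-to-istiod policy above; the istiod port 15012 is an assumption about the Istio control plane, not something the issue states.

```python
"""Lint Kubernetes NetworkPolicy egress rules for peer-combination pitfalls.

Constructed example for this issue; not BigBang project code.
"""
from typing import Any, Dict, List, Optional, Tuple

Finding = Tuple[str, str]  # (code, human-readable message)


def analyze_egress(policy: Dict[str, Any]) -> List[Finding]:
    """Return findings for one NetworkPolicy given as a parsed dict."""
    findings: List[Finding] = []
    meta = policy.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    ns = meta.get("namespace", "default")
    spec = policy.get("spec", {})
    rules = spec.get("egress", [])

    # policyTypes defaults to Ingress, plus Egress only when egress rules exist.
    policy_types = spec.get("policyTypes")
    if policy_types is None:
        policy_types = ["Ingress"] + (["Egress"] if rules else [])
    if "Egress" not in policy_types:
        if rules:
            findings.append(("EGRESS_RULES_IGNORED",
                             f"{name}: egress rules present but policyTypes lacks Egress"))
        return findings
    if not rules:
        findings.append(("DENY_ALL_EGRESS",
                         f"{name}: Egress in policyTypes with no rules denies all egress"))
        return findings

    for i, rule in enumerate(rules):
        peers = rule.get("to") or []
        if not peers:
            findings.append(("ALL_DESTINATIONS",
                             f"{name}: rule {i} has no 'to' peers, every destination allowed"))
        # Separate entries under 'to' are ORed; selectors inside one entry are ANDed.
        if len(peers) > 1:
            findings.append(("ORED_PEERS",
                             f"{name}: rule {i} lists {len(peers)} peers; they are ORed, not ANDed"))
        for j, peer in enumerate(peers):
            has_ns = "namespaceSelector" in peer
            has_pod = "podSelector" in peer
            has_ip = "ipBlock" in peer
            if has_ip and (has_ns or has_pod):
                findings.append(("INVALID_PEER",
                                 f"{name}: rule {i} peer {j} mixes ipBlock with selectors"))
                continue
            if has_pod and not has_ns:
                findings.append(("BARE_POD_SELECTOR",
                                 f"{name}: rule {i} peer {j} only matches pods in namespace '{ns}'"))
            elif has_ns and not has_pod:
                findings.append(("WHOLE_NAMESPACE",
                                 f"{name}: rule {i} peer {j} allows every pod in the selected namespace(s)"))
        if not rule.get("ports"):
            findings.append(("ALL_PORTS",
                             f"{name}: rule {i} has no 'ports', all ports allowed"))
    return findings


def make_policy(name: str, peers: List[Dict[str, Any]],
                ports: Optional[List[Dict[str, Any]]] = None) -> Dict[str, Any]:
    """Build an egress NetworkPolicy for the Redis pods (constructed sample)."""
    rule: Dict[str, Any] = {"to": peers}
    if ports:
        rule["ports"] = ports
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": "authservice"},
        "spec": {
            "podSelector": {"matchLabels": {"app": "redis-bb"}},
            "policyTypes": ["Egress"],
            "egress": [rule],
        },
    }


ISTIOD_NS = {"namespaceSelector": {"matchLabels": {"app.kubernetes.io/name": "istio-controlplane"}}}
ISTIOD_POD = {"podSelector": {"matchLabels": {"app": "istiod"}}}

# Two separate peers: whole istio namespace OR (non-existent) app=istiod pods
# in authservice, on every port.
BROKEN = make_policy("allow-redis-to-istiod", [ISTIOD_NS, ISTIOD_POD])
# One peer combining both selectors, limited to the assumed istiod xDS port 15012.
FIXED = make_policy("allow-redis-to-istiod", [{**ISTIOD_NS, **ISTIOD_POD}],
                    [{"port": 15012, "protocol": "TCP"}])

if __name__ == "__main__":
    for label, pol in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, analyze_egress(pol) or "no findings")
```

Feed the lint a policy loaded from the cluster or a manifest (for example via PyYAML's safe_load) before applying it; the WHOLE_NAMESPACE finding on a DNS policy is a prompt to add a podSelector for kube-dns rather than an error.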