Bump Twistlock for defenders NP template & values
Package Owner Merge Request
Package Changes
- New networkPolicies.nodeCidr value in package to set CIDR notation for Kubernetes nodes (so Defenders' hostNetwork traffic can talk to the twistlock-console k8s service).
- New Network Policy resource to allow communication of Twistlock Defenders pods to the twistlock-console k8s service.
https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock/-/merge_requests/33
https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock/-/tags/0.0.9-bb.0
Additional Details
Probably need discussion around including a new BigBang-level value concerning the above package value networkPolicies.nodeCidr. The following private networks are allowed by default: "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", so there is a very small chance that someone would need to set the value.
Closes #721 (closed)
Activity
changed milestone to %1.17.0
added BB Customer Issues Big Bang Security priority4 statusdoing twistlock labels
added statusreview label and removed statusdoing label
- Resolved by Ryan Garcia
Setting the value would "technically" make things more secure since the default is open to 4 private ranges and their actual node IP range is likely to be a subset of just one of those, even if they don't need it and things work as is. The same is true with the controlPlaneCidr but it's more obvious there: if not set, the default is way bigger than what is likely needed.
I think exposing it as a BB value is probably smart just so that it's a clear option for people to provide (if we leave it as just a Twistlock passthrough no one will even know it's an option). I think it doesn't hurt to have, isn't too messy since we already have the controlPlaneCidr, and we may come across more packages needing this in the future. I think (`k get nodes -o wide`) the internal IP is what we want to cover by this, right?
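A defender-side check for the question raised in the comment above and for the nodeCidr default described under Additional Details. This is an added Python example, not Big Bang or Twistlock package code: it reads node InternalIPs from a constructed `kubectl get nodes -o json` sample, derives the tightest single CIDR that covers them, and flags a proposed nodeCidr that either misses a node or is no tighter than one of the package's default private ranges.

```python
"""Validate a proposed networkPolicies.nodeCidr against the cluster's node InternalIPs.

Added example (not project code). Node data is assumed to come from
`kubectl get nodes -o json`; the sample below is constructed for the demo.
"""
import ipaddress
import json

# The four private ranges the package allows when nodeCidr is left unset (per the MR).
DEFAULT_RANGES = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed sample of `kubectl get nodes -o json`, trimmed to the fields used here.
SAMPLE_NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": "node-a"},
     "status": {"addresses": [{"type": "InternalIP", "address": "10.20.1.10"},
                              {"type": "Hostname", "address": "node-a"}]}},
    {"metadata": {"name": "node-b"},
     "status": {"addresses": [{"type": "InternalIP", "address": "10.20.1.11"}]}},
    {"metadata": {"name": "node-c"},
     "status": {"addresses": [{"type": "InternalIP", "address": "10.20.2.7"}]}},
]})


def node_internal_ips(nodes_json: str) -> list:
    """Return the InternalIP of every node; these are the source addresses nodeCidr must cover."""
    ips = []
    for item in json.loads(nodes_json)["items"]:
        for addr in item["status"]["addresses"]:
            if addr["type"] == "InternalIP":
                ips.append(ipaddress.ip_address(addr["address"]))
    return ips


def tightest_node_cidr(ips: list):
    """Smallest single CIDR containing all node InternalIPs (a starting point for nodeCidr)."""
    lo, hi = min(ips), max(ips)
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:
        net = net.supernet()  # widen by one prefix bit until the highest IP fits
    return net


def check_node_cidr(candidate: str, ips: list) -> list:
    """Findings for a proposed nodeCidr: nodes it fails to cover, or a needlessly wide range."""
    net = ipaddress.ip_network(candidate, strict=False)
    findings = [f"node {ip} not covered by {net}" for ip in ips if ip not in net]
    if net in DEFAULT_RANGES:  # no tighter than what the policy already allows by default
        findings.append(f"{net} is one of the default private ranges; tighten it")
    return findings
```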
added 1 commit
- 19ce0281 - Update values.yaml with NPs.nodeCidr bigbang value
added 1 commit
- 3bfd75bc - Adding nodeCidr passthrough value for Twistlock package
requested review from @micah.nagel, @michaelmcleroy, and @runyontr