Add Networkpolicies for istio-system #6826
Conversation
Skipping CI for Draft Pull Request.
allow-to-seed-apiserver in namespace istio-system.
06c29b4 to f5876a9
/lgtm
Please check the multi-az tests and clarify my questions.
pkg/operation/botanist/component/istio/charts/istio/istio-istiod/templates/deployment.yaml
* Add namespace selectors for networkpolicies.
* Change format in deployment chart.
* Use constant for string "monitoring"
26a0a16 to dbf9a6e
Networkpolicies for istio-system
/test pull-gardener-e2e-kind-ha-single-zone
I have only 1 inline comment. Otherwise lgtm.
Overall looks good, but please add the missing comment for the exported constant.
/lgtm
Add constant for "vpn-shoot".
Add description to the "allow-to-shoot-vpn-seed-server" policy.
226e70a to 164ddb1
cc @plkokanov, this seems to be close to being merged. Can we add it to the v1.58 milestone?
/milestone v1.58
/lgtm
/approve
/lgtm
@axel7born: The following tests failed, say
Full PR test history. Your PR dashboard. Command help for this repository. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
@axel7born, can you run
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: DockToFuture, ialidzhikov, ScheererJ. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
How to categorize this PR?
/area networking
/kind enhancement
What this PR does / why we need it:
Provide strict network policies for the istio-system so that it can only establish network connectivity to the endpoints that it is configured to reach inside the cluster and the seed api-server.
This is a second line of defence in case of a bug or misconfiguration of istio.
Which issue(s) this PR fixes:
None
Special notes for your reviewer:
Release note:
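As an added illustration (not the PR's chart templates), the kind of policy set the description above calls for: a default-deny baseline for istio-system, a narrow egress allow towards the seed API server, and an ingress allow scoped by namespace selector for the monitoring namespace. The istiod pod label, the API server address and port, and the metrics port are assumptions.

```yaml
# Default-deny baseline for every pod in istio-system (added example, not the PR's chart).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: istio-system
spec:
  podSelector: {}                  # selects all pods in the namespace
  policyTypes: [Ingress, Egress]   # listed with no rules: both directions denied
---
# Narrow egress allow towards the seed kube-apiserver; address and port are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-to-seed-apiserver
  namespace: istio-system
spec:
  podSelector:
    matchLabels:
      app: istiod                  # assumed istiod pod label
  policyTypes: [Egress]
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.1/32          # placeholder for the seed API server endpoint
    ports:
    - protocol: TCP
      port: 443                    # assumed API server port
---
# Ingress allow scoped by namespaceSelector, as the PR does for the monitoring namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-monitoring
  namespace: istio-system
spec:
  podSelector:
    matchLabels:
      app: istiod                  # assumed istiod pod label
  policyTypes: [Ingress]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: monitoring   # standard namespace name label
    ports:
    - protocol: TCP
      port: 15014                  # assumed istiod metrics port
```

Because the baseline denies all egress, name resolution from istio-system needs its own allow rule towards the cluster DNS pods (UDP/TCP 53), otherwise istiod cannot resolve the service names it is configured to reach.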