
Add Networkpolicys for istio-system #6826

Merged: 9 commits, Oct 19, 2022

Conversation

axel7born
Contributor

How to categorize this PR?

/area networking
/kind enhancement

What this PR does / why we need it:
Provide strict network policies for the istio-system so that it can only establish network connectivity to the endpoints that it is configured to reach inside the cluster and the seed api-server.
This is a second line of defence in case of a bug or misconfiguration of istio.

Which issue(s) this PR fixes:
None

Special notes for your reviewer:

Release note:

Deploy network policies to namespace istio-system to only allow traffic to configured endpoints inside the cluster and the seed api-server.
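To make the intent of the description concrete, here is an illustrative set of plain Kubernetes NetworkPolicy manifests added for this page; they are not the manifests from this PR, and the seed API server address and the label keys used for the in-cluster targets are placeholders.

```yaml
# Illustrative manifests added here; not the ones from gardener PR #6826.
# Placeholders to adapt: the seed API server is assumed reachable at
# 203.0.113.10/32 on TCP 443; in-cluster targets are assumed to carry the
# label example.com/istio-egress-target: "true" in labelled namespaces.
---
# Default deny: every pod selected, Egress type declared, no egress rules.
# Without this the allow policies below change nothing (policies are additive).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
  namespace: istio-system
spec:
  podSelector: {}
  policyTypes: [Egress]
---
# Allow egress to the seed API server only (policy name from the PR thread).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-to-seed-apiserver
  namespace: istio-system
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
  - to:
    - ipBlock:
        cidr: 203.0.113.10/32   # placeholder seed API server endpoint
    ports:
    - {protocol: TCP, port: 443}
---
# Allow egress to configured in-cluster endpoints. namespaceSelector and
# podSelector inside one "to" entry are ANDed; as two separate entries they
# would be ORed and admit every pod in the matching namespaces.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-to-configured-endpoints
  namespace: istio-system
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
  - to:
    - namespaceSelector:
        matchLabels: {example.com/istio-egress-namespace: "true"}
      podSelector:
        matchLabels: {example.com/istio-egress-target: "true"}
```

With the deny-all policy in place, every other dependency of the namespace (DNS, for instance) needs its own allow policy, so a forgotten rule fails closed rather than open.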

@gardener-prow
Contributor

gardener-prow bot commented Oct 13, 2022

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@gardener-prow gardener-prow bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. area/networking Networking related kind/enhancement Enhancement, improvement, extension labels Oct 13, 2022
@gardener-prow gardener-prow bot added cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Oct 13, 2022
@axel7born axel7born marked this pull request as ready for review October 13, 2022 08:42
@gardener-prow gardener-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 13, 2022
allow-to-seed-apiserver in namespace istio-system.
Member

@DockToFuture DockToFuture left a comment


/lgtm

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Oct 13, 2022
@gardener-prow gardener-prow bot removed the lgtm Indicates that a PR is ready to be merged. label Oct 13, 2022
Contributor

@ScheererJ ScheererJ left a comment


Please check the multi-az tests and clarify my questions.

* Add namespace selectors for networkpolicies.
* Change format in deployment chart.
* Use constant for string "monitoring"
@rfranzke rfranzke changed the title from "Add networkpolicies for istio-system" to "Add Networkpolicys for istio-system" Oct 18, 2022
@axel7born
Contributor Author

/test pull-gardener-e2e-kind-ha-single-zone

Member

@ialidzhikov ialidzhikov left a comment


I have only 1 inline comment. Otherwise lgtm.

@ialidzhikov ialidzhikov self-assigned this Oct 18, 2022
Contributor

@ScheererJ ScheererJ left a comment


Overall looks good, but please add the missing comment for the exported constant.

/lgtm

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Oct 19, 2022
Add constant for "vpn-shoot"
Add description to the "allow-to-shoot-vpn-seed-server" policy.
@gardener-prow gardener-prow bot removed the lgtm Indicates that a PR is ready to be merged. label Oct 19, 2022
Member

@rfranzke rfranzke left a comment


cc @plkokanov, this seems to be close to being merged. Can we add it to the v1.58 milestone?

@plkokanov
Contributor

/milestone v1.58

@gardener-prow gardener-prow bot added this to the v1.58 milestone Oct 19, 2022
Contributor

@ScheererJ ScheererJ left a comment


/lgtm
/approve

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Oct 19, 2022
@gardener-prow gardener-prow bot removed the lgtm Indicates that a PR is ready to be merged. label Oct 19, 2022
Contributor

@ScheererJ ScheererJ left a comment


/lgtm

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Oct 19, 2022
@gardener-prow
Contributor

gardener-prow bot commented Oct 19, 2022

@axel7born: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
pull-dependency-watchdog-verify-image-build | 4377d31 | link | true | /test pull-dependency-watchdog-verify-image-build
pull-gardener-check-vulnerabilities | dbf9a6e | link | false | /test pull-gardener-check-vulnerabilities

Full PR test history. Your PR dashboard. Command help for this repository.
Please help us cut down on flakes by linking this test failure to an open flake report or filing a new flake report if you can't find an existing one. Also see our testing guideline for how to avoid and hunt flakes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@ialidzhikov
Member

@axel7born , can you run make format to fix the failing pull-gardener-unit test?

@gardener-prow gardener-prow bot removed the lgtm Indicates that a PR is ready to be merged. label Oct 19, 2022
Member

@ialidzhikov ialidzhikov left a comment


/lgtm
/approve

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Oct 19, 2022
@gardener-prow
Contributor

gardener-prow bot commented Oct 19, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: DockToFuture, ialidzhikov, ScheererJ

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow gardener-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 19, 2022
@gardener-prow gardener-prow bot merged commit fa40f49 into gardener:master Oct 19, 2022
@axel7born axel7born deleted the istiod-networkpolicies branch August 21, 2023 12:20

6 participants