HOSTEDCP-1064: Add egress policy for private-router #2792
@muraee: This pull request references HOSTEDCP-1064 which is a valid jira issue. In response to this:
/retest-required
/test e2e-kubevirt-aws-ovn
can we please add a t.run("EnsureEgressTrafficForPrivateRouter") within hypershift/test/e2e/util/util.go Lines 823 to 831 in 5f604fb
lgtm otherwise
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: enxebre, muraee
} | ||
|
||
// Allow to any destination not on the management cluster service network | ||
policy.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{ |
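Review bot: The comment above policy.Spec.Egress describes the rule only by what it excludes ("any destination not on the management cluster service network"), so a reader cannot tell from it which destinations the private router is meant to reach. Consider extending the comment to name where the excluded service network range comes from and to state that every other destination is allowed by this rule, so the intended scope can be checked against the rule body.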
Should we cover IPv6 also in this PR? Could be done in a follow-up one? Same as we do in
if len(ipv6CIDRs) > 0 {
I would rather we merged this as it is now, because it is needed for the ROSA security hardening epic.
We can have a follow-up for disconnected/ipv6 if it is needed
/lgtm
@muraee: all tests passed!
What this PR does / why we need it:
The private router should only be able to use the pod network to contact considered request serving components.
Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #HOSTEDCP-1064