OSDOCS-16585 created doc for config network policy for operand #100980
🤖 Wed Oct 29 14:22:43 - Prow CI generated the docs preview:
bharath-b-rh left a comment
LGTM, except for a couple of nits.
@siddhibhor-56 Could you please validate the suggestions made.
Quoted lines from the doc:

```yaml
apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
metadata:
  name: cluster
spec:
  networkPolicies:
  - name: allow-external-secrets-egress
    componentName: CoreController
    policyTypes:
    - Egress
    egress: # Allow all egress traffic
```

Suggested change (replacing the quoted lines):

```yaml
apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
metadata:
  name: cluster
spec:
  controllerConfig:
    networkPolicies:
    - name: allow-external-secrets-egress
      componentName: ExternalSecretsCoreController
      egress: # Allow all egress traffic
```
Done
Quoted lines from the doc:

```asciidoc
$ oc edit externalsecretsconfigs.operator.openshift.io cluster
----

. Set the policy by editing the `networkPolicies` section. The following example shows how to allow egress to {aws-first} endpoints, the Kubernetes API server, and the Domain Name Service (DNS).
```

Suggested change (replacing the last quoted line):

```asciidoc
. Set the policy by editing the `networkPolicies` section. The following example shows how to allow egress to {aws-first} endpoints.
```
Done
Quoted lines from the doc:

```yaml
apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
metadata:
  labels:
    app.kubernetes.io/name: cluster
    app.kubernetes.io/managed-by: external-secrets-operator-e2e
  name: cluster
spec:
  controllerConfig:
    networkPolicies:
    - name: allow-external-secrets-egress
      componentName: ExternalSecretsCoreController
      egress:
      # Allow egress to Kubernetes API server, AWS endpoints, and DNS
      - to: []
        ports:
        - protocol: TCP
          port: 6443 # Kubernetes API
        - protocol: TCP
          port: 443 # HTTPS (AWS Secrets Manager)
```

Suggested change (replacing the quoted lines):

```yaml
apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
metadata:
  labels:
    app.kubernetes.io/name: cluster
    app.kubernetes.io/managed-by: external-secrets-operator-e2e
  name: cluster
spec:
  controllerConfig:
    networkPolicies:
    - componentName: ExternalSecretsCoreController
      egress:
      - ports:
        - port: 443 # HTTPS (AWS Secrets Manager)
          protocol: TCP
      name: allow-external-secrets-egress
```
We need to add the DNS port for both TCP and UDP:

```yaml
- protocol: TCP
  port: 5353 # DNS
- protocol: UDP
  port: 5353 # DNS
```
It's now added by default correct, why does user need to include it here?
Oh yes, correct. Added by default, no need to include.
Done
Quoted lines from the doc:

```asciidoc
componentName:: name for the core controller specified as `ExternalSecretsCoreController`.

Egress rules must include the necessary ports, such as Transmission Control Protocol (TCP) port 6443 for the Kubernetes API and TCP port 443 (HTTPS) for services like the {aws-short} Secrets Manager.
```

Suggested change (replacing the last quoted line):

```asciidoc
Egress rules must include the necessary ports, such as Transmission Control Protocol (TCP) 443 (HTTPS) for services like the {aws-short} Secrets Manager.
```
Done
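The sentence under review says the egress rules "must include the necessary ports". The checker below is an added example for this thread, not code from the operator or from the OpenShift docs; it makes that requirement testable against a live cluster. It takes the JSON form of the resource (what `oc get externalsecretsconfigs.operator.openshift.io cluster -o json` prints), collects the egress rules bound to the `ExternalSecretsCoreController` component, and reports which required `(protocol, port)` pairs no rule allows. The field path `spec.controllerConfig.networkPolicies[].egress[]` is taken from the doc; evaluating each egress entry with Kubernetes `NetworkPolicyEgressRule` semantics (absent or empty `to` and `ports` match everything, `protocol` defaults to TCP, `endPort` forms a range, a named port cannot be resolved offline) is an assumption, and the sample manifest is constructed for the example.

```python
"""Check ExternalSecretsConfig egress rules for required provider ports.

Added example; not part of the external-secrets operator or its docs.
Assumes the JSON form of the CR as printed by
`oc get externalsecretsconfigs.operator.openshift.io cluster -o json`
and NetworkPolicyEgressRule semantics for each egress entry.
"""
import json

COMPONENT = "ExternalSecretsCoreController"

# Constructed sample: only TCP/443 is opened, as in the doc's final example.
SAMPLE_CONFIG = json.loads("""
{
  "apiVersion": "operator.openshift.io/v1alpha1",
  "kind": "ExternalSecretsConfig",
  "metadata": {"name": "cluster"},
  "spec": {
    "controllerConfig": {
      "networkPolicies": [
        {
          "name": "allow-external-secrets-egress",
          "componentName": "ExternalSecretsCoreController",
          "egress": [
            {"ports": [{"protocol": "TCP", "port": 443}]}
          ]
        }
      ]
    }
  }
}
""")


def rules_for_component(config, component=COMPONENT):
    """Egress rules of every policy whose componentName matches."""
    policies = (config.get("spec", {})
                      .get("controllerConfig", {})
                      .get("networkPolicies", []))
    return [rule for pol in policies if pol.get("componentName") == component
            for rule in pol.get("egress", [])]


def port_matches(entry, protocol, port):
    """NetworkPolicyPort semantics (assumed): protocol defaults to TCP; a
    missing port means every port of that protocol; port..endPort is a
    range; a named (string) port cannot be resolved here and does not match."""
    if entry.get("protocol", "TCP") != protocol:
        return False
    start = entry.get("port")
    if start is None:
        return True
    if not isinstance(start, int):
        return False
    return start <= port <= entry.get("endPort", start)


def rule_allows(rule, protocol, port):
    """A rule with no `ports` allows every port. `to` being absent or an
    empty list allows every destination, so only `ports` is consulted."""
    ports = rule.get("ports")
    if not ports:
        return True
    return any(port_matches(p, protocol, port) for p in ports)


def missing_ports(config, required, component=COMPONENT):
    """(protocol, port) pairs in `required` that no egress rule allows."""
    rules = rules_for_component(config, component)
    return [(proto, port) for proto, port in required
            if not any(rule_allows(r, proto, port) for r in rules)]


def unrestricted_rules(config, component=COMPONENT):
    """Rules that allow all destinations on all ports, i.e. the
    'allow all egress traffic' shape the review steered the doc away from."""
    return [r for r in rules_for_component(config, component)
            if not r.get("to") and not r.get("ports")]


if __name__ == "__main__":
    # Provider HTTPS is present; 6443 is reported missing because the
    # sample config, like the doc's final example, does not open it.
    print(missing_ports(SAMPLE_CONFIG, [("TCP", 443)]))
    print(missing_ports(SAMPLE_CONFIG, [("TCP", 443), ("TCP", 6443)]))
    print(unrestricted_rules(SAMPLE_CONFIG))
```

Pipe the live resource into `json.load` in place of `SAMPLE_CONFIG` to use it against a cluster; an empty result from `missing_ports` for `[("TCP", 443)]` is the condition the doc's sentence describes, and a non-empty result from `unrestricted_rules` flags a rule that grants more than the provider endpoint.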
Quoted lines from the doc:

```asciidoc
| `external-secrets`
| 8080
| 6443
| Accesses metrics and communicates with the API server
```
@wgabor0427 Could you please help reword the description column.
Done. @bharath-b-rh Reworded the descriptions. Please review and comment on. Thanks.
Force-pushed from ff281e8 to 50daa60.
Quoted lines from the doc:

```yaml
  labels:
    app.kubernetes.io/name: cluster
    app.kubernetes.io/managed-by: external-secrets-operator-e2e
```

Sorry, missed in the previous review. Please remove the labels field.

Suggested change: delete the three quoted `labels` lines.
Force-pushed from ddcbfcc to 7eb54d2.

Force-pushed from 7eb54d2 to ba4d86a.

Force-pushed from ba4d86a to cd5c7dc.
/lgtm

@wgabor0427: all tests passed!

/lgtm

/label merge-review-needed
Quoted lines from the doc:

```asciidoc
* An `ExternalSecretsConfig` must be predefined.

* You must be able to define specific egress rules, including desitination ports and protocols
```

Suggested change (replacing the last quoted line):

```asciidoc
* You must be able to define specific egress rules, including destination ports and protocols.
```
Quoted lines from the doc:

```asciidoc
- name: allow-external-secrets-egress
----

componentName:: name for the core controller specified as `ExternalSecretsCoreController`.
```
I think this would technically have "where" about it. See https://redhat-documentation.github.io/supplementary-style-guide/#explain-commands-variables-in-code-blocks. They also usually start with "Specifies. . ."
Quoted lines from the doc:

```asciidoc
toc::[]

The {external-secrets-operator} includes pre-defined `NetworkPolicies` for security, but you must configure additonal, custom policies through the `ExternalSecretsConfig` custom resource to set the external-secrets controller egress allow policies to communicate with external providers. These configurable policies are set via the `ExternalSecretsConfig` custom resource to establish the egress allow policy.
```
First sentence is very long and hard to get through/understand, IMO.
Bill is bricked from fixing these and the PR is urgent. I'm merging under the conditions that we fix these in a future PR.

/cherry-pick enterprise-4.21

/cherry-pick enterprise-4.20
@stevsmit: new pull request created: #101690

@stevsmit: new pull request created: #101691
Version(s): 4.20+

Issue: https://issues.redhat.com/browse/OSDOCS-16585

Link to docs preview: https://100980--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/external_secrets_operator/external-secrets-operator-config-net-policy.html

QE review:

Additional information: