
feat: investigate and restrict network policies #719

Merged (12 commits), Sep 10, 2024

Conversation

UnicornChance (Contributor)

Description

Our package should operate under a "least privilege" type model for network access, and specifically egress network access should be limited to specific services/addresses rather than "anywhere".

Investigated current anywhere policies, updated restrictions where necessary. Added a new package CR field remoteCidr for defining a custom CIDR to be used in place of the anywhere CIDR. Added some validations to verify that the use of remoteGenerated, remoteSelector, remoteNamespace, and remoteCidr don't overlap or break each other. They should be used individually, except remoteSelector and remoteNamespace, which can be used together.

Potential follow-on issues for KubeAPI ingress-related network policy management, as well as utilizing service entries for known things like S3 buckets.

Related Issue

Fixes #558

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Checklist before merging
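The field-combination rule from the description above, as an added TypeScript example that is not uds-core's own package validator: the field names come from the PR, the peer shape is a plain Kubernetes NetworkPolicy ipBlock, and the exact set of remoteGenerated strings beyond "Anywhere" and "KubeAPI" is assumed.

```typescript
// Added example, not the project's validator: enforces the rule that
// remoteGenerated, remoteSelector, remoteNamespace and remoteCidr are used
// individually, except remoteSelector + remoteNamespace together, and shows
// which ipBlock an egress rule resolves to. Field names follow the PR.
interface Allow {
  direction: "Ingress" | "Egress";
  remoteGenerated?: string;         // e.g. "Anywhere", "KubeAPI" (other values assumed)
  remoteNamespace?: string;
  remoteSelector?: Record<string, string>;
  remoteCidr?: string;              // new field introduced by this PR
}

// Strict IPv4 CIDR check: four octets in 0-255 and a prefix length in 0-32.
function isValidCidr(cidr: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr);
  if (!m) return false;
  const octets = m.slice(1, 5).map(Number);
  return octets.every((o) => o <= 255) && Number(m[5]) <= 32;
}

// Returns validation errors; an empty list means the allow rule is accepted.
function validateAllow(a: Allow): string[] {
  const errors: string[] = [];
  const gen = a.remoteGenerated !== undefined;
  const sel = a.remoteSelector !== undefined;
  const ns = a.remoteNamespace !== undefined;
  const cidr = a.remoteCidr !== undefined;
  // remoteSelector and remoteNamespace may be combined; nothing else may be.
  if (gen && (sel || ns || cidr)) {
    errors.push("remoteGenerated cannot be combined with remoteSelector, remoteNamespace or remoteCidr");
  }
  if (cidr && (sel || ns)) {
    errors.push("remoteCidr cannot be combined with remoteSelector or remoteNamespace");
  }
  if (cidr && !isValidCidr(a.remoteCidr as string)) {
    errors.push(`remoteCidr "${a.remoteCidr}" is not a valid IPv4 CIDR`);
  }
  return errors;
}

// The ipBlock an egress rule resolves to: remoteCidr narrows the destination,
// while "Anywhere" stays wide open (0.0.0.0/0), which is what this PR replaces
// for known external services. Selector, namespace and KubeAPI peers are not ipBlocks.
function egressIpBlock(a: Allow): { cidr: string } | undefined {
  if (a.remoteCidr !== undefined) return { cidr: a.remoteCidr };
  if (a.remoteGenerated === "Anywhere") return { cidr: "0.0.0.0/0" };
  return undefined;
}
```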

UnicornChance self-assigned this Sep 3, 2024
UnicornChance requested a review from a team as a code owner September 3, 2024 22:07
UnicornChance linked an issue Sep 3, 2024 that may be closed by this pull request

mjnagel (Contributor) left a comment


A ton of great work here - thanks for locking this down @UnicornChance. Couple of other notes beyond my specific line comments here:

  • Might be good to document the new storage, etc. values somewhere and their effect on netpols
  • @MxNxPx tagging for awareness on the "document package CR" side - remoteCidr would be a good new item to include
  • I'm unsure if some of the keycloak access is working as expected. I deleted the uds-k3d coredns override and am seeing some connection refused errors from Grafana as well as Neuvector (nothing clear on this one for the actual error).

Line comments (all resolved) on:
  • src/keycloak/chart/templates/uds-package.yaml
  • src/authservice/chart/templates/uds-package.yaml
  • src/pepr/operator/crd/validators/package-validator.ts
  • src/grafana/chart/templates/uds-package.yaml
mjnagel previously approved these changes Sep 9, 2024
UnicornChance merged commit b6ebc49 into main Sep 10, 2024
46 checks passed
UnicornChance deleted the lock-down-egress branch September 10, 2024 17:55
mjnagel pushed a commit that referenced this pull request Sep 11, 2024
🤖 I have created a release *beep* *boop*
---


## [0.27.0](v0.26.1...v0.27.0) (2024-09-11)


### Features

* add support for Keycloak attribute `saml.assertion.signature` ([#723](#723)) ([0e1a3da](0e1a3da))
* investigate and restrict network policies ([#719](#719)) ([b6ebc49](b6ebc49))
* protocol mappers ([#621](#621)) ([d71cb44](d71cb44))


### Bug Fixes

* correct keycloak chart schema for additionalGateways ([#745](#745)) ([1fd8ef3](1fd8ef3))
* default `ctx.allowPrivilegeEscalation` to `false` if `undefined` ([#698](#698)) ([7ecd130](7ecd130))
* pre-commit linting ([#703](#703)) ([c3a2f62](c3a2f62))
* switch secret `data` to `stringData` ([#710](#710)) ([9323d4e](9323d4e))
* update ci workflows for docs shim ([#700](#700)) ([5d89254](5d89254))


### Miscellaneous

* adding uds core prerequisites documentation ([#636](#636)) ([6225766](6225766))
* **deps:** update dependency weaveworks/eksctl to v0.190.0 ([#721](#721)) ([16d208a](16d208a))
* **deps:** update githubactions ([#642](#642)) ([0705ba6](0705ba6))
* **deps:** update grafana curl image to v8.10.0 ([#751](#751)) ([0cdb020](0cdb020))
* **deps:** update grafana sidecar image to v1.27.6 ([#732](#732)) ([ad4808b](ad4808b))
* **deps:** update grafana to 11.2.0 ([#670](#670)) ([84e099a](84e099a))
* **deps:** update istio to v1.23.0 ([#672](#672)) ([3266a3a](3266a3a))
* **deps:** update keycloak chart version to v25 ([#470](#470)) ([3e805e7](3e805e7))
* **deps:** update keycloak to 25.0.5 ([#742](#742)) ([45c540a](45c540a))
* **deps:** update loki memcached images to v1.6.31 ([#752](#752)) ([f94daf1](f94daf1))
* **deps:** update metrics-server to v0.7.2 ([#708](#708)) ([53f1bfd](53f1bfd))
* **deps:** update prometheus-stack ([#437](#437)) ([526aab1](526aab1))
* **deps:** update prometheus-stack chart to v62.6.0 ([#740](#740)) ([424570d](424570d))
* **deps:** update promtail helm chart to v6.16.5 ([#706](#706)) ([4689d54](4689d54))
* **deps:** update uds cli to v0.14.2 ([#697](#697)) ([f92bf53](f92bf53))
* **deps:** update uds to v0.15.0 ([#733](#733)) ([57e0e64](57e0e64))
* **deps:** update velero ([#695](#695)) ([c188393](c188393))
* **deps:** update velero chart to 7.2.1, kubectl image for unicorn flavor ([#725](#725)) ([a98bac4](a98bac4))
* **deps:** update velero helm chart to v7.2.0 ([#720](#720)) ([6309882](6309882))
* **deps:** update zarf to v0.39.0 ([#731](#731)) ([7268680](7268680))
* update configure policy exemptions doc link ([#739](#739)) ([6ad1256](6ad1256))
* update loki to 3.1.1 ([#449](#449)) ([e61da27](e61da27))
* update renovate config/values to match all neuvector images ([#755](#755)) ([72a97ba](72a97ba))
* update resources for prometheus, document resource overrides ([#713](#713)) ([e80c1a4](e80c1a4))
* update to keycloak 25 ([#707](#707)) ([0551aa5](0551aa5))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Successfully merging this pull request may close these issues.

Lock down "egress anywhere" policies for known external services