Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Update cluster defaults package with network policies #866

Merged
merged 6 commits into from
Mar 13, 2024
Merged

feat: Update cluster defaults package with network policies #866

merged 6 commits into from
Mar 13, 2024

Conversation

borkodjurkovic-ssc
Copy link
Collaborator

Summary

In order to comply with the nist-sp-800-53-r5-require-namespace-network-policies constraint (of NIST SP 800-53 Rev. 5 Policy Controller bundle), cluster-defaults package required updates to add network policies to the gateway-infra and default namespaces.

gateway-infra namespace Network Policy

Added cluster-defaults/admin-namespaces/networkpolicy.yaml file to implement network policy in the gateway-infra namespace.

Network policies implement following rules:

  • Allow ingress within namespace
  • Allow ingress from lb health check
  • Allow egress within namespace
  • Allow egress to metadata server
  • Allow egress for GCP API
  • Allow egress to private IP ranges (includes K8S cluster)

default namespace Network Policy

Added cluster-defaults/default-namespace/networkpolicy.yaml file to implement network policy in the default namespace

Network policies implement following rules:

  • Allow ingress within namespace
  • Allow egress within namespace

fmichaelobrien
fmichaelobrien previously approved these changes Mar 1, 2024
View reviewed changes
Copy link
Contributor

@fmichaelobrien fmichaelobrien left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lgtm

@fmichaelobrien
Copy link
Contributor

Doing a deeper review around general 800-53 later tonight

alaincormier-ssc
alaincormier-ssc reviewed Mar 8, 2024
View reviewed changes
Copy link
Collaborator

@alaincormier-ssc alaincormier-ssc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added a few minor comments

solutions/gke/kubernetes/cluster-defaults/admin-namespaces/networkpolicy.yaml Show resolved Hide resolved
solutions/gke/kubernetes/cluster-defaults/admin-namespaces/networkpolicy.yaml Outdated Show resolved Hide resolved
solutions/gke/kubernetes/cluster-defaults/admin-namespaces/networkpolicy.yaml Outdated Show resolved Hide resolved
@davelanglois-ssc davelanglois-ssc mentioned this pull request Mar 13, 2024
Merged
fmichaelobrien
fmichaelobrien approved these changes Mar 13, 2024
View reviewed changes
Copy link
Contributor

@fmichaelobrien fmichaelobrien left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@borkodjurkovic-ssc borkodjurkovic-ssc changed the title Update cluster defaults package with network policies feat: Update cluster defaults package with network policies Mar 13, 2024
@borkodjurkovic-ssc borkodjurkovic-ssc merged commit 2bfcd83 into main Mar 13, 2024
3 checks passed
@borkodjurkovic-ssc borkodjurkovic-ssc deleted the update-cluster-defaults-package branch March 13, 2024 15:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alaincormier-ssc alaincormier-ssc alaincormier-ssc approved these changes

@fmichaelobrien fmichaelobrien fmichaelobrien approved these changes

@davelanglois-ssc davelanglois-ssc davelanglois-ssc approved these changes

@tackaberry tackaberry Awaiting requested review from tackaberry tackaberry is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@borkodjurkovic-ssc @fmichaelobrien @davelanglois-ssc @alaincormier-ssc