[secrets-injector]: adds network-policy #9729
base: master
Did you have a chance to test this? It might be the vault connection also needs to be allowed. Also, egress traffic should likely be constrained as well.
Yes, this was tested in one of the gh clusters ✅ Will bring this to @uwe-mayer and open another PR for egress rules 👍
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): adds network-policy default values
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): bump chart version
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): set ingress rules to empty
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): render policy rules with toYaml
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
(chore): bump chart version to 1.1.20
Signed-off-by: abhijith-darshan <abhijith.darshan@hotmail.com>
👍
@Nuckal777 We will try this out on our GH QA cluster again. Only then will we update the secrets-injector pluginDefinition.
Egress rules will come in a separate PR, agree?
From reading the manifest, the communication path to the vault instance should be blocked, because only the connection to the apiserver is enabled. In case the communication works, it would be good to understand why.
Only ingress is denied by default, not egress.
Add optional network policies for secrets-injector webhook
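The point made in the exchange above, as an added example that is not part of this PR or chart: a NetworkPolicy whose policyTypes lists only Ingress restricts inbound traffic and leaves egress from the webhook pod untouched, which is why the vault connection keeps working; a second policy that also lists Egress is what actually constrains it. Namespace names, pod labels, ports and the apiserver address are assumptions.

```yaml
# Added example (not from the PR); namespace, labels and ports are assumed.
# 1) Ingress-only: policyTypes lists Ingress alone, so egress from the
#    webhook pod stays unrestricted and the vault connection still works.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: secrets-injector-ingress
  namespace: secrets-injector
spec:
  podSelector:
    matchLabels:
      app: secrets-injector
  policyTypes:
  - Ingress
  ingress:
  - ports:
    - protocol: TCP
      port: 8443        # assumed webhook port, called by the apiserver
---
# 2) Egress also constrained: only the apiserver and vault are reachable.
#    Omitting the vault rule is what would block the webhook from vault.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: secrets-injector-egress
  namespace: secrets-injector
spec:
  podSelector:
    matchLabels:
      app: secrets-injector
  policyTypes:
  - Egress
  egress:
  - to:                 # apiserver endpoint: placeholder, use the real one
    - ipBlock:
        cidr: 10.0.0.1/32
    ports:
    - protocol: TCP
      port: 443
  - to:                 # in-cluster vault (assumed namespace and labels)
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: vault
      podSelector:
        matchLabels:
          app.kubernetes.io/name: vault
    ports:
    - protocol: TCP
      port: 8200
```

A real egress policy would additionally need a rule allowing DNS to the cluster resolver, since the vault address is resolved by name; it is left out here to keep the two policies side by side.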