
fix: restrict network policies closer to what is minimum required access #25


@JoeHCQ1 JoeHCQ1 commented Jul 31, 2024

This restricts the network policies. It does not close #7, as the following changes are still required:

  1. Once clustering is enabled (Enable Confluence Clustering by default, #26), the network policy enabling clustering must be confirmed. If multicast is required to create the cluster (the alternative is that we hard-code to pod IPs), then the policies as-is are likely to require changes.
  2. As monitoring is shown to be working properly (Must implement monitors for each application metrics endpoint using it's built-in chart monitors, the Package CR monitor key, or manual monitors in the config chart, #12), the policies related to Prometheus will need to be validated.
  3. Once Synchrony is enabled, like node clustering, the policies which enable these comms will need to be added and validated.
  4. Once restrictive egress is enabled in UDS core (Lock down "egress anywhere" policies for known external services, uds-core#558), the egress to postgresql needs to be restricted.

That said, for the capabilities which were known to exist before this work started, the network policies have been restricted.
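As an added illustration (not code from this PR or the uds-confluence package) of what "restricting egress to postgresql" and scoping the Prometheus policy look like as UDS Package CR allow rules: the field names follow the uds-core `uds.dev/v1alpha1` Package schema as I understand it, and the namespaces, pod labels and ports are assumed placeholders, not values from the page.

```yaml
apiVersion: uds.dev/v1alpha1
kind: Package
metadata:
  name: confluence
  namespace: confluence
spec:
  network:
    allow:
      # Before (the kind of rule uds-core#558 is about): any destination, any port.
      # - direction: Egress
      #   selector:
      #     app.kubernetes.io/name: confluence
      #   remoteGenerated: Anywhere
      #   description: "Confluence egress (overly broad)"

      # After: only the database pods, only the postgres port, only from Confluence pods.
      - direction: Egress
        selector:
          app.kubernetes.io/name: confluence      # assumed Confluence pod label
        remoteNamespace: postgres                 # assumed database namespace
        remoteSelector:
          app.kubernetes.io/name: postgresql      # assumed postgres pod label
        port: 5432
        description: "Confluence to PostgreSQL"

      # Prometheus scrape: ingress from the monitoring namespace to the metrics port only,
      # rather than ingress from anywhere on every port.
      - direction: Ingress
        selector:
          app.kubernetes.io/name: confluence
        remoteNamespace: monitoring               # assumed monitoring namespace
        remoteSelector:
          app.kubernetes.io/name: prometheus      # assumed Prometheus pod label
        port: 8080                                # assumed metrics port
        description: "Prometheus scrape of Confluence metrics"
```

After uds-core reconciles the Package, the generated objects can be inspected with `kubectl get networkpolicy -n confluence -o yaml` to confirm that each rule's peers and ports are as narrow as intended before clustering or Synchrony traffic is added.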

@JoeHCQ1 JoeHCQ1 changed the title 7 should minimize network policies to specific selectors needed for ingressegress traffic fix: restrict network policies closer to what is minimum required access Jul 31, 2024
@JoeHCQ1 JoeHCQ1 force-pushed the 7-should-minimize-network-policies-to-specific-selectors-needed-for-ingressegress-traffic branch from 75c49d4 to 120fb15 Compare July 31, 2024 20:58
@JoeHCQ1 JoeHCQ1 force-pushed the 7-should-minimize-network-policies-to-specific-selectors-needed-for-ingressegress-traffic branch from 5ad7742 to 1548da8 Compare August 1, 2024 14:26
@JoeHCQ1 JoeHCQ1 self-assigned this Aug 1, 2024

JoeHCQ1 commented Aug 2, 2024

Closing this for now. #34 made it largely irrelevant. I can still restrict the intra namespace policy but I don't want to do that until I have clustering working so I can confirm that my policies are not breaking anything.

@JoeHCQ1 JoeHCQ1 closed this Aug 2, 2024
Linked issue this pull request may close: Should minimize network policies to specific selectors needed for Ingress/Egress traffic.