
[Prep for] Auto allow webhook traffic - restrict traffic from control plane IP based on configuration & support IPv6 for control plane#596

Merged: zohar7ch merged 3 commits into main from zohar7ch/auto-allow-webhooks-traffic-improvments on Jun 4, 2025

@zohar7ch zohar7ch commented Jun 3, 2025

Description

Improvements for allow webhook traffic feature:

  1. Support IPv6 for control plane
  2. Get control plane CIDR prefix length from configuration
  3. Determine whether to restrict the network policy traffic source to the control plane IP based on configuration (by default - allow all)

Testing

Describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

Please include any manual steps for testing end-to-end or functionality not covered by unit/integration tests.

Also include details of the environment this PR was developed in (language/platform/browser version).

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR and in github.com/otterize/docs

@zohar7ch zohar7ch requested a review from omris94 June 3, 2025 16:03
zohar7ch added 2 commits June 3, 2025 19:05
We now use ClusterIPs and not just ClusterIP. ClusterIPs for service is
there to support dual-stack networking, so we want to support this as
well.
In case the IP address is IPv6, the CIDR would look different.
We want to determine whether the webhook-traffic-netpol rule will allow
network traffic with or without `From` section based on configuration.
When adding the `From` section, it means that the policy would be more
strict (Will allow traffic only from IPs recognized as control-plane
addresses).
@zohar7ch zohar7ch force-pushed the zohar7ch/auto-allow-webhooks-traffic-improvments branch from 65d6537 to fc051f4 Compare June 3, 2025 16:05
@zohar7ch zohar7ch merged commit 9488551 into main Jun 4, 2025
22 checks passed
@zohar7ch zohar7ch deleted the zohar7ch/auto-allow-webhooks-traffic-improvments branch June 4, 2025 05:58
@github-actions github-actions bot locked and limited conversation to collaborators Jun 4, 2025
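
An added example, not code from this PR or from the project: one way to derive the `From` CIDRs from a Service's ClusterIPs with a per-family prefix length and a configuration switch, as the description and commit messages above outline. The type, field and function names are assumptions, and the sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// WebhookSourceConfig is a hypothetical stand-in for the configuration the PR describes.
type WebhookSourceConfig struct {
	RestrictToControlPlane bool // false (default): no From section, allow all sources
	IPv4PrefixLen          int  // e.g. 32 for a single host
	IPv6PrefixLen          int  // e.g. 128 for a single host
}

// ControlPlaneCIDRs maps dual-stack ClusterIPs to the CIDR strings for ipBlock peers
// in the policy's From section. A nil result with a nil error means "omit From".
func ControlPlaneCIDRs(clusterIPs []string, cfg WebhookSourceConfig) ([]string, error) {
	if !cfg.RestrictToControlPlane {
		return nil, nil
	}
	var cidrs []string
	for _, ip := range clusterIPs {
		if ip == "" || ip == "None" { // headless Services carry no usable address
			continue
		}
		addr, err := netip.ParseAddr(ip)
		if err != nil {
			return nil, fmt.Errorf("invalid ClusterIP %q: %w", ip, err)
		}
		addr = addr.Unmap() // treat ::ffff:a.b.c.d as IPv4
		bits := cfg.IPv6PrefixLen
		if addr.Is4() {
			bits = cfg.IPv4PrefixLen
		}
		prefix, err := addr.Prefix(bits) // masks host bits, rejects out-of-range lengths
		if err != nil {
			return nil, fmt.Errorf("prefix length %d does not fit %s: %w", bits, addr, err)
		}
		cidrs = append(cidrs, prefix.String())
	}
	if len(cidrs) == 0 { // fail closed: an empty From list would match every source
		return nil, fmt.Errorf("restriction requested but no usable ClusterIP found")
	}
	return cidrs, nil
}

func main() {
	cfg := WebhookSourceConfig{RestrictToControlPlane: true, IPv4PrefixLen: 32, IPv6PrefixLen: 128}
	fmt.Println(ControlPlaneCIDRs([]string{"10.96.0.1", "fd00:10:96::1"}, cfg)) // constructed IPs
}
```

The error on an empty result matters because a NetworkPolicy ingress rule with an empty or missing `from` matches all sources, so a restriction that resolves to no CIDRs would otherwise degrade to allow-all without any signal.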