KFLUXINFRA-2558 - Add network policies to ESO (staging only) #9370
Conversation
This commit introduces NetworkPolicy resources to enhance the security posture of the external-secrets-operator component by implementing a zero-trust network model.

The policies include:

- Default deny-all policy as a security baseline
- Allow egress to Kubernetes API server and DNS for operator functionality
- Allow egress to external secret providers (AWS, Vault, etc.)
- Allow webhook ingress from the API server for CRD validation
- Allow metrics scraping from monitoring namespaces
- Allow health check probes from kubelet
- Allow intra-namespace communication between ESO components

These policies were already tested in an OpenShift cluster but are currently deployed only to staging environments for additional validation before rolling out to production.

Implements:
KFLUXINFRA-2558
KFLUXINFRA-2559
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: oswcab
| port: 443 | ||
| - protocol: TCP | ||
| port: 8200 # Vault default port | ||
| - ipBlock: |
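Review bot: the `ipBlock` entry that closes this hunk carries no comment saying what its CIDR covers or whether it is cluster-specific, while the `port: 8200` line two lines above is annotated; since the review thread establishes that this range exists to reach the kubernetes.default service at 172.30.0.1, state that in a YAML comment next to the `cidr` and note that the value must be checked per cluster, so the next reader does not have to ask the same question.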
Can you explain what this CIDR is, and will it be the same for all clusters?
This CIDR contains the IP of the Kubernetes default ClusterAPI service, kubernetes.default.svc.cluster.local, whose IP is 172.30.0.1 by default, and other Kubernetes pods. If no access is granted to this IP, we receive this error:

```
025-11-26T20:19:29.323452-0500 - "- -- -" - - failed to inject conversion webhook
CustomResourceDefinition: {"name":"clustersecretstores.external-secrets.io"}
error: Get "https://172.30.0.1:443/api/v1/namespaces/external-secrets/secrets/external-secrets-webhook": dial tcp 172.30.0.1
```

Now, we can consider restricting this to the IP of the default k8s service, 172.30.0.1/32, but we'd need to make sure no other issues arise from this.
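As an added example, not the manifests shipped in this PR, here is what the default-deny baseline from the description plus the API-server and DNS egress rules discussed in this thread look like as NetworkPolicy objects, using the narrowed 172.30.0.1/32 rule proposed above. The namespace name, the pod label, the DNS namespace and port, and the ClusterIP are assumptions that must be checked on each target cluster.

```yaml
# Added example, not the PR's own manifests. Namespace, labels, the DNS
# namespace/port and the 172.30.0.1/32 address are assumptions; the service
# CIDR and DNS pod port differ between clusters. Check them with:
#   oc get svc kubernetes -n default -o jsonpath='{.spec.clusterIP}'
#   oc get svc dns-default -n openshift-dns -o yaml      # OpenShift only
---
# 1. Baseline: deny all ingress and egress for every pod in the namespace.
#    Every other policy below only punches a hole in this one.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: external-secrets            # assumed namespace
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# 2. Egress to the Kubernetes API server, narrowed to the kubernetes.default
#    ClusterIP as proposed in the thread. The PR as written allows the wider
#    service-network CIDR instead; use one or the other, not both.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-apiserver
  namespace: external-secrets
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: external-secrets   # assumed ESO pod label
  policyTypes: ["Egress"]
  egress:
    - to:
        - ipBlock:
            cidr: 172.30.0.1/32   # kubernetes.default ClusterIP, cluster-specific
      ports:
        - protocol: TCP
          port: 443
---
# 3. Egress to cluster DNS. Without this the operator cannot resolve the
#    provider endpoints (AWS, Vault, ...) or the in-cluster webhook service.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-dns
  namespace: external-secrets
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              # kube-system on a vanilla cluster; openshift-dns on OpenShift
              kubernetes.io/metadata.name: openshift-dns
      ports:
        # OpenShift CoreDNS pods listen on 5353 and the dns-default Service
        # maps 53 to it; policies match the pod port, so 5353 is what must
        # be allowed there. On a vanilla cluster use port 53.
        - protocol: UDP
          port: 5353
        - protocol: TCP
          port: 5353
```

Two things to verify on the target cluster before moving from the CIDR to the /32: whether the CNI evaluates egress policy before or after Service DNAT (on some CNIs the rule must allow the API server endpoint IPs rather than the ClusterIP), and that the operator log no longer shows the `dial tcp 172.30.0.1` error quoted above after the policies are applied. The same error is the quickest signal that a rule is still too tight.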
/hold
Just discovered another rule we need to make the health check work consistently.