From 3a63e2ab4efe15566fe8544a846cdce196454f94 Mon Sep 17 00:00:00 2001
From: Rob Ferguson
Date: Tue, 26 Mar 2024 10:55:11 -0500
Subject: [PATCH] fix: add kubeapi egress for neuvector enforcer (#291)

## Description

Give Neuvector enforcer kubeapi access. I noticed enforcer logs indicating it was attempting to get the K8s version on startup.

```
2024-03-26T14:03:31.003|ERRO|AGT|orchestration.GetK8sVersion: Get Version fail - error=Get "https://kubernetes.default/version": read tcp 10.42.0.36:36332->10.43.0.1:443: read: connection reset by peer
2024-03-26T14:03:31.005|ERRO|AGT|orchestration.GetK8sVersion: Get Version fail - error=Get "https://kubernetes.default/apis/config.openshift.io/v1/clusteroperators/openshift-apiserver": read tcp 10.42.0.36:36354->10.43.0.1:443: read: connection reset by peer
```

## Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md#submitting-a-pull-request) followed

Co-authored-by: Micah Nagel
---
 src/neuvector/chart/templates/uds-package.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/neuvector/chart/templates/uds-package.yaml b/src/neuvector/chart/templates/uds-package.yaml
index b44a25f73..f488e6777 100644
--- a/src/neuvector/chart/templates/uds-package.yaml
+++ b/src/neuvector/chart/templates/uds-package.yaml
@@ -31,6 +31,11 @@ spec: selector: app: neuvector-updater-pod + - direction: Egress + remoteGenerated: KubeAPI + selector: + app: neuvector-enforcer-pod + - direction: Ingress # todo: evaluate a "KubeAPI" _ingress_ generated rule for webhook calls remoteGenerated: Anywhere
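Review bot: the checklist marks "Test, docs, adr added or updated as needed" as done, but the diffstat shows only `src/neuvector/chart/templates/uds-package.yaml` changed (1 file changed, 5 insertions(+)), so there is no test or doc change to review; please either uncheck that item or record in the description how the fix was verified, e.g. that after the new `remoteGenerated: KubeAPI` egress rule for `app: neuvector-enforcer-pod` is applied, the enforcer log no longer reports `Get "https://kubernetes.default/version" ... read: connection reset by peer` against `10.43.0.1:443`. The rule itself is scoped to the enforcer selector only and follows the same `direction`/`remoteGenerated`/`selector` shape as the updater-pod rule directly above it, which is the right least-privilege shape; the `todo` on the following Ingress rule about a KubeAPI ingress rule for webhook calls is untouched and should stay open.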