Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: experimental opt-in classification banner #1127

Merged
merged 13 commits into from
Dec 17, 2024
Merged

feat: experimental opt-in classification banner #1127

merged 13 commits into from
Dec 17, 2024

Conversation

mjnagel
Copy link
Contributor

@mjnagel mjnagel commented Dec 16, 2024

Description

This PR adds an experimental (opt-in) classification banner provided via an envoyfilter. This filter injects html/script code to add a top (and optionally bottom) banner with the desired classification level and the expected colors. This has primarily been validated against Keycloak and Grafana, other UIs may not display perfectly (part of why this is noted as experimental).

Related Issue

Fixes #1079

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Steps to Validate

  1. Modify the slim-dev bundle to add the below overrides:
    overrides:
      istio-controlplane:
        uds-global-istio-config:
          values:
            - path: classificationBanner.text
              value: "UNCLASSIFIED" # Possible values: UNCLASSIFIED, CUI, CONFIDENTIAL, SECRET, TOP SECRET, TOP SECRET//SCI, UNKNOWN
            - path: classificationBanner.addFooter
              value: true
            - path: classificationBanner.enabledHosts
              value:
                - keycloak.admin.{{ .Values.domain }}
                - sso.{{ .Values.domain }}
  1. Deploy slim-dev: uds run slim-dev --set flavor=unicorn
  2. Validate that the banner with the expected classification level appears on the Keycloak admin and tenant interfaces and does not overlap with any content.

Checklist before merging

@mjnagel mjnagel self-assigned this Dec 16, 2024
@mjnagel mjnagel requested a review from a team as a code owner December 16, 2024 22:21
UnicornChance
UnicornChance approved these changes Dec 17, 2024
View reviewed changes
Copy link
Contributor

@UnicornChance UnicornChance left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@mjnagel mjnagel merged commit d701067 into main Dec 17, 2024
25 checks passed
@mjnagel mjnagel deleted the classification-banner branch December 17, 2024 14:26
@github-actions github-actions bot mentioned this pull request Dec 17, 2024
Merged
mjnagel pushed a commit that referenced this pull request Dec 17, 2024
@github-actions
chore(main): release 0.33.0 (#1094)
63cfe1a 
🤖 I have created a release *beep* *boop*
---


##
[0.33.0](v0.32.1...v0.33.0)
(2024-12-17)


### Features

* configurable authentication flows
([#1102](#1102))
([498574c](498574c))
* experimental opt-in classification banner
([#1127](#1127))
([d701067](d701067))
* set Istio gateway TLS from Kubernetes secret
([#982](#982))
([2711209](2711209))


### Bug Fixes

* kubeapi netpol initialization / support for ingress policies
([#1097](#1097))
([620e6b2](620e6b2))
* retry logic for pepr store call
([#1109](#1109))
([e4c0f61](e4c0f61))


### Miscellaneous

* add additional step to pr request template
([#1104](#1104))
([7370ab1](7370ab1))
* allow separate configuration of admin domain name
([#1114](#1114))
([c331ec1](c331ec1))
* bump aks sku from free to standard to address API server perfo…
([#1121](#1121))
([bcb8848](bcb8848))
* **deps:** update curl to v8.11.1
([#1110](#1110))
([39a656c](39a656c))
* **deps:** update grafana
([#1126](#1126))
([056a6ee](056a6ee))
* **deps:** update grafana to 11.4.0
([#1053](#1053))
([77aa0b4](77aa0b4))
* **deps:** update identity-config to v0.9.0
([#1129](#1129))
([da720b2](da720b2))
* **deps:** update istio to v1.24.1
([#962](#962))
([8ecd5ff](8ecd5ff))
* **deps:** update loki to 3.3.1
([#1022](#1022))
([42d5bda](42d5bda))
* **deps:** update pepr to 0.42.0
(#1095)
([3ebae7b](3ebae7b))
* **deps:** update pepr to v0.42.1
([#1116](#1116))
([bde01da](bde01da))
* **deps:** update playwright to v1.49.1
([#1103](#1103))
([658ad0d](658ad0d))
* **deps:** update support-deps
([#1076](#1076))
([2fa010f](2fa010f))
* **deps:** update support-deps
([#1100](#1100))
([777387b](777387b))
* **deps:** update support-deps
([#1105](#1105))
([18472ea](18472ea))
* **deps:** update support-deps
([#1117](#1117))
([5b2e3a4](5b2e3a4))
* **deps:** update support-deps
([#1125](#1125))
([4a1bdfb](4a1bdfb))
* **deps:** update vector to 0.43.1
([#1107](#1107))
([2f6c8b5](2f6c8b5))
* **deps:** update velero kubectl to v1.31.4
([#1108](#1108))
([bd8ee0e](bd8ee0e))
* **deps:** update velero to v1.32.0
([#1128](#1128))
([669ebe5](669ebe5))
* **docs:** replace promtail reference with vector in prerequisites
([#1098](#1098))
([33cee59](33cee59))
* remove loki peerauth exception
([#1106](#1106))
([f87a96d](f87a96d))
* update arch diagrams
([#1120](#1120))
([e8a1beb](e8a1beb))
* update doc-gen output_dir
([#1123](#1123))
([496ea40](496ea40))
* update infra ci to run weekly and on release pr
([#1124](#1124))
([79534c9](79534c9))
* update README to explicitly indicate the need for a running co…
([#1113](#1113))
([6426c5a](6426c5a))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@UnicornChance UnicornChance UnicornChance approved these changes

Assignees

@mjnagel mjnagel

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Allow configuring a classification banner on all exposed user interfaces
2 participants
@mjnagel @UnicornChance