diff --git a/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml b/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml
index f6c3a3bc0..18c5fdcbf 100644
--- a/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml
+++ b/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml
@@ -11,6 +11,7 @@ spec:
 matchLabels:
 app.kubernetes.io/name: metrics-server
 portLevelMtls:
+ # Allow api service calls to operate permissive since ingress originates from the nodes
 "10250":
 mode: PERMISSIVE
 {{- end }}
diff --git a/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml b/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml
index 71c2deb73..6e881bf73 100644
--- a/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml
+++ b/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml
@@ -13,4 +13,7 @@ spec:
 portLevelMtls:
 "18300":
 mode: PERMISSIVE
-{{- end }}
\ No newline at end of file
+ # Allow webhooks to operate permissive since ingress originates from the nodes
+ "30443":
+ mode: PERMISSIVE
+{{- end }}
diff --git a/src/neuvector/chart/templates/uds-package.yaml b/src/neuvector/chart/templates/uds-package.yaml
index 631410e45..b44a25f73 100644
--- a/src/neuvector/chart/templates/uds-package.yaml
+++ b/src/neuvector/chart/templates/uds-package.yaml
@@ -31,6 +31,14 @@ spec:
 selector:
 app: neuvector-updater-pod
 
+ - direction: Ingress
+ # todo: evaluate a "KubeAPI" _ingress_ generated rule for webhook calls
+ remoteGenerated: Anywhere
+ selector:
+ app: neuvector-controller-pod
+ port: 30443
+ description: "Webhook"
+
 - direction: Ingress
 remoteNamespace: monitoring
 remoteSelector:
diff --git a/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml b/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml
new file mode 100644
index 000000000..eb1c14d0e
--- /dev/null
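Review bot: The new port-level exception on `"30443"` in neuvector-controller-pa.yaml switches off Istio peer-identity enforcement for that port, so whatever TLS and authentication the controller's own webhook listener performs becomes the only control on it; the same holds for `"10250"` in the new prometheus-operator-pa.yaml. PERMISSIVE is the appropriate lever here because the kube-apiserver that calls admission webhooks runs outside the mesh and cannot present a sidecar identity, but the added comment gives a different reason — "ingress originates from the nodes" reads like kubelet traffic, which is not what an admission webhook receives. Suggest `# Admission webhook: the kube-apiserver is not in the mesh and cannot present mTLS; the webhook's own TLS/auth applies on this port`. If the platform's AuthorizationPolicy tooling supports restricting by source address, it is worth evaluating pairing this exception with a policy scoped to the API server's address range, though I cannot tell from this hunk whether such a policy is generated elsewhere.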
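Review bot: `remoteGenerated: Anywhere` on the new Ingress entry in neuvector's uds-package.yaml admits every source to `neuvector-controller-pod` port 30443, which is far broader than the single caller (the kube-apiserver) the entry exists to serve; the prometheus-stack uds-package.yaml hunk has the same shape for port 10250. The inline todo already names the narrower `KubeAPI`-generated rule as the intended end state, so the wider exposure is acknowledged but nothing tracks closing it. Suggest moving the todo above the `- direction: Ingress` line so it describes the whole entry rather than sitting between two keys of it, and tying it to a ticket, e.g. `# TODO(<issue-id>): replace Anywhere with a KubeAPI ingress rule once the operator can generate one for webhook callers`. The `allow` list these entries belong to starts before the hunk.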
+++ b/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml
@@ -0,0 +1,17 @@
+{{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }}
+apiVersion: "security.istio.io/v1beta1"
+kind: PeerAuthentication
+metadata:
+ name: prometheus-operator-webhook
+ namespace: {{ .Release.Namespace }}
+spec:
+ selector:
+ matchLabels:
+ app: kube-prometheus-stack-operator
+ mtls:
+ mode: STRICT
+ portLevelMtls:
+ # Allow webhooks to operate permissive since ingress originates from the nodes
+ "10250":
+ mode: PERMISSIVE
+{{- end }}
diff --git a/src/prometheus-stack/chart/templates/uds-package.yaml b/src/prometheus-stack/chart/templates/uds-package.yaml
index f021ddf01..5574573bc 100644
--- a/src/prometheus-stack/chart/templates/uds-package.yaml
+++ b/src/prometheus-stack/chart/templates/uds-package.yaml
@@ -33,6 +33,14 @@ spec:
 selector:
 app: kube-prometheus-stack-admission-patch
 
+ - direction: Ingress
+ # todo: evaluate a "KubeAPI" _ingress_ generated rule for webhook calls
+ remoteGenerated: Anywhere
+ selector:
+ app: kube-prometheus-stack-operator
+ port: 10250
+ description: "Webhook"
+
 # todo: lockdown egress to scrape targets
 - direction: Egress
 remoteNamespace: ""