From 739c9a48e5769fe7db8a59c25d91adc73e573ecb Mon Sep 17 00:00:00 2001
From: Matias Charriere
Date: Mon, 17 Feb 2025 11:18:11 +0100
Subject: [PATCH 1/3] Narrow egress rule down targeting DNS service only
Signed-off-by: Matias Charriere
---
 CHANGELOG.md | 4 ++++
 helm/trivy/templates/ciliumnetworkpolicy.yaml | 9 +++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f9e72d1..2996958 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+### Changed
+
+- Narrow down CiliumNetworkPolicy egress rule to match DNS service only.
+
 ## [0.13.1] - 2024-11-05
 ### Changed
diff --git a/helm/trivy/templates/ciliumnetworkpolicy.yaml b/helm/trivy/templates/ciliumnetworkpolicy.yaml
index acf365e..56dc419 100644
--- a/helm/trivy/templates/ciliumnetworkpolicy.yaml
+++ b/helm/trivy/templates/ciliumnetworkpolicy.yaml
@@ -14,8 +14,13 @@ spec:
 egress:
 - toEntities:
 - world
- - toEntities:
- - cluster
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: kube-system
+ k8s-app: coredns
+ - matchLabels:
+ io.kubernetes.pod.namespace: kube-system
+ k8s-app: k8s-dns-node-cache
 toPorts:
 - ports:
 - port: "1053"
From f55b09c88ffe00636d080112da7696af20904fec Mon Sep 17 00:00:00 2001
From: Franco
Date: Mon, 17 Feb 2025 09:25:59 -0300
Subject: [PATCH 2/3] Narrow down Ingress rule to only scanjobs
---
 CHANGELOG.md | 1 +
 helm/trivy/templates/ciliumnetworkpolicy.yaml | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2996958..33902c6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - Narrow down CiliumNetworkPolicy egress rule to match DNS service only.
+- Narrow down CiliumNetworkPolicy ingress rule to match `trivy-operator` only.
 ## [0.13.1] - 2024-11-05
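Review bot: In the ciliumnetworkpolicy.yaml hunk of patch 1/3, the new `toEndpoints` selectors hard-code the `kube-system` namespace and the `k8s-app: coredns` / `k8s-app: k8s-dns-node-cache` labels, so on a cluster whose DNS pods carry a different label (kubeadm-style CoreDNS is, as far as I recall, labelled `k8s-app: kube-dns`) the chart silently loses all DNS egress and every scan fails on name resolution with nothing in the policy to explain why. Since this is a Helm template, the namespace and the two labels belong in `values.yaml` with the current strings as defaults, e.g. `io.kubernetes.pod.namespace: {{ .Values.<dnsNamespaceKey> | default "kube-system" }}` (the values key name is a placeholder to be chosen). A short template comment above the `toEndpoints` entry naming the two DNS deployments being matched and telling operators to adjust the labels if their DNS runs elsewhere would make a failing policy debuggable. The unchanged `toEntities: world` entry just above carries no `toPorts`, so outbound traffic to the internet stays unrestricted; if that is intended, the changelog entry should say so, since "DNS service only" reads as if all egress were narrowed. The `spec:` block this hunk edits starts before the hunk.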
diff --git a/helm/trivy/templates/ciliumnetworkpolicy.yaml b/helm/trivy/templates/ciliumnetworkpolicy.yaml
index 56dc419..c318587 100644
--- a/helm/trivy/templates/ciliumnetworkpolicy.yaml
+++ b/helm/trivy/templates/ciliumnetworkpolicy.yaml
@@ -26,8 +26,9 @@ spec:
 - port: "1053"
 - port: "53"
 ingress:
- - fromEntities:
- - cluster
+ - fromEndpoints:
+ - matchLabels:
+ vulnerabilityreport.scanner: Trivy
 toPorts:
 - ports:
 - port: "{{ .Values.trivy.service.port | default 4954 }}"
From 13dea826e5801650d9d23b445453074f35c01b65 Mon Sep 17 00:00:00 2001
From: Matias Charriere
Date: Mon, 17 Feb 2025 17:35:46 +0100
Subject: [PATCH 3/3] switch to namespace
Signed-off-by: Matias Charriere
---
 CHANGELOG.md | 2 +-
 helm/trivy/templates/ciliumnetworkpolicy.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 33902c6..7054703 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,7 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - Narrow down CiliumNetworkPolicy egress rule to match DNS service only.
-- Narrow down CiliumNetworkPolicy ingress rule to match `trivy-operator` only.
+- Narrow down CiliumNetworkPolicy ingress rule to allow traffic from namespace.
 ## [0.13.1] - 2024-11-05
diff --git a/helm/trivy/templates/ciliumnetworkpolicy.yaml b/helm/trivy/templates/ciliumnetworkpolicy.yaml
index c318587..a4ce208 100644
--- a/helm/trivy/templates/ciliumnetworkpolicy.yaml
+++ b/helm/trivy/templates/ciliumnetworkpolicy.yaml
@@ -28,7 +28,7 @@ spec:
 ingress:
 - fromEndpoints:
 - matchLabels:
- vulnerabilityreport.scanner: Trivy
+ io.kubernetes.pod.namespace: {{ .Release.Namespace }}
 toPorts:
 - ports:
 - port: "{{ .Values.trivy.service.port | default 4954 }}"
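Review bot: In the ciliumnetworkpolicy.yaml hunk of patch 3/3, the added `io.kubernetes.pod.namespace: {{ .Release.Namespace }}` is an unquoted templated scalar; Helm renders the text before YAML parsing, and a namespace name made only of digits is a valid DNS-1123 label that would render as a YAML integer, which the API server rejects as a label value, so write it as `io.kubernetes.pod.namespace: "{{ .Release.Namespace }}"`. As the changelog line in this series states, the rule now admits any pod in the release namespace to the trivy server port instead of only scan jobs, a wider ingress surface than the selector it replaces; the commit title `switch to namespace` does not record why the narrower label was dropped, and a template comment above `fromEndpoints` recording that reasoning would spare the next reader from re-narrowing it. If I recall Cilium's semantics correctly, a `fromEndpoints` selector in a namespaced CiliumNetworkPolicy is already scoped to the policy's own namespace, so this label may be equivalent to an empty `matchLabels: {}` — worth confirming against the Cilium documentation and, if so, stating in the same comment that the label is explicit for readability. The `spec:` block containing this `ingress` rule begins before the hunk.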