Add templating to provide more specific network policies

blancharda commented 4 months ago

Overview

The current network policy egress routes allow for remoteGenerated: Anywhere on almost all gitlab pods. We should enable more restrictive egress policies by adding helm values and corresponding templates to allow a user to customize more limited egress for their specific environment.

See more discussion here

Proposal

Identify points of egress (database, storage, redis... other?) and map them to each gitlab pod
Add individual egress rules for each mapping
By default, perhaps we continue to allow traffic anywhere so that network policies don't break an initial install
Template the destination to allow for a custom CIDR (once this is implemented) // pod selector + namespace // other destination?
Consider something like values.additionalNetworkAllows[] to allow a user to specify fully custom additional rules

blancharda commented 4 months ago

Duplicates #78

zachariahmiller commented 4 months ago

@blancharda Appreciate you!

defenseunicorns / uds-package-gitlab

Add templating to provide more specific network policies #82

Overview

Proposal