Uploaded image for project: 'OpenShift Service Mesh'
  1. OpenShift Service Mesh
  2. OSSM-409

[RFE] Include a flag in the SMCP resource to enable/disable the creation of istio-expose-route-basic NetworkPolicy in members

    XMLWordPrintable

Details

    • Story
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • None
    • None
    • Maistra
    • None
    • False
    • False
    • Undefined
    • 5

    Description

      As soon as a project is added to a member roll the operator creates on the istio-expose-route-basic network policy to allow non-mesh services receive external traffic using routes, provided they have the label maistra.io/expose-route: "true".

       

      That behavior should be configurable from the SMMR resource to avoid/enable the creation of such network policy on demand, as it can be seen as a security concern because users can bypass the restrictions added by the Service Mesh by adding the label in their deployments and creating routes.

       

      Acceptance Criteria:

      • enable/disable switch added to SMCP
      • istio-operator test that verifies that the SMCP switch works
      • should be added to 1.1, 2.0, 2.1 streams
      • documentation PR that explains how to use the feature

      Attachments

        Issue Links

          Activity

            People

              sgarciam@redhat.com Sergio Garcia Martinez (Inactive)
              sgarciam@redhat.com Sergio Garcia Martinez (Inactive)
              Votes:
              4 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: