You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The BB level value of networkPolicies.controlPlaneCidr passes down to app netpols via default values per app in their respective BB template subdirectories, but gitlab-runner is missing this default value here.
This is easy to mitigate in the meantime with addons.gitlabRunner.values.networkPolicies.controlPlaneCidr, but still a minor bug:
Also, the associated network policy includes a rule to allow all traffic to the gitlab namespace, but all other applications have a dedicated kube-api egress and this one should as well, as the current multi-element rule allows all traffic to the gitlab namespace or the default cidr (0.0.0.0/0 if not configured directly in the gitlab runner values).
Suggested action is to fix the gitlab runner BB level values, break the netpol into its own dedicated kube api netpol and create a new netpol for gitlab-runner > gitlab communication. Below was tested and worked fine for us:
This policy enforces traffic to be destined to the gitlab namespace and pods with the app: webservice label which I believe is all gitlab-runner needs.
BigBang Version
2.19.2 but likely an issue since the migration of gitlab-runner to its own namespace.
The text was updated successfully, but these errors were encountered:
Bug
Description
The BB level value of networkPolicies.controlPlaneCidr passes down to app netpols via default values per app in their respective BB template subdirectories, but gitlab-runner is missing this default value here.
This is easy to mitigate in the meantime with addons.gitlabRunner.values.networkPolicies.controlPlaneCidr, but still a minor bug:
Also, the associated network policy includes a rule to allow all traffic to the gitlab namespace, but all other applications have a dedicated kube-api egress and this one should as well, as the current multi-element rule allows all traffic to the gitlab namespace or the default cidr (0.0.0.0/0 if not configured directly in the gitlab runner values).
Suggested action is to fix the gitlab runner BB level values, break the netpol into its own dedicated kube api netpol and create a new netpol for gitlab-runner > gitlab communication. Below was tested and worked fine for us:
This policy enforces traffic to be destined to the gitlab namespace and pods with the
app: webservice
label which I believe is all gitlab-runner needs.BigBang Version
2.19.2 but likely an issue since the migration of gitlab-runner to its own namespace.
The text was updated successfully, but these errors were encountered: