From d9cb43a70cebc2749a888f58d4aa884111439090 Mon Sep 17 00:00:00 2001 From: Cecile Robert-Michon Date: Fri, 10 Sep 2021 17:25:38 -0700 Subject: [PATCH 1/2] Add calico GlobalNetworkPolicy to block traffic to 168.63.129.16
---
templates/addons/calico.yaml | 34 +++++++++++++++++++ .../ci/cluster-template-prow-ci-version.yaml | 10 +++++- .../ci/cluster-template-prow-custom-vnet.yaml | 10 +++++- ...template-prow-external-cloud-provider.yaml | 10 +++++- ...template-prow-machine-pool-ci-version.yaml | 10 +++++- .../cluster-template-prow-machine-pool.yaml | 10 +++++- .../ci/cluster-template-prow-nvidia-gpu.yaml | 10 +++++- .../ci/cluster-template-prow-private.yaml | 10 +++++- templates/test/ci/cluster-template-prow.yaml | 10 +++++- ...r-template-custom-builds-machine-pool.yaml | 10 +++++- .../dev/cluster-template-custom-builds.yaml | 10 +++++- 11 files changed, 124 insertions(+), 10 deletions(-)
diff --git a/templates/addons/calico.yaml b/templates/addons/calico.yaml
index 734c179e40b..32cce2eb279 100644
--- a/templates/addons/calico.yaml
+++ b/templates/addons/calico.yaml
@@ -4141,3 +4141,37 @@ spec: --- # Source: calico/templates/configure-canal.yaml
+
+---
+# This network policy explicitly ensures that container-originating TCP traffic bound for the reserved Azure IP endpoint is blocked
+# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.
+apiVersion: crd.projectcalico.org/v1
+kind: GlobalNetworkPolicy
+metadata:
+ name: deny-azure-internal
+spec:
+ order: 0
+ applyOnForward: true
+ types:
+ - Egress
+ egress:
+ - action: Deny
+ protocol: TCP
+ destination:
+ nets:
+ - 168.63.129.16/32
+---
+apiVersion: crd.projectcalico.org/v1
+kind: GlobalNetworkPolicy
+metadata:
+ name: default-allow
+spec:
+ order: 9999
+ applyOnForward: true
+ types:
+ - Egress
+ - Ingress
+ egress:
+ - action: Allow
+ ingress:
+ - action: Allow
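Review bot: The `default-allow` policy at the end of this hunk finishes every endpoint's policy evaluation with `action: Allow` in both directions, which, as I read Calico's ordering (Kubernetes NetworkPolicies sit at order 1000, ahead of `order: 9999`), means traffic that a NetworkPolicy leaves unmatched is allowed here instead of being dropped at the end of the tier. Since `deny-azure-internal` declares only `types: - Egress`, it does not by itself isolate ingress, so `default-allow` could drop `- Ingress` and the `ingress: - action: Allow` rule and leave NetworkPolicy ingress isolation intact. The egress allow has the same side effect and should at least carry a comment such as `# Needed because deny-azure-internal selects all endpoints for egress; also allows egress that a Kubernetes NetworkPolicy leaves unmatched.` The deny itself is enforced on Calico workload endpoints, so hostNetwork pods are presumably outside it and worth a word in the header comment. The ten cluster-template hunks that follow embed the same two policies in generated ConfigMap strings, so the point applies there as well.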
diff --git a/templates/test/ci/cluster-template-prow-ci-version.yaml b/templates/test/ci/cluster-template-prow-ci-version.yaml index 7404bf56cb5..6bd3c36be18 100644 --- a/templates/test/ci/cluster-template-prow-ci-version.yaml +++ b/templates/test/ci/cluster-template-prow-ci-version.yaml @@ -2837,7 +2837,15 @@ data: \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# - Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n# + This network policy explicitly ensures that container-originating TCP traffic + bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: deny-azure-internal\nspec:\n + \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: + Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n + \ order: 9999\n applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n + \ - action: Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow-custom-vnet.yaml b/templates/test/ci/cluster-template-prow-custom-vnet.yaml index a9e095002f7..dce73f390d3 100644 --- a/templates/test/ci/cluster-template-prow-custom-vnet.yaml +++ b/templates/test/ci/cluster-template-prow-custom-vnet.yaml 
@@ -2702,7 +2702,15 @@ data: \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# - Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n# + This network policy explicitly ensures that container-originating TCP traffic + bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: deny-azure-internal\nspec:\n + \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: + Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n + \ order: 9999\n applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n + \ - action: Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow-external-cloud-provider.yaml b/templates/test/ci/cluster-template-prow-external-cloud-provider.yaml index 4138dbc5d09..db7e6533340 100644 --- a/templates/test/ci/cluster-template-prow-external-cloud-provider.yaml +++ b/templates/test/ci/cluster-template-prow-external-cloud-provider.yaml 
@@ -3009,7 +3009,15 @@ data: \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# - Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n# + This network policy explicitly ensures that container-originating TCP traffic + bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: deny-azure-internal\nspec:\n + \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: + Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n + \ order: 9999\n applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n + \ - action: Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml b/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml index 4174976d60f..0e7f538aea6 100644 --- a/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml +++ b/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml 
@@ -2823,7 +2823,15 @@ data: \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# - Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n# + This network policy explicitly ensures that container-originating TCP traffic + bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: deny-azure-internal\nspec:\n + \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: + Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n + \ order: 9999\n applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n + \ - action: Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow-machine-pool.yaml b/templates/test/ci/cluster-template-prow-machine-pool.yaml index 7536bc5de20..06a5a98532b 100644 --- a/templates/test/ci/cluster-template-prow-machine-pool.yaml +++ b/templates/test/ci/cluster-template-prow-machine-pool.yaml 
@@ -2676,7 +2676,15 @@ data: \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# - Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n# + This network policy explicitly ensures that container-originating TCP traffic + bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: deny-azure-internal\nspec:\n + \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: + Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n + \ order: 9999\n applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n + \ - action: Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow-nvidia-gpu.yaml b/templates/test/ci/cluster-template-prow-nvidia-gpu.yaml index 1026a35eada..9d367d36a4a 100644 --- a/templates/test/ci/cluster-template-prow-nvidia-gpu.yaml +++ b/templates/test/ci/cluster-template-prow-nvidia-gpu.yaml 
@@ -9031,7 +9031,15 @@ data: \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# - Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n# + This network policy explicitly ensures that container-originating TCP traffic + bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: deny-azure-internal\nspec:\n + \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: + Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n + \ order: 9999\n applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n + \ - action: Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow-private.yaml b/templates/test/ci/cluster-template-prow-private.yaml index 2efa78f0da6..dadb166fbe8 100644 --- a/templates/test/ci/cluster-template-prow-private.yaml +++ b/templates/test/ci/cluster-template-prow-private.yaml 
@@ -2705,7 +2705,15 @@ data: \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# - Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n# + This network policy explicitly ensures that container-originating TCP traffic + bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: deny-azure-internal\nspec:\n + \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: + Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n + \ order: 9999\n applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n + \ - action: Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow.yaml b/templates/test/ci/cluster-template-prow.yaml index d1694d76e78..6c4d49c5822 100644 --- a/templates/test/ci/cluster-template-prow.yaml +++ b/templates/test/ci/cluster-template-prow.yaml 
@@ -2691,7 +2691,15 @@ data: \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# - Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n# + This network policy explicitly ensures that container-originating TCP traffic + bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: deny-azure-internal\nspec:\n + \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: + Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n + \ order: 9999\n applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n + \ - action: Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml b/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml index e8f71856cf5..3d54f198b47 100644 --- a/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml +++ b/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml 
@@ -2766,7 +2766,15 @@ data: \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# - Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n# + This network policy explicitly ensures that container-originating TCP traffic + bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: deny-azure-internal\nspec:\n + \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: + Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n + \ order: 9999\n applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n + \ - action: Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/dev/cluster-template-custom-builds.yaml b/templates/test/dev/cluster-template-custom-builds.yaml index dbc8a0d7845..14fa6de9c5a 100644 --- a/templates/test/dev/cluster-template-custom-builds.yaml +++ b/templates/test/dev/cluster-template-custom-builds.yaml 
@@ -2780,7 +2780,15 @@ data: \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# - Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n# + This network policy explicitly ensures that container-originating TCP traffic + bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: deny-azure-internal\nspec:\n + \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: + Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n + \ order: 9999\n applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n + \ - action: Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: From 98cb290565f371d733f2c9eb0080f288c0d872f3 Mon Sep 17 00:00:00 2001 
From: Cecile Robert-Michon Date: Thu, 16 Sep 2021 10:36:41 -0700 Subject: [PATCH 2/2] remove order --- templates/addons/calico.yaml | 1 - templates/test/ci/cluster-template-prow-ci-version.yaml | 4 ++-- templates/test/ci/cluster-template-prow-custom-vnet.yaml | 4 ++-- .../ci/cluster-template-prow-external-cloud-provider.yaml | 4 ++-- .../ci/cluster-template-prow-machine-pool-ci-version.yaml | 4 ++-- templates/test/ci/cluster-template-prow-machine-pool.yaml | 4 ++-- templates/test/ci/cluster-template-prow-nvidia-gpu.yaml | 4 ++-- templates/test/ci/cluster-template-prow-private.yaml | 4 ++-- templates/test/ci/cluster-template-prow.yaml | 4 ++-- .../test/dev/cluster-template-custom-builds-machine-pool.yaml | 4 ++-- templates/test/dev/cluster-template-custom-builds.yaml | 4 ++-- 11 files changed, 20 insertions(+), 21 deletions(-) diff --git a/templates/addons/calico.yaml b/templates/addons/calico.yaml index 32cce2eb279..5ce5330e4a9 100644 --- a/templates/addons/calico.yaml +++ b/templates/addons/calico.yaml @@ -4166,7 +4166,6 @@ kind: GlobalNetworkPolicy metadata: name: default-allow spec: - order: 9999 applyOnForward: true types: - Egress diff --git a/templates/test/ci/cluster-template-prow-ci-version.yaml b/templates/test/ci/cluster-template-prow-ci-version.yaml index 6bd3c36be18..78cc5cbdeda 100644 --- a/templates/test/ci/cluster-template-prow-ci-version.yaml +++ b/templates/test/ci/cluster-template-prow-ci-version.yaml 
@@ -2844,8 +2844,8 @@ data: \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n - \ order: 9999\n applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - \ - action: Allow\n ingress:\n - action: Allow\n" + \ applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - action: + Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow-custom-vnet.yaml b/templates/test/ci/cluster-template-prow-custom-vnet.yaml index dce73f390d3..0db923c518b 100644 --- a/templates/test/ci/cluster-template-prow-custom-vnet.yaml +++ b/templates/test/ci/cluster-template-prow-custom-vnet.yaml @@ -2709,8 +2709,8 @@ data: \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n - \ order: 9999\n applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - \ - action: Allow\n ingress:\n - action: Allow\n" + \ applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - action: + Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow-external-cloud-provider.yaml b/templates/test/ci/cluster-template-prow-external-cloud-provider.yaml index db7e6533340..2c5f33f4459 100644 --- a/templates/test/ci/cluster-template-prow-external-cloud-provider.yaml +++ b/templates/test/ci/cluster-template-prow-external-cloud-provider.yaml 
@@ -3016,8 +3016,8 @@ data: \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n - \ order: 9999\n applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - \ - action: Allow\n ingress:\n - action: Allow\n" + \ applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - action: + Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml b/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml index 0e7f538aea6..fe3ee7565f9 100644 --- a/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml +++ b/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml @@ -2830,8 +2830,8 @@ data: \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n - \ order: 9999\n applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - \ - action: Allow\n ingress:\n - action: Allow\n" + \ applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - action: + Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow-machine-pool.yaml b/templates/test/ci/cluster-template-prow-machine-pool.yaml index 06a5a98532b..47d19e3023e 100644 --- a/templates/test/ci/cluster-template-prow-machine-pool.yaml +++ b/templates/test/ci/cluster-template-prow-machine-pool.yaml 
@@ -2683,8 +2683,8 @@ data: \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n - \ order: 9999\n applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - \ - action: Allow\n ingress:\n - action: Allow\n" + \ applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - action: + Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow-nvidia-gpu.yaml b/templates/test/ci/cluster-template-prow-nvidia-gpu.yaml index 9d367d36a4a..d9da103415e 100644 --- a/templates/test/ci/cluster-template-prow-nvidia-gpu.yaml +++ b/templates/test/ci/cluster-template-prow-nvidia-gpu.yaml @@ -9038,8 +9038,8 @@ data: \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n - \ order: 9999\n applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - \ - action: Allow\n ingress:\n - action: Allow\n" + \ applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - action: + Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow-private.yaml b/templates/test/ci/cluster-template-prow-private.yaml index dadb166fbe8..428758a0643 100644 --- a/templates/test/ci/cluster-template-prow-private.yaml +++ b/templates/test/ci/cluster-template-prow-private.yaml 
@@ -2712,8 +2712,8 @@ data: \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n - \ order: 9999\n applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - \ - action: Allow\n ingress:\n - action: Allow\n" + \ applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - action: + Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow.yaml b/templates/test/ci/cluster-template-prow.yaml index 6c4d49c5822..62adf759aeb 100644 --- a/templates/test/ci/cluster-template-prow.yaml +++ b/templates/test/ci/cluster-template-prow.yaml @@ -2698,8 +2698,8 @@ data: \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n - \ order: 9999\n applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - \ - action: Allow\n ingress:\n - action: Allow\n" + \ applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - action: + Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml b/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml index 3d54f198b47..faedf4a9cdb 100644 --- a/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml +++ b/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml 
@@ -2773,8 +2773,8 @@ data: \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n - \ order: 9999\n applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - \ - action: Allow\n ingress:\n - action: Allow\n" + \ applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - action: + Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/dev/cluster-template-custom-builds.yaml b/templates/test/dev/cluster-template-custom-builds.yaml index 14fa6de9c5a..bc14d430a68 100644 --- a/templates/test/dev/cluster-template-custom-builds.yaml +++ b/templates/test/dev/cluster-template-custom-builds.yaml @@ -2787,8 +2787,8 @@ data: \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n - \ order: 9999\n applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - \ - action: Allow\n ingress:\n - action: Allow\n" + \ applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - action: + Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: