kubernetes-sigs · CecileRobertMichon · Sep 11, 2021 · Sep 16, 2021
diff --git a/templates/addons/calico.yaml b/templates/addons/calico.yaml
@@ -4141,3 +4141,36 @@ spec:
 
 ---
 # Source: calico/templates/configure-canal.yaml
+
+---
+# This network policy explicitly ensures that container-originating TCP traffic bound for the reserved Azure IP endpoint is blocked
+# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.
+apiVersion: crd.projectcalico.org/v1
+kind: GlobalNetworkPolicy
+metadata:
+    name: deny-azure-internal
+spec:
+  order: 0
+  applyOnForward: true
+  types:
+    - Egress
+  egress: 
+  - action: Deny
+    protocol: TCP
+    destination:
+      nets:
+      - 168.63.129.16/32
+---
+apiVersion: crd.projectcalico.org/v1
+kind: GlobalNetworkPolicy
+metadata:
+  name: default-allow
+spec:
+  applyOnForward: true
+  types:
+  - Egress
+  - Ingress
+  egress:
+  - action: Allow
+  ingress:
+  - action: Allow
diff --git a/templates/test/ci/cluster-template-prow-ci-version.yaml b/templates/test/ci/cluster-template-prow-ci-version.yaml
@@ -2837,7 +2837,15 @@ data:
     \ name: calico-kube-controllers\n  namespace: kube-system\n  labels:\n    k8s-app:
     calico-kube-controllers\nspec:\n  maxUnavailable: 1\n  selector:\n    matchLabels:\n
     \     k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n#
-    Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n"
+    Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n#
+    This network policy explicitly ensures that container-originating TCP traffic
+    bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion:
+    crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n    name: deny-azure-internal\nspec:\n
+    \ order: 0\n  applyOnForward: true\n  types:\n    - Egress\n  egress: \n  - action:
+    Deny\n    protocol: TCP\n    destination:\n      nets:\n      - 168.63.129.16/32\n---\napiVersion:
+    crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n  name: default-allow\nspec:\n
+    \ applyOnForward: true\n  types:\n  - Egress\n  - Ingress\n  egress:\n  - action:
+    Allow\n  ingress:\n  - action: Allow\n"
 kind: ConfigMap
 metadata:
   annotations:

diff --git a/templates/test/ci/cluster-template-prow-custom-vnet.yaml b/templates/test/ci/cluster-template-prow-custom-vnet.yaml
@@ -2702,7 +2702,15 @@ data:
     \ name: calico-kube-controllers\n  namespace: kube-system\n  labels:\n    k8s-app:
     calico-kube-controllers\nspec:\n  maxUnavailable: 1\n  selector:\n    matchLabels:\n
     \     k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n#
-    Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n"
+    Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n#
+    This network policy explicitly ensures that container-originating TCP traffic
+    bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion:
+    crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n    name: deny-azure-internal\nspec:\n
+    \ order: 0\n  applyOnForward: true\n  types:\n    - Egress\n  egress: \n  - action:
+    Deny\n    protocol: TCP\n    destination:\n      nets:\n      - 168.63.129.16/32\n---\napiVersion:
+    crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n  name: default-allow\nspec:\n
+    \ applyOnForward: true\n  types:\n  - Egress\n  - Ingress\n  egress:\n  - action:
+    Allow\n  ingress:\n  - action: Allow\n"
 kind: ConfigMap
 metadata:
   annotations:

diff --git a/templates/test/ci/cluster-template-prow-external-cloud-provider.yaml b/templates/test/ci/cluster-template-prow-external-cloud-provider.yaml
@@ -3009,7 +3009,15 @@ data:
     \ name: calico-kube-controllers\n  namespace: kube-system\n  labels:\n    k8s-app:
     calico-kube-controllers\nspec:\n  maxUnavailable: 1\n  selector:\n    matchLabels:\n
     \     k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n#
-    Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n"
+    Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n#
+    This network policy explicitly ensures that container-originating TCP traffic
+    bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion:
+    crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n    name: deny-azure-internal\nspec:\n
+    \ order: 0\n  applyOnForward: true\n  types:\n    - Egress\n  egress: \n  - action:
+    Deny\n    protocol: TCP\n    destination:\n      nets:\n      - 168.63.129.16/32\n---\napiVersion:
+    crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n  name: default-allow\nspec:\n
+    \ applyOnForward: true\n  types:\n  - Egress\n  - Ingress\n  egress:\n  - action:
+    Allow\n  ingress:\n  - action: Allow\n"
 kind: ConfigMap
 metadata:
   annotations:

diff --git a/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml b/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml
@@ -2823,7 +2823,15 @@ data:
     \ name: calico-kube-controllers\n  namespace: kube-system\n  labels:\n    k8s-app:
     calico-kube-controllers\nspec:\n  maxUnavailable: 1\n  selector:\n    matchLabels:\n
     \     k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n#
-    Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n"
+    Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n#
+    This network policy explicitly ensures that container-originating TCP traffic
+    bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion:
+    crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n    name: deny-azure-internal\nspec:\n
+    \ order: 0\n  applyOnForward: true\n  types:\n    - Egress\n  egress: \n  - action:
+    Deny\n    protocol: TCP\n    destination:\n      nets:\n      - 168.63.129.16/32\n---\napiVersion:
+    crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n  name: default-allow\nspec:\n
+    \ applyOnForward: true\n  types:\n  - Egress\n  - Ingress\n  egress:\n  - action:
+    Allow\n  ingress:\n  - action: Allow\n"
 kind: ConfigMap
 metadata:
   annotations:

diff --git a/templates/test/ci/cluster-template-prow-machine-pool.yaml b/templates/test/ci/cluster-template-prow-machine-pool.yaml
@@ -2676,7 +2676,15 @@ data:
     \ name: calico-kube-controllers\n  namespace: kube-system\n  labels:\n    k8s-app:
     calico-kube-controllers\nspec:\n  maxUnavailable: 1\n  selector:\n    matchLabels:\n
     \     k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n#
-    Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n"
+    Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n#
+    This network policy explicitly ensures that container-originating TCP traffic
+    bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion:
+    crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n    name: deny-azure-internal\nspec:\n
+    \ order: 0\n  applyOnForward: true\n  types:\n    - Egress\n  egress: \n  - action:
+    Deny\n    protocol: TCP\n    destination:\n      nets:\n      - 168.63.129.16/32\n---\napiVersion:
+    crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n  name: default-allow\nspec:\n
+    \ applyOnForward: true\n  types:\n  - Egress\n  - Ingress\n  egress:\n  - action:
+    Allow\n  ingress:\n  - action: Allow\n"
 kind: ConfigMap
 metadata:
   annotations:

diff --git a/templates/test/ci/cluster-template-prow-nvidia-gpu.yaml b/templates/test/ci/cluster-template-prow-nvidia-gpu.yaml
@@ -9031,7 +9031,15 @@ data:
     \ name: calico-kube-controllers\n  namespace: kube-system\n  labels:\n    k8s-app:
     calico-kube-controllers\nspec:\n  maxUnavailable: 1\n  selector:\n    matchLabels:\n
     \     k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n#
-    Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n"
+    Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n#
+    This network policy explicitly ensures that container-originating TCP traffic
+    bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion:
+    crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n    name: deny-azure-internal\nspec:\n
+    \ order: 0\n  applyOnForward: true\n  types:\n    - Egress\n  egress: \n  - action:
+    Deny\n    protocol: TCP\n    destination:\n      nets:\n      - 168.63.129.16/32\n---\napiVersion:
+    crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n  name: default-allow\nspec:\n
+    \ applyOnForward: true\n  types:\n  - Egress\n  - Ingress\n  egress:\n  - action:
+    Allow\n  ingress:\n  - action: Allow\n"
 kind: ConfigMap
 metadata:
   annotations:

diff --git a/templates/test/ci/cluster-template-prow-private.yaml b/templates/test/ci/cluster-template-prow-private.yaml
@@ -2705,7 +2705,15 @@ data:
     \ name: calico-kube-controllers\n  namespace: kube-system\n  labels:\n    k8s-app:
     calico-kube-controllers\nspec:\n  maxUnavailable: 1\n  selector:\n    matchLabels:\n
     \     k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n#
-    Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n"
+    Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n#
+    This network policy explicitly ensures that container-originating TCP traffic
+    bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion:
+    crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n    name: deny-azure-internal\nspec:\n
+    \ order: 0\n  applyOnForward: true\n  types:\n    - Egress\n  egress: \n  - action:
+    Deny\n    protocol: TCP\n    destination:\n      nets:\n      - 168.63.129.16/32\n---\napiVersion:
+    crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n  name: default-allow\nspec:\n
+    \ applyOnForward: true\n  types:\n  - Egress\n  - Ingress\n  egress:\n  - action:
+    Allow\n  ingress:\n  - action: Allow\n"
 kind: ConfigMap
 metadata:
   annotations:

diff --git a/templates/test/ci/cluster-template-prow.yaml b/templates/test/ci/cluster-template-prow.yaml
@@ -2691,7 +2691,15 @@ data:
     \ name: calico-kube-controllers\n  namespace: kube-system\n  labels:\n    k8s-app:
     calico-kube-controllers\nspec:\n  maxUnavailable: 1\n  selector:\n    matchLabels:\n
     \     k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n#
-    Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n"
+    Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n#
+    This network policy explicitly ensures that container-originating TCP traffic
+    bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion:
+    crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n    name: deny-azure-internal\nspec:\n
+    \ order: 0\n  applyOnForward: true\n  types:\n    - Egress\n  egress: \n  - action:
+    Deny\n    protocol: TCP\n    destination:\n      nets:\n      - 168.63.129.16/32\n---\napiVersion:
+    crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n  name: default-allow\nspec:\n
+    \ applyOnForward: true\n  types:\n  - Egress\n  - Ingress\n  egress:\n  - action:
+    Allow\n  ingress:\n  - action: Allow\n"
 kind: ConfigMap
 metadata:
   annotations:

diff --git a/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml b/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml
@@ -2766,7 +2766,15 @@ data:
     \ name: calico-kube-controllers\n  namespace: kube-system\n  labels:\n    k8s-app:
     calico-kube-controllers\nspec:\n  maxUnavailable: 1\n  selector:\n    matchLabels:\n
     \     k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n#
-    Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n"
+    Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n#
+    This network policy explicitly ensures that container-originating TCP traffic
+    bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion:
+    crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n    name: deny-azure-internal\nspec:\n
+    \ order: 0\n  applyOnForward: true\n  types:\n    - Egress\n  egress: \n  - action:
+    Deny\n    protocol: TCP\n    destination:\n      nets:\n      - 168.63.129.16/32\n---\napiVersion:
+    crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n  name: default-allow\nspec:\n
+    \ applyOnForward: true\n  types:\n  - Egress\n  - Ingress\n  egress:\n  - action:
+    Allow\n  ingress:\n  - action: Allow\n"
 kind: ConfigMap
 metadata:
   annotations:

diff --git a/templates/test/dev/cluster-template-custom-builds.yaml b/templates/test/dev/cluster-template-custom-builds.yaml
@@ -2780,7 +2780,15 @@ data:
     \ name: calico-kube-controllers\n  namespace: kube-system\n  labels:\n    k8s-app:
     calico-kube-controllers\nspec:\n  maxUnavailable: 1\n  selector:\n    matchLabels:\n
     \     k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n#
-    Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n"
+    Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n#
+    This network policy explicitly ensures that container-originating TCP traffic
+    bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion:
+    crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n    name: deny-azure-internal\nspec:\n
+    \ order: 0\n  applyOnForward: true\n  types:\n    - Egress\n  egress: \n  - action:
+    Deny\n    protocol: TCP\n    destination:\n      nets:\n      - 168.63.129.16/32\n---\napiVersion:
+    crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n  name: default-allow\nspec:\n
+    \ applyOnForward: true\n  types:\n  - Egress\n  - Ingress\n  egress:\n  - action:
+    Allow\n  ingress:\n  - action: Allow\n"
 kind: ConfigMap
 metadata:
   annotations: