diff --git a/common/istio-1-16/istio-install/base/kustomization.yaml b/common/istio-1-16/istio-install/base/kustomization.yaml
index 647755c6a2..b5d1c7a8e0 100644
--- a/common/istio-1-16/istio-install/base/kustomization.yaml
+++ b/common/istio-1-16/istio-install/base/kustomization.yaml
@@ -14,7 +14,4 @@ patchesStrategicMerge:
 - patches/service.yaml
 - patches/istio-configmap-disable-tracing.yaml
 - patches/disable-debugging.yaml
-# Disable this patch until we upgrade to kustomize to v4+
-# see https://github.com/kubeflow/manifests/issues/2325#issuecomment-1323909056
-# - patches/remove-pdb.yaml
-
+- patches/remove-pdb.yaml
diff --git a/common/istio-cni-1-16/kustomization.yaml b/common/istio-cni-1-16/kustomization.yaml
index 85035b0a36..2de912c22e 100644
--- a/common/istio-cni-1-16/kustomization.yaml
+++ b/common/istio-cni-1-16/kustomization.yaml
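Review bot: Re-enabling `- patches/remove-pdb.yaml` drops the only record of why the entry had been commented out — the kustomize v4+ requirement and the issue link on the removed lines — so a later reader cannot tell that this base now assumes kustomize v4+. Keeping a one-line comment above the entry, `# requires kustomize v4+, see https://github.com/kubeflow/manifests/issues/2325#issuecomment-1323909056`, preserves that constraint where it is enforced. The patch file itself is not part of the diff, so its contents cannot be checked here.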
@@ -7,41 +7,8 @@
 #tar xzf istio.tar.gz
 #istio-${ISTIO_TAG}/bin/istioctl manifest generate --set values.pilot.autoscaleMin=1 --set values.gateways.istio-ingressgateway.autoscaleMin=1 --set components.cni.enabled=true --set components.cni.namespace=kube-system --set components.cni.tag=${ISTIO_TAG} --set values.global.proxy.resources.requests.cpu=10m --set tag=${ISTIO_TAG} > istio.yaml
 #rm -rf istio-${ISTIO_TAG} istio.tar.gz
-
-# sadly there is a bug such that the busybox image is not configurable in a proper way
-
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-
 resources:
 - namespace.yaml
-- istio.yaml
-
-patchesStrategicMerge:
-# Pentest enahncement: check port 15010 & 8080 in istiod: According to https://istio.io/latest/docs/ops/best-practices/security/#control-plane port 15010 is not that problematic (only resource discovery). Other parts of the documentation also say | 15010 | GRPC | XDS and CA services (Plaintext, only for secure networks) | We have a secure network layer and only XDS is served. Port 8080 is not listed in the service and even if it would be somehow reachable by IP it only "offers read access". Nevertheless we set ENABLE_DEBUG_ON_HTTP=false do disable it entirely.
-- |-
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- name: istiod
- namespace: istio-system
- spec:
- template:
- spec:
- containers:
- - name: discovery
- env:
- - name: ENABLE_DEBUG_ON_HTTP
- value: 'false'
-# https://github.com/kubeflow/manifests/issues/2285
- |-
- apiVersion: v1
- kind: Service
- metadata:
- name: istio-ingressgateway
- namespace: istio-system
- spec:
- type: ClusterIP
-
-
-
+- istio.yaml
\ No newline at end of file
diff --git a/common/podsecuritypolicies/kustomization.yaml b/common/podsecuritypolicies/kustomization.yaml
index c28e178293..c596eed590 100644
--- a/common/podsecuritypolicies/kustomization.yaml
+++ b/common/podsecuritypolicies/kustomization.yaml
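Review bot: The two patchesStrategicMerge entries dropped here — `ENABLE_DEBUG_ON_HTTP` set to `'false'` on the istiod `discovery` container, and `type: ClusterIP` on the `istio-ingressgateway` Service — are not replaced by anything visible on the new side, which only adds `- istio.yaml` under resources. If the rendered istio.yaml or a sibling overlay now carries these settings, a comment next to `- istio.yaml` naming where the debug-endpoint and gateway-type hardening lives would keep that traceable; if not, istiod's HTTP debug interface and the gateway Service type revert to whatever istio.yaml declares. The istio-install base in the first hunk does list `patches/disable-debugging.yaml` and `patches/service.yaml`, which may be the intended replacement, but nothing in the visible lines of this kustomization references that base. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while here.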
@@ -6,4 +6,3 @@ resources:
 - restricted/kubeflow-restricted-psp.yaml
 - restricted/kubeflow-restricted-clusterrole.yaml
 - restricted/kubeflow-restricted-clusterrole-rolebinding.yaml
-