From 3909cb0f5a3d332d57cd295d25419d0412b2685a Mon Sep 17 00:00:00 2001 From: Amit Lichtenberg Date: Thu, 19 Sep 2024 13:20:21 +0300 Subject: [PATCH] Remove 'experimental' warning from allowExternalTraffic='always' option --- intents-operator/README.md | 44 +++++++++++++++++------------------ otterize-kubernetes/README.md | 26 ++++++++++----------- 2 files changed, 35 insertions(+), 35 deletions(-) diff --git a/intents-operator/README.md b/intents-operator/README.md index 60c9871e..98428c82 100644 --- a/intents-operator/README.md +++ b/intents-operator/README.md 
@@ -24,28 +24,28 @@ ## Operator parameters -| Key | Description | Default | -|----------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------| -| `operator.repository` | Intents Operator image repository. | `otterize` | -| `operator.image` | Intents Operator image. | `intents-operator` | -| `operator.tag` | Intents Operator image tag. | `(pinned to latest version as of this Helm chart version's publish)` | -| `operator.pullPolicy` | Intents Operator image pull policy. | `(none)` | -| `operator.containerSecurityContext` | Security context for the containers. | `(consult values.yaml)` | -| `operator.podSecurityContext` | Security context for the pod. | `(consult values.yaml)` | -| `operator.mode` | `defaultActive` or `defaultShadow`. When `defaultActive` is set, enforcement is enabled by default. When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a ProtectedService resource. | `defaultActive` | -| `operator.enableEnforcement` | (deprecated, use mode instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). 
If true, you may use the other flags for more granular enforcement settings | `true` | -| `operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to ClientIntents | `true` | -| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to ClientIntents of type Kafka | `true` | -| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to ClientIntents | `true` | -| `operator.ingressControllerConfigs` | Restricts the automatically created external traffic network policies to only allow access to an ingress controller within the cluster. Only relevant if you use an in-cluster ingress controller, such as nginx or HAProxy. A list of objects with keys `name`, `namespace` and `kind`, such as `ingress-nginx-controller`, `nginx` and `Deployment`. | `(none)` | -| `operator.ingressControllerAWSALBExempt` | If set to true, the operator will allow all traffic if an Ingress is managed by the AWS ALB Ingress Controller. | `false` | -| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` | -| `operator.resources` | Resources override. | | -| `operator.enableDatabasePolicyCreation` | Whether the operator should create database policies according to ClientIntents | `true` | -| `operator.enableEgressNetworkPolicyCreation` | **experimental** - Enables experimental support for egress network policies (coming soon!) 
| `false` | -| `watchedNamespaces` | List of namespaces the intents operator should watch. The operator will be blind to any namespace not in this list. | `(nil) meaning watch all` | -| `enforcedNamespaces` | When using "shadow enforcement" mode, namespaces in this list will be treated as if the enforcement were active. | `(nil)` | -| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and get tls certificate. | `false` | +| Key | Description | Default | +|----------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------| +| `operator.repository` | Intents Operator image repository. | `otterize` | +| `operator.image` | Intents Operator image. | `intents-operator` | +| `operator.tag` | Intents Operator image tag. | `(pinned to latest version as of this Helm chart version's publish)` | +| `operator.pullPolicy` | Intents Operator image pull policy. | `(none)` | +| `operator.containerSecurityContext` | Security context for the containers. | `(consult values.yaml)` | +| `operator.podSecurityContext` | Security context for the pod. | `(consult values.yaml)` | +| `operator.mode` | `defaultActive` or `defaultShadow`. When `defaultActive` is set, enforcement is enabled by default. When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a ProtectedService resource. 
| `defaultActive` | +| `operator.enableEnforcement` | (deprecated, use mode instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). If true, you may use the other flags for more granular enforcement settings | `true` | +| `operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to ClientIntents | `true` | +| `operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to ClientIntents of type Kafka | `true` | +| `operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to ClientIntents | `true` | +| `operator.ingressControllerConfigs` | Restricts the automatically created external traffic network policies to only allow access to an ingress controller within the cluster. Only relevant if you use an in-cluster ingress controller, such as nginx or HAProxy. A list of objects with keys `name`, `namespace` and `kind`, such as `ingress-nginx-controller`, `nginx` and `Deployment`. | `(none)` | +| `operator.ingressControllerAWSALBExempt` | If set to true, the operator will allow all traffic if an Ingress is managed by the AWS ALB Ingress Controller. | `false` | +| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always`. Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` | +| `operator.resources` | Resources override. 
| | +| `operator.enableDatabasePolicyCreation` | Whether the operator should create database policies according to ClientIntents | `true` | +| `operator.enableEgressNetworkPolicyCreation` | **experimental** - Enables experimental support for egress network policies (coming soon!) | `false` | +| `watchedNamespaces` | List of namespaces the intents operator should watch. The operator will be blind to any namespace not in this list. | `(nil) meaning watch all` | +| `enforcedNamespaces` | When using "shadow enforcement" mode, namespaces in this list will be treated as if the enforcement were active. | `(nil)` | +| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and get tls certificate. | `false` | ## Cloud parameters diff --git a/otterize-kubernetes/README.md b/otterize-kubernetes/README.md index 531ffc73..1b3a1b01 100644 --- a/otterize-kubernetes/README.md +++ b/otterize-kubernetes/README.md 
@@ -72,19 +72,19 @@ These parameters are used by multiple charts, and must be kept the same for the All configurable parameters of intents-operator can be configured under the alias `intentsOperator`. Further information about intents-operator parameters can be found [in the Intents Operator's helm chart](https://github.com/otterize/helm-charts/tree/main/intents-operator). -| Key | Description | Default | -|-----------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------| -| `intentsOperator.autoGenerateTLSUsingCredentialsOperator` | Use credentials-operator to create TLS cert for intents-operator. | `true` | -| `operator.mode` | `defaultActive` or `defaultShadow`. When `defaultActive` is set, enforcement is enabled by default. When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a ProtectedService resource. | `defaultActive` | -| `intentsOperator.operator.enableEnforcement` | (deprecated, use mode instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). 
If true, you may use the other flags for more granular enforcement settings | `true` | -| `intentsOperator.operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to the ClientIntents | `true` | -| `intentsOperator.operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to the ClientIntents of type Kafka | `true` | -| `intentsOperator.operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to ClientIntents | `true` | -| `intentsOperator.operator.ingressControllerConfigs` | Restricts the automatically created external traffic network policies to only allow access to an ingress controller within the cluster. Only relevant if you use an in-cluster ingress controller, such as nginx or HAProxy. A list of objects with keys `name`, `namespace` and `kind`, such as `ingress-nginx-controller`, `nginx` and `Deployment`. | `(none)` | -| `intentsOperator.operator.ingressControllerAWSALBExempt` | If set to true, the operator will allow all traffic if an Ingress is managed by the AWS ALB Ingress Controller. | `false` | -| `intentsOperator.operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always` (this option is **experimental**). Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` | -| `intentsOperator.watchedNamespaces` | List of namespaces the intents operator should watch. The operator will be blind to any namespace not in this list. 
| `(nil) meaning watch all` | -| `intentsOperator.enforcedNamespaces` | When using "shadow enforcement" mode, namespaces in this list will be treated as if the enforcement were active. | `(nil) means no namespace will be active on shadow mode` | +| Key | Description | Default | +|-----------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------| +| `intentsOperator.autoGenerateTLSUsingCredentialsOperator` | Use credentials-operator to create TLS cert for intents-operator. | `true` | +| `operator.mode` | `defaultActive` or `defaultShadow`. When `defaultActive` is set, enforcement is enabled by default. When `defaultShadow` is set, enforcement is disabled by default, but can be enabled per-service using a ProtectedService resource. | `defaultActive` | +| `intentsOperator.operator.enableEnforcement` | (deprecated, use mode instead) If set to false, enforcement is disabled globally (both for network policies and Kafka ACL). 
If true, you may use the other flags for more granular enforcement settings | `true` | +| `intentsOperator.operator.enableNetworkPolicyCreation` | Whether the operator should create network policies according to the ClientIntents | `true` | +| `intentsOperator.operator.enableKafkaACLCreation` | Whether the operator should create Kafka ACL rules according to the ClientIntents of type Kafka | `true` | +| `intentsOperator.operator.enableIstioPolicyCreation` | Whether the operator should create Istio authorization policies according to ClientIntents | `true` | +| `intentsOperator.operator.ingressControllerConfigs` | Restricts the automatically created external traffic network policies to only allow access to an ingress controller within the cluster. Only relevant if you use an in-cluster ingress controller, such as nginx or HAProxy. A list of objects with keys `name`, `namespace` and `kind`, such as `ingress-nginx-controller`, `nginx` and `Deployment`. | `(none)` | +| `intentsOperator.operator.ingressControllerAWSALBExempt` | If set to true, the operator will allow all traffic if an Ingress is managed by the AWS ALB Ingress Controller. | `false` | +| `intentsOperator.operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always`. Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` | +| `intentsOperator.watchedNamespaces` | List of namespaces the intents operator should watch. The operator will be blind to any namespace not in this list. 
| `(nil) meaning watch all` | +| `intentsOperator.enforcedNamespaces` | When using "shadow enforcement" mode, namespaces in this list will be treated as if the enforcement were active. | `(nil) means no namespace will be active on shadow mode` | ## Telemetry
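Review bot: In the `operator.allowExternalTraffic` row of intents-operator/README.md, removing "(this option is **experimental**)" leaves `always` described only as "automatically creates policies for all such resource that are visible to the operator", which does not make clear how its scope differs from `ifBlockedByOtterize` (limited to services "that would be blocked by Otterize network policies"). Now that the option is presented as stable, the description should state that `always` creates external-traffic network policies for every Ingress/Service the operator can see, and point to `operator.ingressControllerConfigs` and `watchedNamespaces` in the same table as the settings that narrow that scope. While the row is being edited, "automatically create" should read "automatically creates" and "all such resource" should read "all such resources". The hunk also re-pads every row of the table to change one cell, which makes the actual change hard to spot in review; consider leaving the column widths alone.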
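Review bot: In the otterize-kubernetes/README.md table, the `operator.mode` row is re-emitted without the `intentsOperator.` prefix, although the context line above the table says these parameters "can be configured under the alias `intentsOperator`" and every other key in the table carries that prefix. Since the row is already rewritten by this hunk, change the key to `intentsOperator.operator.mode`. The `intentsOperator.operator.allowExternalTraffic` description is a verbatim copy of the one in intents-operator/README.md, so any wording change made there ("automatically create", "all such resource") needs to be applied to this row as well to keep the two copies from drifting.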