elastisys
diff --git a/‎changelog/0.49.md‎
Lines changed: 103 additions & 0 deletions b/‎changelog/0.49.md‎
Lines changed: 103 additions & 0 deletions
diff --git a/‎helmfile.d/charts/cilium-default-deny/templates/clusterwidenetworkpolicy.yaml‎
Lines changed: 0 additions & 1 deletion b/‎helmfile.d/charts/cilium-default-deny/templates/clusterwidenetworkpolicy.yaml‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎helmfile.d/charts/grafana-dashboards/dashboards/cilium-networkpolicy-dashboard.json‎
Lines changed: 36 additions & 4 deletions b/‎helmfile.d/charts/grafana-dashboards/dashboards/cilium-networkpolicy-dashboard.json‎
Lines changed: 36 additions & 4 deletions
@@ -0,0 +1,103 @@
+# v0.49.0
+
+Released 2025-09-18
+<!-- -->
+> [!IMPORTANT]
+> **Platform Administrator Notice(s)**
+> - New alerts must now include a group label.
+> - Prometheus by default overwrites the namespace label for metrics that already has a namespace label, to the namespace of the pod that was scraped for metrics. This is now changed for the instances that were currently affected. The namespace label will now keep the original information, usually the namespace of the object it is referring to, e.g. for cert-manager this is usually the namespace where a certificate exists instead of the cert-manager namespace.<br>Prometheus added a exported_namespace label when it was overwriting the namespace label, with the original value of the namespace label. This is kept for now, but it is deprecated and will be removed in a later version, likely v0.52.
+> - Node local DNS will now log non successful DNS requests
+> - An initContainer running for OpenSearch which used to set the vm.max_map_count has been removed as new versions of Ubuntu sets it to a sufficiently high value by default. Environments running versions of Ubuntu older than 24 has to set this variable manually in some way.
+<!-- -->
+> [!NOTE]
+> **Application Developer Notice(s)**
+> - Prometheus by default overwrites the namespace label for metrics that already has a namespace label, to the namespace of the pod that was scraped for metrics. This is now changed for the instances that were currently affected. The namespace label will now keep the original information, usually the namespace of the object it is referring to, e.g. for cert-manager this is usually the namespace where a certificate exists instead of the cert-manager namespace.<br>Prometheus added a exported_namespace label when it was overwriting the namespace label, with the original value of the namespace label. This is kept for now, but it is deprecated and will be removed in a later version, likely v0.52.
+> - Fixed a bug where the fields were not properly parsed from the authlog causing some fields to get lost
+
+## Changes by kind
+
+### Feature(s)
+
+- [#2584](https://github.com/elastisys/compliantkubernetes-apps/pull/2584) - add command to set resource group/storage account on azure [@Ajarmar](https://github.com/Ajarmar)
+- [#2621](https://github.com/elastisys/compliantkubernetes-apps/pull/2621) - Typecheck cypress [@rarescosma](https://github.com/rarescosma) [@simonklb](https://github.com/simonklb)
+- [#2624](https://github.com/elastisys/compliantkubernetes-apps/pull/2624) - Add E2E tests for expected alertmanager alerts [@rarescosma](https://github.com/rarescosma)
+- [#2627](https://github.com/elastisys/compliantkubernetes-apps/pull/2627) - Add E2E tests for packets handled by network policies [@rarescosma](https://github.com/rarescosma)
+- [#2639](https://github.com/elastisys/compliantkubernetes-apps/pull/2639) - Add support for accessing Service Cluster components through kube proxy in Cypress tests [@rarescosma](https://github.com/rarescosma)
+- [#2641](https://github.com/elastisys/compliantkubernetes-apps/pull/2641) - qa: Add falco end-to-end tests [@HaoruiPeng](https://github.com/HaoruiPeng)
+- [#2656](https://github.com/elastisys/compliantkubernetes-apps/pull/2656) - Adding files for new multipartUpload cleaner job [@elastisys-staffan](https://github.com/elastisys-staffan)
+- [#2659](https://github.com/elastisys/compliantkubernetes-apps/pull/2659) - Add fluentd and log-manager e2e tests [@simonklb](https://github.com/simonklb)
+- [#2677](https://github.com/elastisys/compliantkubernetes-apps/pull/2677) - apps: Add alert to notice failed volume mount [@shafi-elastisys](https://github.com/shafi-elastisys)
+- [#2678](https://github.com/elastisys/compliantkubernetes-apps/pull/2678) - Add fluentd client error metric and alert [@lunkan93](https://github.com/lunkan93)
+- [#2686](https://github.com/elastisys/compliantkubernetes-apps/pull/2686) - apps: adjust velero restore order [@Mlundm](https://github.com/Mlundm)
+- [#2704](https://github.com/elastisys/compliantkubernetes-apps/pull/2704) - Adding OpenSearch alert for total shards limit [@elastisys-staffan](https://github.com/elastisys-staffan)
+
+### Improvement(s)
+
+- [#2602](https://github.com/elastisys/compliantkubernetes-apps/pull/2602) - apps: added component specific objectstorage configuration and rclone changes [@shafi-elastisys](https://github.com/shafi-elastisys)
+- [#2622](https://github.com/elastisys/compliantkubernetes-apps/pull/2622) - Enable adding extra envs to Harbors' trivy [@vomba](https://github.com/vomba)
+- [#2646](https://github.com/elastisys/compliantkubernetes-apps/pull/2646) - Stop ignoring results of apps status tests [@rarescosma](https://github.com/rarescosma)
+- [#2647](https://github.com/elastisys/compliantkubernetes-apps/pull/2647) - Reliable socat popups for localhost:8000 during end-to-end-test runs [@rarescosma](https://github.com/rarescosma)
+- [#2648](https://github.com/elastisys/compliantkubernetes-apps/pull/2648) - qa: Add OpenSearch end-to-end tests [@Pavan-Gunda](https://github.com/Pavan-Gunda)
+- [#2649](https://github.com/elastisys/compliantkubernetes-apps/pull/2649) - apps sc: added networkpolicy dashboard for cilium [@davidumea](https://github.com/davidumea)
+- [#2654](https://github.com/elastisys/compliantkubernetes-apps/pull/2654) - apps: upgrade velero to 1.16.1, chart to 10.0.11 [@Eliastisys](https://github.com/Eliastisys)
+- [#2657](https://github.com/elastisys/compliantkubernetes-apps/pull/2657) - Add eslint for JS tests [@rarescosma](https://github.com/rarescosma)
+- [#2660](https://github.com/elastisys/compliantkubernetes-apps/pull/2660) - Enable audit logging in local clusters [@simonklb](https://github.com/simonklb)
+- [#2661](https://github.com/elastisys/compliantkubernetes-apps/pull/2661) - Add support for generating s3cfg for proxied minio [@simonklb](https://github.com/simonklb)
+- [#2665](https://github.com/elastisys/compliantkubernetes-apps/pull/2665) - netpol: allow CoreDNS egress to other CoreDNS pods [@rarescosma](https://github.com/rarescosma)
+- [#2666](https://github.com/elastisys/compliantkubernetes-apps/pull/2666) - apps: added group labels to alerts [@davidumea](https://github.com/davidumea)
+- [#2669](https://github.com/elastisys/compliantkubernetes-apps/pull/2669) - apps: make namespace label in metric refer to resource, not exporter [@viktor-f](https://github.com/viktor-f)
+- [#2670](https://github.com/elastisys/compliantkubernetes-apps/pull/2670) - bin: Do not block apply when version set to 'any' or git commit [@Zash](https://github.com/Zash)
+- [#2673](https://github.com/elastisys/compliantkubernetes-apps/pull/2673) - Test suite love (pt. 1) [@rarescosma](https://github.com/rarescosma)
+- [#2675](https://github.com/elastisys/compliantkubernetes-apps/pull/2675) - API-based opensearch snapshot check [@rarescosma](https://github.com/rarescosma)
+- [#2676](https://github.com/elastisys/compliantkubernetes-apps/pull/2676) - Velero: set assertions for excluded namespaces [@rarescosma](https://github.com/rarescosma)
+- [#2687](https://github.com/elastisys/compliantkubernetes-apps/pull/2687) - Fix install-requirements command to use repo root path [@anders-elastisys](https://github.com/anders-elastisys)
+- [#2691](https://github.com/elastisys/compliantkubernetes-apps/pull/2691) - Improve Grafana E2E test suite [@rarescosma](https://github.com/rarescosma)
+- [#2692](https://github.com/elastisys/compliantkubernetes-apps/pull/2692) - Improve Log Manager E2E suite [@rarescosma](https://github.com/rarescosma)
+- [#2694](https://github.com/elastisys/compliantkubernetes-apps/pull/2694) - Improve Network Policies E2E suite [@rarescosma](https://github.com/rarescosma)
+- [#2695](https://github.com/elastisys/compliantkubernetes-apps/pull/2695) - Improve Alertmanager E2E suite [@rarescosma](https://github.com/rarescosma)
+- [#2697](https://github.com/elastisys/compliantkubernetes-apps/pull/2697) - Mirror kubectl bitnami image [@Elias-elastisys](https://github.com/Elias-elastisys)
+- [#2700](https://github.com/elastisys/compliantkubernetes-apps/pull/2700) - Auto-approve tool checks [@rarescosma](https://github.com/rarescosma)
+- [#2703](https://github.com/elastisys/compliantkubernetes-apps/pull/2703) - upgrade opensearch to v2.19.3 [@vomba](https://github.com/vomba)
+- [#2705](https://github.com/elastisys/compliantkubernetes-apps/pull/2705) - tests: changed unit test dockerfile and schema bats [@shafi-elastisys](https://github.com/shafi-elastisys)
+- [#2718](https://github.com/elastisys/compliantkubernetes-apps/pull/2718) - apps both: Added logging for failing DNS requests [@Xartos](https://github.com/Xartos)
+- [#2720](https://github.com/elastisys/compliantkubernetes-apps/pull/2720) - Upgrade rclone to v1.70.3 [@Elias-elastisys](https://github.com/Elias-elastisys)
+- [#2730](https://github.com/elastisys/compliantkubernetes-apps/pull/2730) - Bump kured helm chart to v5.10.0 [@rarescosma](https://github.com/rarescosma)
+
+### Other(s)
+
+- [#2552](https://github.com/elastisys/compliantkubernetes-apps/pull/2552) - other: Add check_node_label unit test [@simonklb](https://github.com/simonklb)
+- [#2599](https://github.com/elastisys/compliantkubernetes-apps/pull/2599) - bug: Bump Helm to 3.18.4 [@Zash](https://github.com/Zash)
+- [#2603](https://github.com/elastisys/compliantkubernetes-apps/pull/2603) - bug: Fix dev grafana backup dashboard e2e test [@rarescosma](https://github.com/rarescosma)
+- [#2623](https://github.com/elastisys/compliantkubernetes-apps/pull/2623) - clean-up: E2E proxy tests cleanup [@rarescosma](https://github.com/rarescosma)
+- [#2629](https://github.com/elastisys/compliantkubernetes-apps/pull/2629) - bug: config: increase gatekeeper default memory limits [@Eliastisys](https://github.com/Eliastisys)
+- [#2633](https://github.com/elastisys/compliantkubernetes-apps/pull/2633) - other: Port 0.47.2 [@Ajarmar](https://github.com/Ajarmar)
+- [#2637](https://github.com/elastisys/compliantkubernetes-apps/pull/2637) - bug: Fix grafana demonte/promote test sequencing [@rarescosma](https://github.com/rarescosma)
+- [#2642](https://github.com/elastisys/compliantkubernetes-apps/pull/2642) - other: Allow ingress traffic from apiserver to alertmanager/prometheus [@HaoruiPeng](https://github.com/HaoruiPeng)
+- [#2650](https://github.com/elastisys/compliantkubernetes-apps/pull/2650) - other: Port 0.48.0 [@lunkan93](https://github.com/lunkan93)
+- [#2658](https://github.com/elastisys/compliantkubernetes-apps/pull/2658) - documentation: docs: Update path [@elastisys-staffan](https://github.com/elastisys-staffan)
+- [#2662](https://github.com/elastisys/compliantkubernetes-apps/pull/2662) - bug: Fix log-manager to not fail when there are empty dirs [@simonklb](https://github.com/simonklb)
+- [#2663](https://github.com/elastisys/compliantkubernetes-apps/pull/2663) - clean-up: Update common namespace helper functions and use them in falco tests [@simonklb](https://github.com/simonklb)
+- [#2667](https://github.com/elastisys/compliantkubernetes-apps/pull/2667) - bug: docs: Fix dot in command example [@Zash](https://github.com/Zash)
+- [#2668](https://github.com/elastisys/compliantkubernetes-apps/pull/2668) - bug: fix integration test runs [@rarescosma](https://github.com/rarescosma)
+- [#2671](https://github.com/elastisys/compliantkubernetes-apps/pull/2671) - bug: fix: remove extra fragments from MPU cleaner image [@rarescosma](https://github.com/rarescosma)
+- [#2672](https://github.com/elastisys/compliantkubernetes-apps/pull/2672) - other: scripts: added backup and restore script for QA [@AlbinB97](https://github.com/AlbinB97)
+- [#2674](https://github.com/elastisys/compliantkubernetes-apps/pull/2674) - other: Security policy nits [@rarescosma](https://github.com/rarescosma)
+- [#2681](https://github.com/elastisys/compliantkubernetes-apps/pull/2681) - bug: Re-run Harbor init job after restore to ensure OIDC secrets synced [@Zash](https://github.com/Zash)
+- [#2685](https://github.com/elastisys/compliantkubernetes-apps/pull/2685) - bug: External DNS: quote the dnsName so we can use wildcards [@rarescosma](https://github.com/rarescosma)
+- [#2688](https://github.com/elastisys/compliantkubernetes-apps/pull/2688) - documentation: docs: Add note on using same config with new names [@aarnq](https://github.com/aarnq)
+- [#2689](https://github.com/elastisys/compliantkubernetes-apps/pull/2689) - bug: fix: use standard unixy dir for the socat socket [@rarescosma](https://github.com/rarescosma)
+- [#2690](https://github.com/elastisys/compliantkubernetes-apps/pull/2690) - other: other: Updated kubectl version [@Xartos](https://github.com/Xartos)
+- [#2693](https://github.com/elastisys/compliantkubernetes-apps/pull/2693) - bug: Retry on network failure during access tests [@rarescosma](https://github.com/rarescosma)
+- [#2699](https://github.com/elastisys/compliantkubernetes-apps/pull/2699) - bug: bin: Add missing help text in dashboard update script [@Zash](https://github.com/Zash)
+- [#2706](https://github.com/elastisys/compliantkubernetes-apps/pull/2706) - other: URL encode names in PURLs in REQUIREMENTS [@simonklb](https://github.com/simonklb)
+- [#2710](https://github.com/elastisys/compliantkubernetes-apps/pull/2710) - documentation: docs: add indexPerNamespace notes in config/schema [@lunkan93](https://github.com/lunkan93)
+- [#2712](https://github.com/elastisys/compliantkubernetes-apps/pull/2712) - bug: fix: prevent cronjob name from ending in '-' [@rarescosma](https://github.com/rarescosma)
+- [#2713](https://github.com/elastisys/compliantkubernetes-apps/pull/2713) - bug: fix: global network policy compatibility with kubespray [@rarescosma](https://github.com/rarescosma)
+- [#2717](https://github.com/elastisys/compliantkubernetes-apps/pull/2717) - bug: apps both: Fix bug where fluentd is picking the wrong fields for authlog [@Xartos](https://github.com/Xartos)
+- [#2722](https://github.com/elastisys/compliantkubernetes-apps/pull/2722) - other: moved a misplaced comment in common-config.yaml [@AlbinB97](https://github.com/AlbinB97)
+- [#2723](https://github.com/elastisys/compliantkubernetes-apps/pull/2723) - clean-up: apps: Removal of previous work-around to increase vm.max_map_count for OpenSearch [@kcrwi](https://github.com/kcrwi)
+- [#2732](https://github.com/elastisys/compliantkubernetes-apps/pull/2732) - bug: apps: fixing quote issue in objectstorage config [@shafi-elastisys](https://github.com/shafi-elastisys)
+- [#2736](https://github.com/elastisys/compliantkubernetes-apps/pull/2736) - fix: revert removal of OpenSearch PSP release [@lunkan93]
+- [#2746](https://github.com/elastisys/compliantkubernetes-apps/pull/2746) - fix: Split network policies tests between Calico & Cilium [@rarescosma](https://github.com/rarescosma)
+- [#2763](https://github.com/elastisys/compliantkubernetes-apps/pull/2763) - bug: apps: remove doubled "spec" field [@rarescosma](https://github.com/rarescosma)
+- [#2764](https://github.com/elastisys/compliantkubernetes-apps/pull/2764) - fix: Cilium test fixes [@rarescosma](https://github.com/rarescosma)
@@ -2,7 +2,6 @@ apiVersion: "cilium.io/v2"
 kind: CiliumClusterwideNetworkPolicy
 metadata:
   name: deny-app-policy
-spec:
 spec:
   description: "Deny all ingress and egress traffic in the cluster"
   endpointSelector: {}
 
@@ -110,7 +110,7 @@
             "uid": "${datasource}"
           },
           "editorMode": "code",
-          "expr": "rate(hubble_flows_processed_total{type=\"PolicyVerdict\",verdict=\"FORWARDED\",traffic_direction=\"egress\",source_namespace=~\"$namespace\"}[1m])",
+          "expr": "rate(hubble_flows_processed_total{cluster=~\"$cluster\",type=\"PolicyVerdict\",verdict=\"FORWARDED\",traffic_direction=\"egress\",source_namespace=~\"$namespace\"}[1m])",
           "legendFormat": "{{source_pod}} - (to {{destination_pod}})",
           "range": true,
           "refId": "A"
@@ -208,7 +208,7 @@
             "uid": "${datasource}"
           },
           "editorMode": "code",
-          "expr": "rate(hubble_flows_processed_total{type=\"PolicyVerdict\",verdict=\"FORWARDED\",traffic_direction=\"ingress\",source_namespace=~\"$namespace\"}[1m])",
+          "expr": "rate(hubble_flows_processed_total{cluster=~\"$cluster\",type=\"PolicyVerdict\",verdict=\"FORWARDED\",traffic_direction=\"ingress\",source_namespace=~\"$namespace\"}[1m])",
           "legendFormat": "{{source_pod}} - (to {{destination_pod}})",
           "range": true,
           "refId": "A"
@@ -262,6 +262,7 @@
             }
           },
           "mappings": [],
+          "noValue": "missing",
           "thresholds": {
             "mode": "absolute",
             "steps": [
@@ -306,7 +307,7 @@
             "uid": "${datasource}"
           },
           "editorMode": "code",
-          "expr": "rate(hubble_drop_total{reason=\"POLICY_DENIED\",traffic_direction=\"egress\",source_namespace=~\"$namespace\"}[1m])",
+          "expr": "rate(hubble_drop_total{cluster=~\"$cluster\",reason=\"POLICY_DENIED\",traffic_direction=\"egress\",source_namespace=~\"$namespace\"}[1m])",
           "legendFormat": "{{source_pod}} - (to {{destination_pod}})",
           "range": true,
           "refId": "A"
@@ -360,6 +361,7 @@
             }
           },
           "mappings": [],
+          "noValue": "missing",
           "thresholds": {
             "mode": "absolute",
             "steps": [
@@ -406,7 +408,7 @@
             "uid": "${datasource}"
           },
           "editorMode": "code",
-          "expr": "rate(hubble_drop_total{reason=\"POLICY_DENIED\",traffic_direction=\"ingress\",source_namespace=~\"$namespace\"}[1m])",
+          "expr": "rate(hubble_drop_total{cluster=~\"$cluster\",reason=\"POLICY_DENIED\",traffic_direction=\"ingress\",source_namespace=~\"$namespace\"}[1m])",
           "format": "time_series",
           "legendFormat": "{{source_pod}} - (from {{destination_pod}})",
           "range": true,
@@ -437,6 +439,36 @@
         "regex": "",
         "type": "datasource"
       },
+      {
+        "current": {
+          "selected": false,
+          "text": "All",
+          "value": "$__all"
+        },
+        "datasource": {
+          "type": "prometheus",
+          "uid": "$datasource"
+        },
+        "definition": "label_values(hubble_flows_processed_total,cluster)",
+        "hide": 0,
+        "includeAll": true,
+        "label": "cluster",
+        "multi": true,
+        "name": "cluster",
+        "options": [],
+        "query": {
+          "query": "label_values(hubble_flows_processed_total,cluster)",
+          "refId": "Thanos All-cluster-Variable-Query"
+        },
+        "refresh": 2,
+        "regex": "",
+        "skipUrlSync": false,
+        "sort": 0,
+        "tagValuesQuery": "",
+        "tagsQuery": "",
+        "type": "query",
+        "useTags": false
+      },
       {
         "current": {
           "text": [