diff options
author | AndrewLamb <andrew.a.lamb@est.tech> | 2023-03-09 11:03:31 +0000 |
---|---|---|
committer | AndrewLamb <andrew.a.lamb@est.tech> | 2023-03-21 14:57:05 +0000 |
commit | c58d4c29d0d55e0720145b1ef59f1d9dbc0a6e46 (patch) | |
tree | 0d9488785985253cf381c5e581db95d45e1f021c /kubernetes/common | |
parent | 38e014734e8e0309de6c35d370230aca7e335a27 (diff) |
[COMMON][SO] Create authorization policy template
Create template for istio authorization policies
Issue-ID: OOM-3148
Change-Id: I081288e8e9b0e8347ee6fd0d656398126826c273
Signed-off-by: AndrewLamb <andrew.a.lamb@est.tech>
Diffstat (limited to 'kubernetes/common')
-rw-r--r-- | kubernetes/common/common/templates/_serviceMesh.tpl | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl index a685a73627..fe2424cc85 100644 --- a/kubernetes/common/common/templates/_serviceMesh.tpl +++ b/kubernetes/common/common/templates/_serviceMesh.tpl @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Amdocs, Bell Canada, Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -66,3 +67,83 @@ exit "$RCODE" fieldPath: metadata.namespace {{- end }} {{- end }} + +{{/* + Use Authorization Policies or not. +*/}} +{{- define "common.useAuthorizationPolicies" -}} +{{- if (include "common.onServiceMesh" .) }} +{{- if .Values.global.authorizationPolicies -}} +{{- if (default false .Values.global.authorizationPolicies.enabled) -}} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* + Create Authorization Policy template. + If common.useAuthorizationPolicies returns true: + Will create authorization policy, provided with array of authorized principals in .Values.serviceMesh.authorizationPolicy.authorizedPrincipals + in the format: + authorizedPrincipals: + - serviceAccount: <serviceaccount name> (Mandatory) + namespace: <namespace name> (Optional, will default to onap) + allowedOperationMethods: <list of allowed HTTP operations (Optional, will default to ["GET", "POST", "PUT", "PATCH", "DELETE"]) + + If no authorizedPrincipals provided, will default to denying all requests to the app matched under the + spec: + selector: + matchLabels: + app.kubernetes.io/name: <app-to-match> ("app.kubernetes.io/name" corresponds to key defined in "common.labels", which is included in "common.service") + + If common.useAuthorizationPolicies returns false: + Will create an authorization policy without rules, i.e., an allow-all policy +*/}} +{{- define "common.authorizationPolicy" -}} +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipals := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipals -}} +{{- $defaultOperationMethods := list "GET" "POST" "PUT" "PATCH" "DELETE" -}} +{{- $relName := include "common.release" . -}} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ include "common.fullname" (dict "suffix" "authz" "dot" . )}} + namespace: {{ include "common.namespace" . }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ include "common.servicename" . }} + action: ALLOW + rules: +{{- if (include "common.useAuthorizationPolicies" .) }} +{{- if $authorizedPrincipals }} +{{- range $principal := $authorizedPrincipals }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + methods: +{{- if $principal.allowedOperationMethods }} +{{- range $method := $principal.allowedOperationMethods }} + - {{ $method }} +{{- end }} +{{- else }} +{{- range $method := $defaultOperationMethods }} + - {{ $method }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- else }} + - {} +{{- end }} +{{- end -}} |