aboutsummaryrefslogtreecommitdiffstats
path: root/kubernetes/common
diff options
context:
space:
mode:
authorAndrewLamb <andrew.a.lamb@est.tech>2023-03-09 11:03:31 +0000
committerAndrewLamb <andrew.a.lamb@est.tech>2023-03-21 14:57:05 +0000
commitc58d4c29d0d55e0720145b1ef59f1d9dbc0a6e46 (patch)
tree0d9488785985253cf381c5e581db95d45e1f021c /kubernetes/common
parent38e014734e8e0309de6c35d370230aca7e335a27 (diff)
[COMMON][SO] Create authorization policy template
Create template for istio authorization policies Issue-ID: OOM-3148 Change-Id: I081288e8e9b0e8347ee6fd0d656398126826c273 Signed-off-by: AndrewLamb <andrew.a.lamb@est.tech>
Diffstat (limited to 'kubernetes/common')
-rw-r--r--kubernetes/common/common/templates/_serviceMesh.tpl81
1 files changed, 81 insertions, 0 deletions
diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl
index a685a73627..fe2424cc85 100644
--- a/kubernetes/common/common/templates/_serviceMesh.tpl
+++ b/kubernetes/common/common/templates/_serviceMesh.tpl
@@ -1,5 +1,6 @@
{{/*
# Copyright © 2020 Amdocs, Bell Canada, Orange
+# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -66,3 +67,83 @@ exit "$RCODE"
fieldPath: metadata.namespace
{{- end }}
{{- end }}
+
+{{/*
+ Use Authorization Policies or not.
+*/}}
+{{- define "common.useAuthorizationPolicies" -}}
+{{- if (include "common.onServiceMesh" .) }}
+{{- if .Values.global.authorizationPolicies -}}
+{{- if (default false .Values.global.authorizationPolicies.enabled) -}}
+true
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+ Create Authorization Policy template.
+ If common.useAuthorizationPolicies returns true:
+ Will create authorization policy, provided with array of authorized principals in .Values.serviceMesh.authorizationPolicy.authorizedPrincipals
+ in the format:
+ authorizedPrincipals:
+ - serviceAccount: <serviceaccount name> (Mandatory)
+ namespace: <namespace name> (Optional, will default to onap)
+ allowedOperationMethods: <list of allowed HTTP operations (Optional, will default to ["GET", "POST", "PUT", "PATCH", "DELETE"])
+
+ If no authorizedPrincipals provided, will default to denying all requests to the app matched under the
+ spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: <app-to-match> ("app.kubernetes.io/name" corresponds to key defined in "common.labels", which is included in "common.service")
+
+ If common.useAuthorizationPolicies returns false:
+ Will create an authorization policy without rules, i.e., an allow-all policy
+*/}}
+{{- define "common.authorizationPolicy" -}}
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipals := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipals -}}
+{{- $defaultOperationMethods := list "GET" "POST" "PUT" "PATCH" "DELETE" -}}
+{{- $relName := include "common.release" . -}}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ include "common.fullname" (dict "suffix" "authz" "dot" . )}}
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "common.servicename" . }}
+ action: ALLOW
+ rules:
+{{- if (include "common.useAuthorizationPolicies" .) }}
+{{- if $authorizedPrincipals }}
+{{- range $principal := $authorizedPrincipals }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ methods:
+{{- if $principal.allowedOperationMethods }}
+{{- range $method := $principal.allowedOperationMethods }}
+ - {{ $method }}
+{{- end }}
+{{- else }}
+{{- range $method := $defaultOperationMethods }}
+ - {{ $method }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- else }}
+ - {}
+{{- end }}
+{{- end -}}