aboutsummaryrefslogtreecommitdiffstats
path: root/kubernetes/sdnc/templates/authorizationpolicy.yaml
diff options
context:
space:
mode:
authorAndrewLamb <andrew.a.lamb@est.tech>2023-05-12 15:37:14 +0100
committerAndreas Geissler <andreas-geissler@telekom.de>2023-06-20 06:56:22 +0000
commit7709c1769692d893f88ea61cbe4e54e377b72829 (patch)
treeaf2d13d2dfb1a83b8d612010bcc2a36b6980c329 /kubernetes/sdnc/templates/authorizationpolicy.yaml
parent351be1d7603428a807d1e78073ce679b5d713419 (diff)
[SDNC] Create Authorization Policies for SDNC
Add initial authorized serviceaccounts for each SDNC service Issue-ID: OOM-3131 Change-Id: I56db8f5d16ec15400fdd240c5a0126e2381f7237 Signed-off-by: AndrewLamb <andrew.a.lamb@est.tech>
Diffstat (limited to 'kubernetes/sdnc/templates/authorizationpolicy.yaml')
-rw-r--r--kubernetes/sdnc/templates/authorizationpolicy.yaml61
1 files changed, 61 insertions, 0 deletions
diff --git a/kubernetes/sdnc/templates/authorizationpolicy.yaml b/kubernetes/sdnc/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..672ddf0b2f
--- /dev/null
+++ b/kubernetes/sdnc/templates/authorizationpolicy.yaml
@@ -0,0 +1,61 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsSdnHosts := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsSdnHosts -}}
+{{- $defaultOperationMethods := list "GET" "POST" "PUT" "PATCH" "DELETE" -}}
+{{- $relName := include "common.release" . -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: sdnhost-{{ include "common.servicename" . }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: sdnhost-{{ include "common.name" . }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsSdnHosts }}
+{{- range $principal := $authorizedPrincipalsSdnHosts }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ methods:
+{{- if $principal.allowedOperationMethods }}
+{{- range $method := $principal.allowedOperationMethods }}
+ - {{ $method }}
+{{- end }}
+{{- else }}
+{{- range $method := $defaultOperationMethods }}
+ - {{ $method }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }} \ No newline at end of file