diff options
-rw-r--r-- | kubernetes/common/common/templates/_serviceMesh.tpl | 81 | ||||
-rwxr-xr-x | kubernetes/onap/values.yaml | 5 | ||||
-rw-r--r-- | kubernetes/so/templates/authorizationpolicy.yaml | 17 | ||||
-rwxr-xr-x | kubernetes/so/values.yaml | 9 |
4 files changed, 112 insertions, 0 deletions
diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl index a685a73627..fe2424cc85 100644 --- a/kubernetes/common/common/templates/_serviceMesh.tpl +++ b/kubernetes/common/common/templates/_serviceMesh.tpl @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Amdocs, Bell Canada, Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -66,3 +67,83 @@ exit "$RCODE" fieldPath: metadata.namespace {{- end }} {{- end }} + +{{/* + Use Authorization Policies or not. +*/}} +{{- define "common.useAuthorizationPolicies" -}} +{{- if (include "common.onServiceMesh" .) }} +{{- if .Values.global.authorizationPolicies -}} +{{- if (default false .Values.global.authorizationPolicies.enabled) -}} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* + Create Authorization Policy template. + If common.useAuthorizationPolicies returns true: + Will create authorization policy, provided with array of authorized principals in .Values.serviceMesh.authorizationPolicy.authorizedPrincipals + in the format: + authorizedPrincipals: + - serviceAccount: <serviceaccount name> (Mandatory) + namespace: <namespace name> (Optional, will default to onap) + allowedOperationMethods: <list of allowed HTTP operations (Optional, will default to ["GET", "POST", "PUT", "PATCH", "DELETE"]) + + If no authorizedPrincipals provided, will default to denying all requests to the app matched under the + spec: + selector: + matchLabels: + app.kubernetes.io/name: <app-to-match> ("app.kubernetes.io/name" corresponds to key defined in "common.labels", which is included in "common.service") + + If common.useAuthorizationPolicies returns false: + Will create an authorization policy without rules, i.e., an allow-all policy +*/}} +{{- define "common.authorizationPolicy" -}} +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipals := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipals -}} +{{- $defaultOperationMethods := list "GET" "POST" "PUT" "PATCH" "DELETE" -}} +{{- $relName := include "common.release" . -}} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ include "common.fullname" (dict "suffix" "authz" "dot" . )}} + namespace: {{ include "common.namespace" . }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ include "common.servicename" . }} + action: ALLOW + rules: +{{- if (include "common.useAuthorizationPolicies" .) }} +{{- if $authorizedPrincipals }} +{{- range $principal := $authorizedPrincipals }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + methods: +{{- if $principal.allowedOperationMethods }} +{{- range $method := $principal.allowedOperationMethods }} + - {{ $method }} +{{- end }} +{{- else }} +{{- range $method := $defaultOperationMethods }} + - {{ $method }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- else }} + - {} +{{- end }} +{{- end -}} diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index c7399b3f1b..40ac5edab6 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -1,6 +1,7 @@ # Copyright © 2019 Amdocs, Bell Canada # Copyright (c) 2020 Nordix Foundation, Modifications # Modifications Copyright © 2020-2021 Nokia +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -187,6 +188,10 @@ global: # be aware that linkerd is not well tested engine: "istio" # valid value: istio or linkerd + # Global Istio Authorization Policy configuration + authorizationPolicies: + enabled: false + # metrics part # If enabled, exporters (for prometheus) will be deployed # if custom resources set to yes, CRD from prometheus operartor will be diff --git a/kubernetes/so/templates/authorizationpolicy.yaml b/kubernetes/so/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }}
\ No newline at end of file diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml index 014cbadbab..a35fe3274a 100755 --- a/kubernetes/so/values.yaml +++ b/kubernetes/so/values.yaml @@ -599,6 +599,15 @@ ingress: name: 'so' port: 8080 +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: consul-read + - serviceAccount: consul-server-read + - serviceAccount: nbi-read + - serviceAccount: istio-ingress + namespace: istio-ingress + mso: adapters: requestDb: |