-rw-r--r--kubernetes/aai/values.yaml10
-rw-r--r--kubernetes/common/cassandra/templates/backup/configmap.yaml2
-rw-r--r--kubernetes/common/cassandra/templates/backup/cronjob.yaml3
-rw-r--r--kubernetes/common/cassandra/templates/backup/pv.yaml3
-rw-r--r--kubernetes/common/cassandra/templates/backup/pvc.yaml3
-rw-r--r--kubernetes/common/cassandra/templates/cassOp.yaml19
-rw-r--r--kubernetes/common/cassandra/templates/configmap.yaml2
-rw-r--r--kubernetes/common/cassandra/templates/ingress.yaml17
-rw-r--r--kubernetes/common/cassandra/templates/pv.yaml3
-rw-r--r--kubernetes/common/cassandra/templates/secrets.yaml21
-rw-r--r--kubernetes/common/cassandra/templates/service.yaml2
-rw-r--r--kubernetes/common/cassandra/templates/servicemonitor.yaml2
-rw-r--r--kubernetes/common/cassandra/templates/statefulset.yaml2
-rw-r--r--kubernetes/common/cassandra/values.yaml50
-rw-r--r--kubernetes/common/common/templates/_cassOp.tpl51
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml8
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml4
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-datalake-des/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml4
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-datalake-feeder/templates/authorizationpolicy.yaml136
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml9
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/authorizationpolicy.yaml136
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml7
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml6
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml5
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml4
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml5
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-pmsh/templates/authorizationpolicy.yaml136
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml7
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-prh/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-prh/values.yaml5
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml6
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml136
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml7
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml4
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-son-handler/templates/authorizationpolicy.yaml136
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml7
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml5
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml6
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml5
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml4
-rw-r--r--kubernetes/sdc/components/sdc-cs/templates/job.yaml5
-rw-r--r--kubernetes/sdc/components/sdc-cs/values.yaml14
-rw-r--r--kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml5
-rw-r--r--kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml7
-rw-r--r--kubernetes/sdc/resources/config/cqlshrc2
-rw-r--r--kubernetes/sdc/templates/configmap.yaml13
-rw-r--r--kubernetes/sdc/values.yaml36
60 files changed, 1280 insertions, 18 deletions
diff --git a/kubernetes/aai/values.yaml b/kubernetes/aai/values.yaml
index 87de5a3cba..c40dbe0d2d 100644
--- a/kubernetes/aai/values.yaml
+++ b/kubernetes/aai/values.yaml
@@ -41,6 +41,12 @@ global: # global defaults
#Service Name of the cassandra cluster to connect to.
#Override it to aai-cassandra if localCluster is enabled.
+ #in case of using k8ssandra-operator in the common cassandra installation
+ #the service name is:
+ #serviceName: cassandra-dc1-service
+ #in case of local k8ssandra-operator instance it is
+ #serviceName: aai-cassandra-dc1-service
+ #in case the older cassandra installation is used:
serviceName: cassandra
#This should be same as shared cassandra instance or if localCluster is enabled
@@ -350,6 +356,10 @@ cassandra:
persistence:
mountSubPath: aai/cassandra
enabled: true
+ k8ssandraOperator:
+ enabled: false
+ config:
+ clusterName: aai-cassandra
readiness:
initialDelaySeconds: 10
diff --git a/kubernetes/common/cassandra/templates/backup/configmap.yaml b/kubernetes/common/cassandra/templates/backup/configmap.yaml
index 9bbc69ba04..b566b6107e 100644
--- a/kubernetes/common/cassandra/templates/backup/configmap.yaml
+++ b/kubernetes/common/cassandra/templates/backup/configmap.yaml
@@ -13,6 +13,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
+{{- if not .Values.k8ssandraOperator.enabled }}
{{- if .Values.backup.enabled }}
apiVersion: v1
kind: ConfigMap
@@ -28,3 +29,4 @@ data:
{{ tpl (.Files.Glob "resources/restore.sh").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/exec.py").AsConfig . | indent 2 }}
{{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/cassandra/templates/backup/cronjob.yaml b/kubernetes/common/cassandra/templates/backup/cronjob.yaml
index 27f3cc690d..e2f675a384 100644
--- a/kubernetes/common/cassandra/templates/backup/cronjob.yaml
+++ b/kubernetes/common/cassandra/templates/backup/cronjob.yaml
@@ -14,6 +14,8 @@
# limitations under the License.
*/}}
{{- if .Values.backup.enabled }}
+{{- if .Values.k8ssandraOperator.enabled }}
+{{ else }}
apiVersion: batch/v1beta1
kind: CronJob
metadata:
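Review bot: `{{- if .Values.k8ssandraOperator.enabled }}` directly followed by `{{ else }}` leaves an empty then-branch and needs a second `{{- end -}}` at the bottom of the file. The sibling templates in this commit (configmap.yaml, pv.yaml, service.yaml, servicemonitor.yaml, statefulset.yaml) express the same guard as `{{- if not .Values.k8ssandraOperator.enabled }}`, which reads as intended and keeps one guard per file; the same empty-branch form appears in backup/pv.yaml and backup/pvc.yaml. The CronJob body continues outside the hunk.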
@@ -243,3 +245,4 @@ spec:
persistentVolumeClaim:
claimName: {{ include "common.fullname" . }}-backup-data
{{- end -}}
+{{- end -}} \ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/backup/pv.yaml b/kubernetes/common/cassandra/templates/backup/pv.yaml
index 10c310077b..23e4551c10 100644
--- a/kubernetes/common/cassandra/templates/backup/pv.yaml
+++ b/kubernetes/common/cassandra/templates/backup/pv.yaml
@@ -14,6 +14,8 @@
# limitations under the License.
*/}}
{{- if .Values.backup.enabled }}
+{{- if .Values.k8ssandraOperator.enabled }}
+{{ else }}
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
{{- if eq "True" (include "common.needPV" .) -}}
---
@@ -39,3 +41,4 @@ spec:
{{- end -}}
{{- end -}}
{{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/cassandra/templates/backup/pvc.yaml b/kubernetes/common/cassandra/templates/backup/pvc.yaml
index 6fd53618bc..e60a1db510 100644
--- a/kubernetes/common/cassandra/templates/backup/pvc.yaml
+++ b/kubernetes/common/cassandra/templates/backup/pvc.yaml
@@ -14,6 +14,8 @@
# limitations under the License.
*/}}
{{- if .Values.backup.enabled }}
+{{- if .Values.k8ssandraOperator.enabled }}
+{{ else }}
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
---
kind: PersistentVolumeClaim
@@ -39,3 +41,4 @@ spec:
storageClassName: {{ include "common.storageClass" . }}
{{- end -}}
{{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/cassandra/templates/cassOp.yaml b/kubernetes/common/cassandra/templates/cassOp.yaml
new file mode 100644
index 0000000000..cb6ce4adc5
--- /dev/null
+++ b/kubernetes/common/cassandra/templates/cassOp.yaml
@@ -0,0 +1,19 @@
+{{/*
+# Copyright © 2018 Amdocs, AT&T, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if .Values.k8ssandraOperator.enabled }}
+{{ include "common.k8ssandraCluster" . }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/configmap.yaml b/kubernetes/common/cassandra/templates/configmap.yaml
index ab08c82fef..8f2b39e1a1 100644
--- a/kubernetes/common/cassandra/templates/configmap.yaml
+++ b/kubernetes/common/cassandra/templates/configmap.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.k8ssandraOperator.enabled }}
{{- if .Values.configOverrides }}
apiVersion: v1
kind: ConfigMap
@@ -25,3 +26,4 @@ metadata:
heritage: {{ .Release.Service }}
data:
{{ tpl (.Files.Glob "resources/config/docker-entrypoint.sh").AsConfig . | indent 2 }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/ingress.yaml b/kubernetes/common/cassandra/templates/ingress.yaml
new file mode 100644
index 0000000000..97d6155a09
--- /dev/null
+++ b/kubernetes/common/cassandra/templates/ingress.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright (C) 2023 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.ingress" . }}
diff --git a/kubernetes/common/cassandra/templates/pv.yaml b/kubernetes/common/cassandra/templates/pv.yaml
index a0d998cd07..8e2ad663c3 100644
--- a/kubernetes/common/cassandra/templates/pv.yaml
+++ b/kubernetes/common/cassandra/templates/pv.yaml
@@ -13,5 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-
+{{- if not .Values.k8ssandraOperator.enabled }}
{{ include "common.replicaPV" . }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/secrets.yaml b/kubernetes/common/cassandra/templates/secrets.yaml
new file mode 100644
index 0000000000..b776caf6b6
--- /dev/null
+++ b/kubernetes/common/cassandra/templates/secrets.yaml
@@ -0,0 +1,21 @@
+{{/*
+# Copyright © 2018 Amdocs, Bell Canada
+# Copyright © 2019 Samsung Electronics
+# Copyright © 2019-2020 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if .Values.k8ssandraOperator.enabled }}
+{{ include "common.secretFast" . }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/service.yaml b/kubernetes/common/cassandra/templates/service.yaml
index 8934d41c33..092c677812 100644
--- a/kubernetes/common/cassandra/templates/service.yaml
+++ b/kubernetes/common/cassandra/templates/service.yaml
@@ -14,4 +14,6 @@
# limitations under the License.
*/}}
+{{- if not .Values.k8ssandraOperator.enabled }}
{{ include "common.headlessService" . }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/servicemonitor.yaml b/kubernetes/common/cassandra/templates/servicemonitor.yaml
index 5297e692d2..759586fcdb 100644
--- a/kubernetes/common/cassandra/templates/servicemonitor.yaml
+++ b/kubernetes/common/cassandra/templates/servicemonitor.yaml
@@ -14,6 +14,8 @@
# limitations under the License.
*/}}
+{{- if not .Values.k8ssandraOperator.enabled }}
{{- if .Values.metrics.serviceMonitor.enabled }}
{{ include "common.serviceMonitor" . }}
+{{- end }}
{{- end }} \ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/statefulset.yaml b/kubernetes/common/cassandra/templates/statefulset.yaml
index 43367ee542..2e73309bb7 100644
--- a/kubernetes/common/cassandra/templates/statefulset.yaml
+++ b/kubernetes/common/cassandra/templates/statefulset.yaml
@@ -14,6 +14,7 @@
# limitations under the License.
*/}}
+{{- if not .Values.k8ssandraOperator.enabled }}
apiVersion: apps/v1
kind: StatefulSet
metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
@@ -214,3 +215,4 @@ spec:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- end }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/common/cassandra/values.yaml b/kubernetes/common/cassandra/values.yaml
index 43ff171abb..13137a182b 100644
--- a/kubernetes/common/cassandra/values.yaml
+++ b/kubernetes/common/cassandra/values.yaml
@@ -22,6 +22,53 @@ global: # global defaults
backup:
mountPath: /dockerdata-nfs/backup
+k8ssandraOperator:
+ enabled: false
+ cassandraVersion: 4.0.1
+ persistence:
+ storageClassName: default
+ size: 10Gi
+ config:
+ clusterName: cassandra
+ secretName: &secretName cassandra-default-user
+ superuserName: &superusername cassandra
+ superuserPassword: &superuserpassword cassandra
+ casOptions:
+ authorizer: AllowAllAuthorizer
+ jvmOptions:
+ heapSize: 512M
+ hostNetwork: false
+ datacenters:
+ - name: dc1
+ size: 3
+ stargate:
+ tag: v1.0.76
+ size: 1
+ jvmOptions:
+ heapSize: 384Mi
+
+#################################################################
+# Secrets metaconfig
+# used to store the default superuser for k8ssandra-operator
+#################################################################
+secrets:
+ - uid: *secretName
+ type: genericKV
+ externalSecret: '{{ tpl (default "" .Values.k8ssandraOperator.config.userCredentialsExternalSecret) . }}'
+ envs:
+ - name: username
+ value: *superusername
+ - name: password
+ value: *superuserpassword
+
+ingress:
+ enabled: false
+ service:
+ - baseaddr: "reaper-dc1"
+ path: "/webui"
+ name: "cassandra-dc1-reaper-service"
+ port: 8080
+
# application image
image: cassandra:3.11.4
pullPolicy: Always
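Review bot: `superuserName: cassandra` / `superuserPassword: cassandra` are Cassandra's stock superuser credentials and `authorizer: AllowAllAuthorizer` is passed verbatim into cassandra.yaml by the new `common.k8ssandraCluster` template, so a deployment that does not set `userCredentialsExternalSecret` comes up with the well-known login and no role-based authorization. Consider defaulting the authorizer to `CassandraAuthorizer` and leaving the password to the common secret template's generation policy if the chart offers one; at minimum the comment block above `secrets:` should say that both values are lab defaults that must be overridden. The `&secretName`/`&superusername`/`&superuserpassword` anchors are resolved by the YAML parser before Helm sees the file, so a `--set` override of `superuserPassword` does not propagate to the `secrets:` envs below — an override has to go through `userCredentialsExternalSecret` instead, which is worth stating in the same comment.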
@@ -108,9 +155,6 @@ podManagementPolicy: OrderedReady
updateStrategy:
type: RollingUpdate
-ingress:
- enabled: false
-
persistence:
enabled: true
diff --git a/kubernetes/common/common/templates/_cassOp.tpl b/kubernetes/common/common/templates/_cassOp.tpl
new file mode 100644
index 0000000000..f1fc75c5e5
--- /dev/null
+++ b/kubernetes/common/common/templates/_cassOp.tpl
@@ -0,0 +1,51 @@
+{{/* Cassandra Data Center. */}}
+{{- define "common.k8ssandraCluster" -}}
+{{- $global := .Values.global }}
+---
+apiVersion: k8ssandra.io/v1alpha1
+kind: K8ssandraCluster
+metadata:
+ name: {{ .Values.k8ssandraOperator.config.clusterName }}
+spec:
+ reaper:
+ containerImage:
+ registry: {{ include "repositoryGenerator.dockerHubRepository" . }}
+ heapSize: 512Mi
+ autoScheduling:
+ enabled: true
+ stargate:
+ containerImage:
+ registry: {{ include "repositoryGenerator.dockerHubRepository" . }}
+ tag: {{ .Values.k8ssandraOperator.stargate.tag }}
+ size: {{ .Values.k8ssandraOperator.stargate.size }}
+ heapSize: {{ .Values.k8ssandraOperator.stargate.jvmOptions.heapSize }}
+ cassandra:
+ serverVersion: {{ .Values.k8ssandraOperator.cassandraVersion }}
+ storageConfig:
+ cassandraDataVolumeClaimSpec:
+ storageClassName: {{ .Values.k8ssandraOperator.persistence.storageClassName }}
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.k8ssandraOperator.persistence.size }}
+ superuserSecretRef:
+ name: {{ include "common.fullname" . }}-{{ .Values.k8ssandraOperator.config.secretName }}
+ config:
+ {{ if .Values.k8ssandraOperator.config.casOptions -}}
+ cassandraYaml:
+ {{ toYaml .Values.k8ssandraOperator.config.casOptions | nindent 8 }}
+ {{- end }}
+ {{ if .Values.k8ssandraOperator.config.jvmOptions -}}
+ jvmOptions:
+ {{ toYaml .Values.k8ssandraOperator.config.jvmOptions | nindent 8 }}
+ {{- end }}
+ networking:
+ hostNetwork: {{ .Values.k8ssandraOperator.config.hostNetwork }}
+ datacenters:
+ {{- range $datacenter := .Values.k8ssandraOperator.datacenters }}
+ - metadata:
+ name: {{ $datacenter.name }}
+ size: {{ $datacenter.size }}
+ {{- end }}
+{{ end }}
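Review bot: `serverVersion: {{ .Values.k8ssandraOperator.cassandraVersion }}` is emitted unquoted; the default `4.0.1` survives as a string, but a two-component override such as `4.1` is parsed as a float and will fail CRD validation — render it as `serverVersion: {{ .Values.k8ssandraOperator.cassandraVersion | quote }}`, and treat the stargate `tag:` the same way. `$global := .Values.global` on the third line is never used. The reaper `heapSize: 512Mi` is hard-coded while the stargate heap comes from values; sourcing it from a `reaper` entry under `k8ssandraOperator` would keep the two symmetric and let the values file document both.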
diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..7158c0263f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }} \ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml
index 7c6b3e9649..ee21e10109 100644
--- a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml
@@ -125,6 +125,14 @@ ingress:
config:
ssl: "redirect"
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: dcae-pm-mapper-read
+ - serviceAccount: message-router-read
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
# Data Router Publisher Credentials
drPubscriberCreds:
username: username
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..7158c0263f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }} \ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml
index 06ff279207..31a24e82b9 100644
--- a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml
@@ -67,6 +67,10 @@ service:
port: 8088
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals: []
+
# Initial Application Configuration
applicationConfig:
FEEDER_ADDR: dl-feeder
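Review bot: `authorizedPrincipals: []` yields an AuthorizationPolicy with no `from` rules unless `common.authorizationPolicy` skips rendering for an empty list, and Istio evaluates an ALLOW policy without rules as matching nothing, so every request to dcae-datalake-admin-ui — including from the ingress gateway — would be denied once policies are enabled. The same empty list is set for dcae-datalake-des. If deny-by-default is the intent, a comment such as `# empty list: no inbound traffic is allowed once authorization policies are enabled` makes that explicit; otherwise the ingress principal should be listed as dcae-hv-ves-collector's values do. Whether the common template guards on an empty list is not visible in this commit.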
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-des/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-des/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..7158c0263f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-datalake-des/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }} \ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml
index 9049e0a03c..12617e1405 100644
--- a/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml
@@ -78,6 +78,10 @@ service:
port: 1681
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals: []
+
#postgres configuration
postgres:
config:
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..30d173c2d8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/templates/authorizationpolicy.yaml
@@ -0,0 +1,136 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "primary" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "replica" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }} \ No newline at end of file
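Review bot: The three inline documents after the `common.authorizationPolicy` include differ only in `$pgHost`, and the whole file is duplicated byte-for-byte into dcae-heartbeat (and, by the diffstat, pmsh, slice-analysis-ms and son-handler); a named template in the common chart taking the host suffix, as this commit already does with `common.k8ssandraCluster`, would keep the postgres port and the principal format in one place. `{{- if $authorizedPrincipalsPostgres }}` guards only the rules, so with an empty `authorizedPrincipalsPostgres` each policy still renders with no rules, which Istio evaluates as deny-all on the postgres workloads — either move that guard above `apiVersion:` or document the default-deny intent in a comment. `$dot := default . .dot` is the named-template idiom; at file top level `.dot` is never set, so `$dot` is always `.`.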
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml
index 552e00cfbd..8c3fb48264 100644
--- a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml
@@ -80,6 +80,15 @@ service:
port: 1680
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: dcae-datalake-admin-ui-read
+ - serviceAccount: dcae-datalake-des-read
+ authorizedPrincipalsPostgres:
+ - serviceAccount: dcae-datalake-des-read
+ - serviceAccount: dcae-datalake-feeder-read
+
credentials:
- name: PG_USER
uid: *pgUserCredsSecretUid
diff --git a/kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..30d173c2d8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/authorizationpolicy.yaml
@@ -0,0 +1,136 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "primary" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "replica" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml b/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml
index cc33dd144b..b7b6fe0562 100644
--- a/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml
@@ -81,6 +81,13 @@ service:
port: 10002
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+ authorizedPrincipalsPostgres:
+ - serviceAccount: dcae-heartbeat-read
+
credentials:
- name: HEARTBEAT_PG_USERNAME
uid: *pgUserCredsSecretUid
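Review bot: The entries under `serviceMesh.authorizationPolicy` (lines 851–854) are bare service-account names that the templates expand into mesh principals — prefixed with the release name and placed in namespace `onap` unless a `namespace:` key is given (see the postgres policy template added in this commit) — but nothing in the values file says so, and a reader cannot tell from `dcae-heartbeat-read` alone that it is release-prefixed. Suggest a comment above the block: `# Mesh principals allowed to call this service and its postgres. Entries are service-account names, release-prefixed in namespace onap unless namespace: is set.` The `authorizedPrincipals` list is consumed by `common.authorizationPolicy`, whose definition is outside this chunk, so its expansion is inferred from the sibling postgres template. The same comment is missing from the other values.yaml hunks in this commit (hv-ves-collector, kpi-ms, pm-mapper, pmsh, prh, restconf-collector, slice-analysis-ms, son-handler, tcagen2, ves-collector, ves-mapper).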
diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml
index ab6d3f247c..9e123e1298 100644
--- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml
@@ -115,6 +115,12 @@ ingress:
config:
ssl: "redirect"
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
# initial application configuration
applicationConfig:
logLevel: INFO
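Review bot: Listing `istio-ingress` from namespace `istio-ingress` (lines 892–893) as the only authorized principal means every request the ingress gateway forwards is accepted by this workload; the policy authenticates the gateway, not the external caller, so any client authentication for the collector has to be enforced at the gateway or by the application itself. A comment above the entry would make that explicit, e.g. `# Only the ingress gateway may call this service; external clients are authenticated at the gateway, not by this policy.` The same applies to the restconf-collector and ves-collector values hunks in this commit.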
diff --git a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml
index ec05caaab3..a0a6fb9611 100644
--- a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml
@@ -76,6 +76,11 @@ service:
port: 8080
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
# Initial Application Configuration
applicationConfig:
trust_store_path: '/opt/app/kpims/etc/cert/trust.jks'
diff --git a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml
index 3b47e7f70e..71a2d95eb0 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml
@@ -31,6 +31,10 @@ service:
- port: 8080
name: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals: []
+
# Label on DCAE microservice deployments
# (Used by healthcheck code to find deployments
# created after initial DCAE installation)
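Review bot: `authorizedPrincipals: []` (line 968) gives no indication of what the empty list is meant to produce: depending on how `common.authorizationPolicy` (not in this chunk) handles it, the result is either no policy at all or an ALLOW policy with no rules, which Istio evaluates as deny-all for the workload, and the two outcomes differ for whoever calls the healthcheck. Add a comment recording the intent, e.g. `# No mesh principal is expected to call this service directly — TODO confirm this renders deny-all rather than no policy`. The same applies to the dcae-snmptrap-collector values hunk in this commit.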
diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml
index 0c90e3ae87..6081d354db 100644
--- a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml
@@ -86,6 +86,11 @@ service:
plain_port: 8081
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
# Data Router Subscriber Credentials
drSubscriberCreds:
username: username
diff --git a/kubernetes/dcaegen2-services/components/dcae-pmsh/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-pmsh/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..30d173c2d8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-pmsh/templates/authorizationpolicy.yaml
@@ -0,0 +1,136 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "primary" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "replica" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }} \ No newline at end of file
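Review bot: The `if $authorizedPrincipalsPostgres` guard (line 1053, and again at 1093 and 1133) wraps only the rule entries, so with an empty or unset list each of the three postgres documents still renders as an ALLOW AuthorizationPolicy with an empty `rules:`, which Istio evaluates as deny-all for the selected postgres pods. If deny-by-default is the intent, a comment above the `rules:` key should say so; otherwise fold the list into the outer condition, `{{- if and (include "common.useAuthorizationPolicies" .) $authorizedPrincipalsPostgres }}`, so that no policy is emitted when nothing is authorized. These three documents appear verbatim in dcae-slice-analysis-ms and dcae-son-handler (identical blob 30d173c2d8), differing only in the `$pgHost` literal; a single named template in common taking the host suffix as a parameter would keep the charts in sync. Also note that `include` returns a string, so the outer `if` is true for any non-empty output of `common.useAuthorizationPolicies`; that helper's definition is outside this chunk, so confirm it renders nothing (not `false`) in the disabled case.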
diff --git a/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml
index f6782db6c6..90d7e16485 100644
--- a/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml
@@ -82,6 +82,13 @@ service:
plain_port: 8080
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+ authorizedPrincipalsPostgres:
+ - serviceAccount: dcae-pmsh-read
+
# Initial Application Configuration
applicationConfig:
enable_tls: false
diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-prh/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml
index 9a274153f2..a2cce37529 100644
--- a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml
@@ -73,6 +73,11 @@ service:
- port: 8100
name: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
aaiCreds:
user: AAI
password: AAI
diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml
index bed8f9cb3d..0a9203b908 100644
--- a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml
@@ -93,6 +93,12 @@ ingress:
config:
ssl: "redirect"
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
# AAF Credentials
controllerCreds:
username: access
diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..30d173c2d8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml
@@ -0,0 +1,136 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "primary" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "replica" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml
index 065c19b222..6eda4836e6 100644
--- a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml
@@ -100,6 +100,13 @@ service:
port: 8080
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+ authorizedPrincipalsPostgres:
+ - serviceAccount: dcae-slice-analysis-ms-read
+
credentials:
- name: PG_USERNAME
uid: *pgUserCredsSecretUid
diff --git a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml
index 5c888db790..01d4316d46 100644
--- a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml
@@ -69,6 +69,10 @@ service:
nodePort: 70
useNodePortExt: true
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals: []
+
# Initial Application Configuration
applicationConfig:
StormWatchPolicy: ''
diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-son-handler/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..30d173c2d8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-son-handler/templates/authorizationpolicy.yaml
@@ -0,0 +1,136 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "primary" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "replica" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml b/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml
index 037c5866e2..8eb55b4ed1 100644
--- a/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml
@@ -94,6 +94,13 @@ service:
port: 8080
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+ authorizedPrincipalsPostgres:
+ - serviceAccount: dcae-son-handler-read
+
# Credentials
cpsCreds:
identity: cps
diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml
index fcdcb525c5..191a5b1a7d 100644
--- a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml
@@ -74,6 +74,11 @@ service:
- port: 9091
name: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
# mongoDB overrides
mongo:
nameOverride: dcae-mongo
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
index 526d75077c..06eaba67fa 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
@@ -111,6 +111,12 @@ ingress:
config:
ssl: "redirect"
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
# application environments
applicationEnv:
CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml'
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml
index ff1f7481e0..79581ad3fb 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml
@@ -60,6 +60,11 @@ service:
port: 80
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
# application environments
applicationEnv:
LOG4J_FORMAT_MSG_NO_LOOKUPS: 'true'
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml
index 2327ac310b..7a80433a70 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml
@@ -27,6 +27,10 @@ service:
- name: &port http
port: *svc_port
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals: []
+
schemaMap:
filename: "schema-map.json"
directory: "/app/mappings"
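Review bot: `authorizedPrincipals: []` for dcae-ves-openapi-manager carries no comment saying what an empty list is meant to produce. Depending on how `common.authorizationPolicy` treats it, this renders either a policy with no allowed source (nothing in the mesh may call the workload) or no policy at all, and those are opposite security outcomes. I would pin the intent in the values file, e.g. `# no in-mesh callers expected: an empty list must render a policy that allows nothing, not skip the policy`, and check the rendered output for this component.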
diff --git a/kubernetes/sdc/components/sdc-cs/templates/job.yaml b/kubernetes/sdc/components/sdc-cs/templates/job.yaml
index 31ab047c7a..e8f8700616 100644
--- a/kubernetes/sdc/components/sdc-cs/templates/job.yaml
+++ b/kubernetes/sdc/components/sdc-cs/templates/job.yaml
@@ -64,6 +64,8 @@ spec:
mountPath: /home/sdc/chef-solo/environments/
- name: {{ include "common.fullname" . }}-chef-cache
mountPath: /home/sdc/chef-solo/cache
+ - name: {{ include "common.fullname" . }}-cqlshrc
+ mountPath: /home/sdc/.cassandra
env:
- name: ENVNAME
value: {{ .Values.env.name }}
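Review bot: The new volume mount at `mountPath: /home/sdc/.cassandra` replaces the whole directory with a read-only configMap volume rather than adding just the `cqlshrc` file. cqlsh also keeps its command history in that directory and will not be able to write it; that is normally tolerated, but I'd confirm the job's cqlsh invocations do not fail on it, or mount only the file with `subPath: cqlshrc`. The same mount appears in the sdc-onboarding-be and sdc-wfd-be job hunks further down. The Job's spec starts outside the hunk.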
@@ -98,6 +100,9 @@ spec:
defaultMode: 0755
- name: {{ include "common.fullname" . }}-chef-cache
emptyDir: {}
+ - name: {{ include "common.fullname" . }}-cqlshrc
+ configMap:
+ name: {{ include "common.release" . }}-sdc-cqlshrc
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
restartPolicy: Never
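Review bot: The `configMap` volume named `{{ include "common.release" . }}-sdc-cqlshrc` is created by the parent chart's templates/configmap.yaml (later in this diff), so the sdc-cs, sdc-onboarding-be and sdc-wfd-be job pods now depend on a resource outside their own sub-chart. Nothing expresses that dependency; if a sub-chart is rendered or installed on its own, the pod presumably stays in ContainerCreating waiting for the missing ConfigMap. A comment on the volume, `# provided by kubernetes/sdc/templates/configmap.yaml`, would make the coupling visible.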
diff --git a/kubernetes/sdc/components/sdc-cs/values.yaml b/kubernetes/sdc/components/sdc-cs/values.yaml
index f58fca7a07..2f943d7c52 100644
--- a/kubernetes/sdc/components/sdc-cs/values.yaml
+++ b/kubernetes/sdc/components/sdc-cs/values.yaml
@@ -26,12 +26,22 @@ global:
#should be sdc-cs if this flag is enabled
localCluster: false
#The cassandra service name to connect to (default: shared cassandra service)
+ #in case of using k8ssandra-operator in the common cassandra installation
+ #the service name is:
+ #serviceName: cassandra-dc1-service
+ #in case of local k8ssandra-operator instance it is
+ #serviceName: sdc-cs-dc1-service
+ #in case the older cassandra installation is used:
serviceName: cassandra
+
#Shared cassandra cluster replicaCount, should be changed if localCluster is enabled
#to match with its own cluster replica
replicaCount: 3
clusterName: cassandra
+ #datacenter name (use "dc1" in case of k8ssandra-operator, otherwise "Pod")
dataCenter: Pod
+ #cqlVersion for cassandra 3.11.* must be "3.4.4" and cassandra 4.* must be "3.4.5"
+ cqlVersion: "3.4.4"
#################################################################
# Application configuration defaults.
@@ -48,6 +58,10 @@ cassandra:
persistence:
mountSubPath: sdc/sdc-cs/CS
enabled: true
+ k8ssandraOperator:
+ enabled: false
+ config:
+ clusterName: sdc-cs
# application image
repository: nexus3.onap.org:10001
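Review bot: The new `k8ssandraOperator.enabled` switch is introduced without a comment, although the comments added in the hunk above make clear that flipping it also requires changing `serviceName`, `dataCenter` and possibly `cqlVersion` by hand. Nothing ties the four together, so an operator who enables it and leaves `dataCenter: Pod` gets a configuration whose failure only surfaces when the job runs. I would add above `k8ssandraOperator:` something like `# when enabled, also set serviceName to sdc-cs-dc1-service, dataCenter to dc1 and cqlVersion to match the Cassandra version`, or better, derive those values in the templates from this flag.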
diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml
index 41996ff4cd..43a4902996 100644
--- a/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml
+++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml
@@ -65,6 +65,8 @@ spec:
volumeMounts:
- name: {{ include "common.fullname" . }}-environments
mountPath: /home/sdc/chef-solo/environments/
+ - name: {{ include "common.fullname" . }}-cqlshrc
+ mountPath: /home/sdc/.cassandra
env:
- name: ENVNAME
value: {{ .Values.env.name }}
@@ -96,6 +98,9 @@ spec:
configMap:
name: {{ include "common.release" . }}-sdc-environments-configmap
defaultMode: 0755
+ - name: {{ include "common.fullname" . }}-cqlshrc
+ configMap:
+ name: {{ include "common.release" . }}-sdc-cqlshrc
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
restartPolicy: Never
diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml
index 9ba05b8631..b9abef8462 100644
--- a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml
+++ b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml
@@ -65,6 +65,9 @@ spec:
- /bin/sh
- -c
{{- end }}
+ volumeMounts:
+ - name: {{ include "common.fullname" . }}-cqlshrc
+ mountPath: /home/sdc/.cassandra
env:
- name: CS_HOST
value: "{{ .Values.global.sdc_cassandra.serviceName }}"
@@ -78,6 +81,10 @@ spec:
valueFrom: {secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_password}}
resources: {{ include "common.resources" . | nindent 10 }}
{{ include "common.waitForJobContainer" . | indent 6 | trim }}
+ volumes:
+ - name: {{ include "common.fullname" . }}-cqlshrc
+ configMap:
+ name: {{ include "common.release" . }}-sdc-cqlshrc
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
{{ end }}
diff --git a/kubernetes/sdc/resources/config/cqlshrc b/kubernetes/sdc/resources/config/cqlshrc
new file mode 100644
index 0000000000..cb6df94880
--- /dev/null
+++ b/kubernetes/sdc/resources/config/cqlshrc
@@ -0,0 +1,2 @@
+[cql]
+version={{.Values.global.sdc_cassandra.cqlVersion}} \ No newline at end of file
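Review bot: `version={{.Values.global.sdc_cassandra.cqlVersion}}` renders an empty `version=` when the value is unset or overridden to nothing, so a misconfiguration presumably surfaces only when cqlsh runs in the job rather than at install time. Wrapping the lookup as `version={{ required "global.sdc_cassandra.cqlVersion must be set" .Values.global.sdc_cassandra.cqlVersion }}` makes it fail at render. The missing trailing newline is harmless for the INI reader but worth adding so tooling that diffs the rendered ConfigMap does not flag it.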
diff --git a/kubernetes/sdc/templates/configmap.yaml b/kubernetes/sdc/templates/configmap.yaml
index 712f2ecc61..dee73ba711 100644
--- a/kubernetes/sdc/templates/configmap.yaml
+++ b/kubernetes/sdc/templates/configmap.yaml
@@ -28,4 +28,17 @@ metadata:
data:
{{ tpl (.Files.Glob "resources/config/environments/*").AsConfig . | indent 2 }}
---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.release" . }}-sdc-cqlshrc
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/config/cqlshrc").AsConfig . | indent 2 }}
+---
{{ include "common.log.configMap" . }}
diff --git a/kubernetes/sdc/values.yaml b/kubernetes/sdc/values.yaml
index cba33628c3..955ac4b46e 100644
--- a/kubernetes/sdc/values.yaml
+++ b/kubernetes/sdc/values.yaml
@@ -26,20 +26,28 @@ global:
keystore_password: PyhrUCFZdXIhWyohWTUhRV5mKFpLYzMx
wf_external_user_password: S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ==
sdc_cassandra:
- #This flag allows SDC to instantiate its own cluster, serviceName
- #should be "sdc-cs" if this flag is enabled
- localCluster: false
- #The cassandra service name to connect to (default: shared cassandra service)
- serviceName: cassandra
- #Shared cassandra cluster replicaCount, should be changed if localCluster is enabled
- #to match with its own cluster replica
- #see "cassandra: replicaCount" in file sdc-cs/values.yaml)
- replicaCount: 3
- dbCache: true
- readConsistencyLevel: ONE
- writeConsistencyLevel: ALL
- clusterName: cassandra
- dataCenter: Pod
+ #This flag allows SDC to instantiate its own cluster, serviceName
+ #should be "sdc-cs" if this flag is enabled
+ localCluster: false
+ #The cassandra service name to connect to (default: shared cassandra service)
+ #in case of using k8ssandra-operator in the common cassandra installation
+ #the service name is:
+ #serviceName: cassandra-dc1-service
+ #in case the older cassandra installation is used:
+ serviceName: cassandra
+ #Shared cassandra cluster replicaCount, should be changed if localCluster is enabled
+ #to match with its own cluster replica
+ #see "cassandra: replicaCount" in file sdc-cs/values.yaml)
+ replicaCount: 3
+ dbCache: true
+ readConsistencyLevel: ONE
+ writeConsistencyLevel: ALL
+ clusterName: cassandra
+ #datacenter name (use "dc1" in case of k8ssandra-operator, otherwise "Pod")
+ dataCenter: Pod
+ #cqlVersion for cassandra 3.11.* must be "3.4.4" and cassandra 4.* must be "3.4.5"
+ cqlVersion: "3.4.4"
+
centralizedLoggingEnabled: true
# global Kafka config passed to sdc-be chart
kafka:
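Review bot: The rewritten comment block for `serviceName` in kubernetes/sdc/values.yaml omits the local-instance hint (`#serviceName: sdc-cs-dc1-service`) that the same block receives in sdc-cs/values.yaml earlier in this diff, so the two copies of `global.sdc_cassandra` already disagree. Since the parent values are the ones most users edit, I'd add the missing lines here as well, or point readers at the sub-chart copy with `# keep in sync with components/sdc-cs/values.yaml`. Apart from the added comments and `cqlVersion`, this hunk appears to be a whitespace re-indentation of the existing keys.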