From d117481a5b4140dd821334326cbe2c6384ef9ac0 Mon Sep 17 00:00:00 2001 
From: savagebidoof Date: Sat, 14 Oct 2023 10:59:33 +0200 Subject: [PATCH] Documented Section Readme for: - 08-AuthorizationPolicy Also, (speed) documented its examples. --- .../01-Namespace.yaml} | 0 .../AuthorizationPolicy.yaml} | 0 .../Deployments.yaml} | 32 +++++++++----- .../Gateway.yaml} | 0 .../README.md | 11 ++--- .../Services.yaml | 30 +++++++++++++ .../01-Namespace.yaml} | 0 .../01-Service_Accounts.yaml} | 0 .../AuthorizationPolicy.yaml} | 0 .../Deployments.yaml} | 42 ++++++++++++------- .../README.md | 16 ++++--- .../Services.yaml | 30 +++++++++++++ .../gateway.yaml | 0 .../01-Namespace.yaml} | 0 .../AuthorizationPolicy.yaml} | 0 .../Deployments.yaml} | 32 +++++++++----- .../Gateway.yaml} | 0 .../README.md | 19 ++++++--- .../Services.yaml | 30 +++++++++++++ .../03-target-deployments/deployment.yaml | 40 ------------------ .../03-target-deployments/deployment_2.yaml | 42 ------------------- 08-AuthorizationPolicy/README.md | 26 ++++-------- 22 files changed, 193 insertions(+), 157 deletions(-) rename 08-AuthorizationPolicy/{01-target-namespaces/01-namespace.yaml => 01-AuthorizationPolicy-Target-Namespaces/01-Namespace.yaml} (100%) rename 08-AuthorizationPolicy/{01-target-namespaces/authentication.yaml => 01-AuthorizationPolicy-Target-Namespaces/AuthorizationPolicy.yaml} (100%) rename 08-AuthorizationPolicy/{02-target-service-accounts/deployment_2.yaml => 01-AuthorizationPolicy-Target-Namespaces/Deployments.yaml} (54%) rename 08-AuthorizationPolicy/{01-target-namespaces/gateway.yaml => 01-AuthorizationPolicy-Target-Namespaces/Gateway.yaml} (100%) rename 08-AuthorizationPolicy/{01-target-namespaces => 01-AuthorizationPolicy-Target-Namespaces}/README.md (96%) create mode 100644 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Services.yaml rename 08-AuthorizationPolicy/{02-target-service-accounts/01-namespace.yaml => 02-AuthorizationPolicy-Target-Service-Accounts/01-Namespace.yaml} (100%) rename 
08-AuthorizationPolicy/{02-target-service-accounts/01-service-accounts.yaml => 02-AuthorizationPolicy-Target-Service-Accounts/01-Service_Accounts.yaml} (100%) rename 08-AuthorizationPolicy/{02-target-service-accounts/authentication.yaml => 02-AuthorizationPolicy-Target-Service-Accounts/AuthorizationPolicy.yaml} (100%) rename 08-AuthorizationPolicy/{02-target-service-accounts/deployment.yaml => 02-AuthorizationPolicy-Target-Service-Accounts/Deployments.yaml} (55%) rename 08-AuthorizationPolicy/{02-target-service-accounts => 02-AuthorizationPolicy-Target-Service-Accounts}/README.md (96%) create mode 100644 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Services.yaml rename 08-AuthorizationPolicy/{02-target-service-accounts => 02-AuthorizationPolicy-Target-Service-Accounts}/gateway.yaml (100%) rename 08-AuthorizationPolicy/{03-target-deployments/01-namespace.yaml => 03-AuthorizationPolicy-Target-Deployments/01-Namespace.yaml} (100%) rename 08-AuthorizationPolicy/{03-target-deployments/authentication.yaml => 03-AuthorizationPolicy-Target-Deployments/AuthorizationPolicy.yaml} (100%) rename 08-AuthorizationPolicy/{01-target-namespaces/deployment_2.yaml => 03-AuthorizationPolicy-Target-Deployments/Deployments.yaml} (54%) rename 08-AuthorizationPolicy/{03-target-deployments/gateway.yaml => 03-AuthorizationPolicy-Target-Deployments/Gateway.yaml} (100%) rename 08-AuthorizationPolicy/{03-target-deployments => 03-AuthorizationPolicy-Target-Deployments}/README.md (94%) create mode 100644 08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Services.yaml delete mode 100755 08-AuthorizationPolicy/03-target-deployments/deployment.yaml delete mode 100755 08-AuthorizationPolicy/03-target-deployments/deployment_2.yaml 
diff --git a/08-AuthorizationPolicy/01-target-namespaces/01-namespace.yaml b/08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/01-Namespace.yaml
similarity index 100%
rename from 08-AuthorizationPolicy/01-target-namespaces/01-namespace.yaml
rename to 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/01-Namespace.yaml
diff --git a/08-AuthorizationPolicy/01-target-namespaces/authentication.yaml b/08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/AuthorizationPolicy.yaml
similarity index 100%
rename from 08-AuthorizationPolicy/01-target-namespaces/authentication.yaml
rename to 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/AuthorizationPolicy.yaml
diff --git a/08-AuthorizationPolicy/02-target-service-accounts/deployment_2.yaml b/08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Deployments.yaml
similarity index 54%
rename from 08-AuthorizationPolicy/02-target-service-accounts/deployment_2.yaml
rename to 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Deployments.yaml
index 69a8412..660a57e 100755
--- a/08-AuthorizationPolicy/02-target-service-accounts/deployment_2.yaml
+++ b/08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Deployments.yaml
@@ -1,18 +1,28 @@
-apiVersion: v1
-kind: Service
+apiVersion: apps/v1
+kind: Deployment
 metadata:
- name: byeworld
+ name: helloworld-nginx
 labels:
- app: byeworld
- service: byeworld
- namespace: foo
+ app: helloworld
 spec:
- ports:
- - port: 9090
- name: http
- targetPort: 80
+ replicas: 1
 selector:
- app: byeworld
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ spec:
+ containers:
+ - name: helloworld
+ image: nginx
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 80
 ---
 apiVersion: apps/v1
 kind: Deployment
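Review bot: The added `helloworld-nginx` Deployment sets no `metadata.namespace`, so it is created in whatever namespace the active kubectl context selects; in the namespace-targeting example that namespace is precisely the attribute the AuthorizationPolicy keys on, so it should be pinned rather than implied. Set `metadata.namespace` explicitly to the namespace the policy in this folder targets and add a one-line comment such as `# namespace is load-bearing: the AuthorizationPolicy in this folder is namespace-scoped`. The `byeworld` Deployment that follows starts on the last context line of this hunk and its body is outside it, so its namespace placement could not be checked here. Separately, `image: nginx` with `imagePullPolicy: IfNotPresent` pulls an unpinned tag whose contents drift over time; pinning a tag (e.g. `image: nginx:1.25`) keeps the example reproducible.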
diff --git a/08-AuthorizationPolicy/01-target-namespaces/gateway.yaml b/08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Gateway.yaml similarity index 100% rename from 08-AuthorizationPolicy/01-target-namespaces/gateway.yaml rename to 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Gateway.yaml diff --git a/08-AuthorizationPolicy/01-target-namespaces/README.md b/08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/README.md similarity index 96% rename from 08-AuthorizationPolicy/01-target-namespaces/README.md rename to 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/README.md index bf57e99..d169a17 100755 --- a/08-AuthorizationPolicy/01-target-namespaces/README.md +++ b/08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/README.md @@ -3,15 +3,16 @@ gitea: none include_toc: true --- -# Continues from -- [06-mTLS](../../10-mTLS_PeerAuthentication/06-mTLS) +# Description -## Description +On this example we will be deploying an `AuthorizationPolicy` object to control the traffic that the `envoy-proxy` will manage on deployment created. -Bla bla bla +As well, we will configure the `AuthorizationPolicy` object to be applied at a "namespace" level. -Configuration targeting namespaces +# Based on + +- [10-mTLS_PeerAuthentication/01-mTLS](../../10-mTLS_PeerAuthentication/01-mTLS) # Configuration diff --git a/08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Services.yaml b/08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Services.yaml new file mode 100644 index 0000000..4ec62d4 --- /dev/null +++ b/08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Services.yaml 
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - port: 8080
+ name: http
+ targetPort: 80
+ selector:
+ app: helloworld
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: byeworld
+ labels:
+ app: byeworld
+ service: byeworld
+ namespace: foo
+spec:
+ ports:
+ - port: 9090
+ name: http
+ targetPort: 80
+ selector:
+ app: byeworld
\ No newline at end of file
diff --git a/08-AuthorizationPolicy/02-target-service-accounts/01-namespace.yaml b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/01-Namespace.yaml
similarity index 100%
rename from 08-AuthorizationPolicy/02-target-service-accounts/01-namespace.yaml
rename to 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/01-Namespace.yaml
diff --git a/08-AuthorizationPolicy/02-target-service-accounts/01-service-accounts.yaml b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/01-Service_Accounts.yaml
similarity index 100%
rename from 08-AuthorizationPolicy/02-target-service-accounts/01-service-accounts.yaml
rename to 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/01-Service_Accounts.yaml
diff --git a/08-AuthorizationPolicy/02-target-service-accounts/authentication.yaml b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/AuthorizationPolicy.yaml
similarity index 100%
rename from 08-AuthorizationPolicy/02-target-service-accounts/authentication.yaml
rename to 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/AuthorizationPolicy.yaml
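Review bot: The `byeworld` Service carries `namespace: foo` while `helloworld` carries none, and in this collapsed view the nesting of `namespace: foo` cannot be verified — if it sits under `labels:` rather than directly under `metadata:`, it is only a label and the Service is created in the context's namespace, where its selector will never find the byeworld pods and the namespace-scoped examples silently test the wrong thing. A comment on that line, `# must be metadata.namespace, not a label under labels:`, plus a `kubectl get svc -A -l app=byeworld` check after applying would catch this. The port `name: http` is also load-bearing: Istio derives the port's protocol from the port name (or `appProtocol`), and the HTTP-method rules the top-level README describes only apply once the port is classified as HTTP, so a comment `# name drives Istio protocol selection; keep the http- prefix` would stop a future rename from breaking the policy. The file lacks a trailing newline; minor, but the same blob is copied into all three examples, so fix it once.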
diff --git a/08-AuthorizationPolicy/02-target-service-accounts/deployment.yaml b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Deployments.yaml
similarity index 55%
rename from 08-AuthorizationPolicy/02-target-service-accounts/deployment.yaml
rename to 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Deployments.yaml
index 2a3ac62..8f4e59d 100755
--- a/08-AuthorizationPolicy/02-target-service-accounts/deployment.yaml
+++ b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Deployments.yaml
@@ -1,18 +1,3 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: helloworld
- labels:
- app: helloworld
- service: helloworld
-spec:
- ports:
- - port: 8080
- name: http
- targetPort: 80
- selector:
- app: helloworld
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -39,3 +24,30 @@ spec:
 imagePullPolicy: IfNotPresent
 ports:
 - containerPort: 80
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: byeworld-nginx
+ labels:
+ app: byeworld
+ namespace: foo
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: byeworld
+ template:
+ metadata:
+ labels:
+ app: byeworld
+ spec:
+ containers:
+ - name: byeworld
+ image: nginx
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 80
diff --git a/08-AuthorizationPolicy/02-target-service-accounts/README.md b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/README.md
similarity index 96%
rename from 08-AuthorizationPolicy/02-target-service-accounts/README.md
rename to 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/README.md
index 0018395..42548c2 100755
--- a/08-AuthorizationPolicy/02-target-service-accounts/README.md
+++ b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/README.md
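Review bot: The added `byeworld-nginx` Deployment sets no `serviceAccountName`, so its pods run under the namespace's `default` ServiceAccount and present that identity to the mesh; in the service-account-targeting example that identity is exactly what the policy matches on, so leaving it implicit hides the point of the exercise. Either set `serviceAccountName:` in the pod spec to one of the accounts created by `01-Service_Accounts.yaml` (their names are not visible here), or add a comment `# intentionally runs as the namespace's default ServiceAccount; the policy targets the helloworld account only` so readers know which principal byeworld presents. The `helloworld-nginx` Deployment between the two hunks is outside this view, so whether it sets a ServiceAccount could not be checked. The same nesting caveat applies to `namespace: foo` here: it has to sit under `metadata:`, not `labels:`, or the pods land in the context's namespace.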
@@ -3,21 +3,19 @@ gitea: none include_toc: true --- -# Continues from -[//]: # (- [01-hello_world_1_service_1_deployment](../../01-simple/01-hello_world_1_service_1_deployment)) -- [01-target-namespaces](../01-target-namespaces) +# Description + +On this example we will be deploying an `AuthorizationPolicy` object to control the traffic that the `envoy-proxy` will manage on deployment created. + +As well, we will configure the `AuthorizationPolicy` object will be applied to the deployments with the targeted `ServiceAccount`. > **Note:**\ > On this example there is minimal changes to the configuration to involve targeting service accounts. -## Description +# Based on -Bla bla bla - -Configuration targeting service accounts (among others) - -By default, when a pod is deployed, if a service account has not been specified, it will be given the service account `default` from that namespace. +- [01-AuthorizationPolicy-Target-Namespaces](../01-AuthorizationPolicy-Target-Namespaces) # Changelog diff --git a/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Services.yaml b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Services.yaml new file mode 100644 index 0000000..4ec62d4 --- /dev/null +++ b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Services.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 8080 + name: http + targetPort: 80 + selector: + app: helloworld +--- +apiVersion: v1 +kind: Service +metadata: + name: byeworld + labels: + app: byeworld + service: byeworld + namespace: foo +spec: + ports: + - port: 9090 + name: http + targetPort: 80 + selector: + app: byeworld \ No newline at end of file 
diff --git a/08-AuthorizationPolicy/02-target-service-accounts/gateway.yaml b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/gateway.yaml
similarity index 100%
rename from 08-AuthorizationPolicy/02-target-service-accounts/gateway.yaml
rename to 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/gateway.yaml
diff --git a/08-AuthorizationPolicy/03-target-deployments/01-namespace.yaml b/08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/01-Namespace.yaml
similarity index 100%
rename from 08-AuthorizationPolicy/03-target-deployments/01-namespace.yaml
rename to 08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/01-Namespace.yaml
diff --git a/08-AuthorizationPolicy/03-target-deployments/authentication.yaml b/08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/AuthorizationPolicy.yaml
similarity index 100%
rename from 08-AuthorizationPolicy/03-target-deployments/authentication.yaml
rename to 08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/AuthorizationPolicy.yaml
diff --git a/08-AuthorizationPolicy/01-target-namespaces/deployment_2.yaml b/08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Deployments.yaml
similarity index 54%
rename from 08-AuthorizationPolicy/01-target-namespaces/deployment_2.yaml
rename to 08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Deployments.yaml
index 69a8412..660a57e 100755
--- a/08-AuthorizationPolicy/01-target-namespaces/deployment_2.yaml
+++ b/08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Deployments.yaml
@@ -1,18 +1,28 @@
-apiVersion: v1
-kind: Service
+apiVersion: apps/v1
+kind: Deployment
 metadata:
- name: byeworld
+ name: helloworld-nginx
 labels:
- app: byeworld
- service: byeworld
- namespace: foo
+ app: helloworld
 spec:
- ports:
- - port: 9090
- name: http
- targetPort: 80
+ replicas: 1
 selector:
- app: byeworld
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ spec:
+ containers:
+ - name: helloworld
+ image: nginx
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 80
 ---
 apiVersion: apps/v1
 kind: Deployment
diff --git a/08-AuthorizationPolicy/03-target-deployments/gateway.yaml b/08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Gateway.yaml
similarity index 100%
rename from 08-AuthorizationPolicy/03-target-deployments/gateway.yaml
rename to 08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Gateway.yaml
diff --git a/08-AuthorizationPolicy/03-target-deployments/README.md b/08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/README.md
similarity index 94%
rename from 08-AuthorizationPolicy/03-target-deployments/README.md
rename to 08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/README.md
index 972ae00..70b944b 100755
--- a/08-AuthorizationPolicy/03-target-deployments/README.md
+++ b/08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/README.md
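Review bot: For the label-targeting example, an AuthorizationPolicy `selector.matchLabels` matches workload (pod) labels, i.e. the `spec.template.metadata.labels` block added here, not the Deployment's own `metadata.labels`; both carry `app: helloworld` at the moment, but nothing in the file says which set the policy depends on, and it is the Deployment-level label that people tend to edit. A comment on the template labels, `# the AuthorizationPolicy selector matches these pod labels, not the Deployment labels above`, makes the coupling with `AuthorizationPolicy.yaml` explicit. The second Deployment begins on the last context line of this hunk and its labels are outside the view, so the same check could not be done for byeworld.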
@@ -3,18 +3,27 @@ gitea: none include_toc: true --- -# Continues from -- [01-target-namespaces](../01-target-namespaces) +# Description + +On this example we will be deploying an `AuthorizationPolicy` object to control the traffic that the `envoy-proxy` will manage on deployment created. + +As well, we will configure the `AuthorizationPolicy` object will be applied to the deployments with the targeted through the usage of labels to filter the resources affected. > **Note:**\ > On this example there is minimal changes to the configuration to involve targeting the deployment resources through label filtering. -## Description +# Based on -Bla bla bla +- [01-AuthorizationPolicy-Target-Namespaces](../01-AuthorizationPolicy-Target-Namespaces) -In this example we will be targeting the labels set to the deployments, while keeping part of the previous AuthorizationPolicy configuration to maintain its behavior. +[//]: # (## Description) + +[//]: # () +[//]: # (Bla bla bla) + +[//]: # () +[//]: # (In this example we will be targeting the labels set to the deployments, while keeping part of the previous AuthorizationPolicy configuration to maintain its behavior. ) [//]: # (For such, it's important to check the labels set in the Istio ingress that we will be using.) diff --git a/08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Services.yaml b/08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Services.yaml new file mode 100644 index 0000000..4ec62d4 --- /dev/null +++ b/08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Services.yaml 
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - port: 8080
+ name: http
+ targetPort: 80
+ selector:
+ app: helloworld
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: byeworld
+ labels:
+ app: byeworld
+ service: byeworld
+ namespace: foo
+spec:
+ ports:
+ - port: 9090
+ name: http
+ targetPort: 80
+ selector:
+ app: byeworld
\ No newline at end of file
diff --git a/08-AuthorizationPolicy/03-target-deployments/deployment.yaml b/08-AuthorizationPolicy/03-target-deployments/deployment.yaml
deleted file mode 100755
index 0fb81b3..0000000
--- a/08-AuthorizationPolicy/03-target-deployments/deployment.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: helloworld
- labels:
- app: helloworld
- service: helloworld
-spec:
- ports:
- - port: 8080
- name: http
- targetPort: 80
- selector:
- app: helloworld
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: helloworld-nginx
- labels:
- app: helloworld
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: helloworld
- template:
- metadata:
- labels:
- app: helloworld
- spec:
- containers:
- - name: helloworld
- image: nginx
- resources:
- requests:
- cpu: "100m"
- imagePullPolicy: IfNotPresent
- ports:
- containerPort: 80
diff --git a/08-AuthorizationPolicy/03-target-deployments/deployment_2.yaml b/08-AuthorizationPolicy/03-target-deployments/deployment_2.yaml
deleted file mode 100755
index 69a8412..0000000
--- a/08-AuthorizationPolicy/03-target-deployments/deployment_2.yaml
+++ /dev/null
@@ -1,42 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: byeworld - labels: - app: byeworld - service: byeworld - namespace: foo -spec: - ports: - - port: 9090 - name: http - targetPort: 80 - selector: - app: byeworld ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: byeworld-nginx - labels: - app: byeworld - namespace: foo -spec: - replicas: 1 - selector: - matchLabels: - app: byeworld - template: - metadata: - labels: - app: byeworld - spec: - containers: - - name: byeworld - image: nginx - resources: - requests: - cpu: "100m" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 80 diff --git a/08-AuthorizationPolicy/README.md b/08-AuthorizationPolicy/README.md index c722a3c..6bf312a 100644 --- a/08-AuthorizationPolicy/README.md +++ b/08-AuthorizationPolicy/README.md @@ -1,24 +1,12 @@ -## Authentication -- Based on namespaces (done) - -- Based on method (somewhat done, so I will mark it as valid) +## Description -- Based on service account(s) (somewhat done) +Through the usage of `AuthorizationPolicies`, we are able to configure rules for access control, whether be (but not limited to) **Allowing** or **Denying** the request. -- Custom action (it's in alpha feature, should not focus on it for now) +On all the examples for simplicity it's been kept to the "Head" request. -- Audit / logs (should be the 3th) +## Examples -JWT seems important, refer to source.requestPrincipals - -https://istio.io/latest/docs/tasks/security/authentication/ - - - -Per deployment: -```yaml - selector: - matchLabels: - app: myapi -``` \ No newline at end of file +- 01-target-namespaces +- 02-target-service-accounts +- 03-target-deployments