feat!: implement operator authorization policy management #1384
Merged
19 commits:
- c1526e2 (chance-coleman): feat: init authpol operator
- 7c70bd4 (chance-coleman): feat: authpol operator changes
- b5404cb (chance-coleman): Merge branch 'main' into ambient-mesh-operator
- d5372c7 (chance-coleman): feat: another iteration of tests and refactors
- 2d506c6 (chance-coleman): Merge branch 'main' into ambient-mesh-operator
- 69cf560 (chance-coleman): fix: refactor naming and other fixes
- cf78297 (chance-coleman): fix: for pr comments
- 26353b1 (chance-coleman): fix: doc wording and passthrough gateway
- 7827f41 (chance-coleman): Merge branch 'main' into ambient-mesh-operator
- e2accb0 (chance-coleman): chore(docs): update auth service doc
- c2b3ece (chance-coleman): fix: missing authpol counter and prometheus principal
- 557adcd (chance-coleman): fix: tests for prometheus principal
- 416e8fa (chance-coleman): fix: prometheus principal, kubeapi, kubenode upgrade
- fee8e76 (chance-coleman): Merge branch 'main' into ambient-mesh-operator
- 63ba73e (chance-coleman): fix: logging
- d08e3e3 (chance-coleman): fix: tests
- af0e39e (mjnagel): Merge branch 'main' into ambient-mesh-operator
- 502fc2a (chance-coleman): chore(docs): update wording
- d814310 (chance-coleman): Merge branch 'main' into ambient-mesh-operator
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -32,3 +32,5 @@ uds-docs/** | |
| **.backup | ||
| **/.playwright/** | ||
| **/.playwright | ||
|
|
||
| coverage/** | ||
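Review bot: the `**/.playwright` pattern added beside the existing `**/.playwright/**` makes the older one redundant, since a bare directory-name pattern in .gitignore already excludes the directory and everything beneath it; keep one of the two so future edits are not confused about which one is load-bearing. Also, because `coverage/**` has a separator in the middle, gitignore anchors it to the repository root, so a `coverage` directory written inside a sub-package would not be ignored; use `**/coverage/**` if that is the intent.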
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,251 @@ | ||
| ## Overview | ||
|
|
||
| This guide describes how Istio AuthorizationPolicies are generated from the UDSPackage CR by the UDS Operator. These **ALLOW** policies are primarily used to enable ingress security within an Istio Ambient Mesh environment. | ||
|
|
||
| The code responsible for generating these policies can be found [here](https://github.com/defenseunicorns/uds-core/blob/main/src/pepr/operator/controllers/network/authorizationPolicies.ts) and includes support for three rule types: | ||
| - `allow`: Direct ingress rules for services. | ||
| - `expose`: Gateway-based ingress exposure. | ||
| - `monitor`: Restricts access to metrics endpoints. | ||
|
|
||
| Each rule is processed individually to generate a single Istio AuthorizationPolicy. | ||
|
|
||
| --- | ||
|
|
||
| ## Policy Generation Flow | ||
|
|
||
| 1. **Input Collection** | ||
| - The operator reads the `spec.network.allow`, `spec.network.expose`, and `spec.monitor` fields from a UDSPackage. | ||
|
|
||
| 2. **Allow Rule Processing** | ||
| - Sources are computed based on `remoteGenerated`, `remoteNamespace`, and `remoteServiceAccount`. | ||
| - Port info is collected from `port` and `ports`. | ||
| - If `remoteServiceAccount` is present, a `principal` source is used, overriding namespace restrictions. | ||
|
|
||
| 3. **Expose Rule Processing** | ||
| - Uses `port` or `targetPort` for port resolution. | ||
| - Sources are determined by the selected gateway: | ||
| - Admin gateway → `cluster.local/ns/istio-admin-gateway/sa/admin-ingressgateway` | ||
| - Tenant gateway (default) → `cluster.local/ns/istio-tenant-gateway/sa/tenant-ingressgateway` | ||
|
|
||
| 4. **Monitor Rule Processing** | ||
| - Each monitor rule generates a policy allowing access from `monitoring` namespace to a specific port. | ||
|
|
||
| 5. **Policy Naming** | ||
| - All policies start with `protect-<pkgName>-<rule-derived-name>`. | ||
| - `allow` rules use either the `description` or a combination of selector and remote fields. | ||
| - `expose` rules follow `ingress-<port>-<selector>-istio-<gateway>-gateway`. | ||
|
|
||
| 6. **Policy Application** | ||
| - Policies are applied via `K8s(AuthorizationPolicy).Apply()` with force enabled. | ||
| - `purgeOrphans` removes outdated or unused policies from previous generations. | ||
|
|
||
| --- | ||
|
|
||
| ## Development Tips | ||
|
|
||
| - **Rule Deduplication**: Currently, even identical selectors in different rules generate separate policies. | ||
| - **Troubleshooting**: Enable debug logging to inspect which policy is generated and applied. | ||
| - **Testing**: Use test UDSPackages with different `remoteGenerated` and gateway values to validate behavior. | ||
| - **Best Practices**: | ||
| - Avoid overly broad allow rules (e.g., `remoteGenerated: Anywhere`) unless absolutely necessary. | ||
| - Prefer using `remoteServiceAccount` for precise identity-based access. | ||
|
|
||
| --- | ||
|
|
||
| ## Example Use Cases | ||
|
|
||
| ### Example 1: Allow Ingress from a Specific Namespace (No Selector) | ||
|
|
||
| ```yaml | ||
| spec: | ||
| network: | ||
| allow: | ||
| - direction: Ingress | ||
| remoteNamespace: "external-app" | ||
| port: 8080 | ||
| ``` | ||
|
|
||
| ```yaml | ||
| apiVersion: security.istio.io/v1beta1 | ||
| kind: AuthorizationPolicy | ||
| metadata: | ||
| name: protect-my-app-ingress-external-app | ||
| namespace: my-app-namespace | ||
| labels: | ||
| uds/package: my-app | ||
| uds/generation: "1" | ||
| spec: | ||
| action: ALLOW | ||
| rules: | ||
| - from: | ||
| - source: | ||
| namespaces: ["external-app"] | ||
| to: | ||
| - operation: | ||
| ports: ["8080"] | ||
| ``` | ||
|
|
||
| ### Example 2: Allow Ingress Only to a Specific Pod Selector | ||
|
|
||
| ```yaml | ||
| spec: | ||
| network: | ||
| allow: | ||
| - direction: Ingress | ||
| remoteNamespace: "external-app" | ||
| selector: | ||
| app: "frontend" | ||
| port: 8080 | ||
| ``` | ||
|
|
||
| ```yaml | ||
| apiVersion: security.istio.io/v1beta1 | ||
| kind: AuthorizationPolicy | ||
| metadata: | ||
| name: protect-my-app-ingress-frontend | ||
| namespace: my-app-namespace | ||
| labels: | ||
| uds/package: my-app | ||
| uds/generation: "1" | ||
| spec: | ||
| action: ALLOW | ||
| selector: | ||
| matchLabels: | ||
| app: "frontend" | ||
| rules: | ||
| - from: | ||
| - source: | ||
| namespaces: ["external-app"] | ||
| to: | ||
| - operation: | ||
| ports: ["8080"] | ||
| ``` | ||
|
|
||
| ### Example 3: Intra-Namespace Rule Without Port | ||
|
|
||
| ```yaml | ||
| spec: | ||
| network: | ||
| allow: | ||
| - direction: Ingress | ||
| remoteGenerated: IntraNamespace | ||
| ``` | ||
|
|
||
| ```yaml | ||
| apiVersion: security.istio.io/v1beta1 | ||
| kind: AuthorizationPolicy | ||
| metadata: | ||
| name: protect-loki-ingress-all | ||
| namespace: loki | ||
| labels: | ||
| uds/package: loki | ||
| uds/generation: "1" | ||
| spec: | ||
| action: ALLOW | ||
| rules: | ||
| - from: | ||
| - source: | ||
| namespaces: ["loki"] | ||
| ``` | ||
|
|
||
| ### Example 4: Allow Anywhere Rule (No Namespace Restriction) | ||
|
|
||
| ```yaml | ||
| spec: | ||
| network: | ||
| allow: | ||
| - direction: Ingress | ||
| remoteGenerated: Anywhere | ||
| port: 80 | ||
| ``` | ||
|
|
||
| ```yaml | ||
| apiVersion: security.istio.io/v1beta1 | ||
| kind: AuthorizationPolicy | ||
| metadata: | ||
| name: protect-myapp-ingress-all | ||
| namespace: my-namespace | ||
| labels: | ||
| uds/package: myapp | ||
| uds/generation: "1" | ||
| spec: | ||
| action: ALLOW | ||
| rules: | ||
| - from: [] | ||
| to: | ||
| - operation: | ||
| ports: ["80"] | ||
| ``` | ||
|
|
||
| ### Example 5: Expose Rule with Gateway Specification | ||
|
|
||
| ```yaml | ||
| spec: | ||
| network: | ||
| expose: | ||
| - port: 8080 | ||
| targetPort: 9090 | ||
| selector: | ||
| app: "backend" | ||
| gateway: Admin | ||
| ``` | ||
|
|
||
| ```yaml | ||
| apiVersion: security.istio.io/v1beta1 | ||
| kind: AuthorizationPolicy | ||
| metadata: | ||
| name: protect-my-app-ingress-9090-backend-istio-admin-gateway | ||
| namespace: my-app-namespace | ||
| labels: | ||
| uds/package: my-app | ||
| uds/generation: "1" | ||
| spec: | ||
| action: ALLOW | ||
| selector: | ||
| matchLabels: | ||
| app: "backend" | ||
| rules: | ||
| - from: | ||
| - source: | ||
| principals: ["cluster.local/ns/istio-admin-gateway/sa/admin-ingressgateway"] | ||
| to: | ||
| - operation: | ||
| ports: ["9090"] | ||
| ``` | ||
|
|
||
| ### Example 6: Monitor Rule for Securing a Metrics Endpoint | ||
|
|
||
| ```yaml | ||
| spec: | ||
| monitor: | ||
| - description: Metrics | ||
| podSelector: | ||
| app.kubernetes.io/name: grafana | ||
| portName: service | ||
| selector: | ||
| app.kubernetes.io/name: grafana | ||
| targetPort: 3000 | ||
| ``` | ||
|
|
||
| ```yaml | ||
| apiVersion: security.istio.io/v1beta1 | ||
| kind: AuthorizationPolicy | ||
| metadata: | ||
| name: protect-grafana-ingress-grafana-istio-tenant-gateway | ||
| namespace: grafana | ||
| labels: | ||
| uds/package: grafana | ||
| uds/generation: "1" | ||
| spec: | ||
| action: ALLOW | ||
| selector: | ||
| matchLabels: | ||
| app.kubernetes.io/name: grafana | ||
| rules: | ||
| - from: | ||
| - source: | ||
| namespaces: ["monitoring"] | ||
| to: | ||
| - operation: | ||
| ports: ["3000"] | ||
| ``` |
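Review bot: the Policy Naming section (step 5) covers `allow` and `expose` rules but says nothing about `monitor` rules, and Example 6 shows a monitor policy named `protect-grafana-ingress-grafana-istio-tenant-gateway` although its only source is the `monitoring` namespace, not the tenant gateway; either document the monitor naming scheme or adjust the example so the name reflects what the policy admits. Related: Examples 3 and 4 both produce a `protect-<pkg>-ingress-all` name, so a package carrying one `IntraNamespace` rule and one `Anywhere` rule would generate colliding policy names; state how the generator disambiguates them, or that a `description` is required in that case. The commit history also mentions a Prometheus principal while Example 6 shows a namespace source, so it is worth confirming the example matches the current implementation.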
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,99 @@ | ||
| --- | ||
| title: How Authorization Policies Protect Your Services | ||
| sidebar: | ||
| order: 3 | ||
| --- | ||
|
|
||
| In clusters running Istio Ambient Mesh, UDS‑Core enforces **ingress network security** using Istio **ALLOW** AuthorizationPolicies. These policies are automatically generated for each application package you define with a [UDS Package](https://uds.defenseunicorns.com/reference/configuration/uds-operator/package/) resource. | ||
|
|
||
|
|
||
| This document explains what this means for you as an application developer and how to take full advantage of the built-in security model. | ||
|
|
||
| --- | ||
|
|
||
| ## Key Takeaways | ||
|
|
||
| - **Ingress is denied by default.** UDS Core only allows what you explicitly configure using `allow` and `expose` rules. | ||
|
|
||
| - **AuthorizationPolicies are ALLOW-based**, which means you must write **DENY** rules separately if you want to restrict internal traffic further. | ||
|
|
||
| - **Use `remoteServiceAccount` wherever possible.** This provides the most secure and identity-based access control. | ||
|
|
||
| - **Expose rules use gateways** to control what traffic enters your application. You can choose between: | ||
| - **Tenant Gateway** (default) | ||
| - **Admin Gateway** (used only when absolutely necessary) | ||
|
|
||
| - **Monitoring ports are automatically secured** using rules that only allow the `monitoring` namespace to scrape metrics. | ||
|
|
||
| --- | ||
|
|
||
| ## Best Practices for Secure Configuration | ||
|
|
||
| ### 1. Lock Down Ingress With `allow` | ||
|
|
||
| ```yaml | ||
| spec: | ||
| network: | ||
| allow: | ||
| - direction: Ingress | ||
| remoteNamespace: "external-app" | ||
| remoteServiceAccount: "my-client" | ||
| port: 8080 | ||
| ``` | ||
|
|
||
| > This ensures that only a workload running as this specific service account in another namespace can access your service. | ||
|
|
||
| ### 2. Expose Your Service Safely | ||
|
|
||
| ```yaml | ||
| spec: | ||
| network: | ||
| expose: | ||
| - port: 80 | ||
| targetPort: 8080 | ||
| gateway: Tenant | ||
| ``` | ||
|
|
||
| > This exposes your service at port 80 through the tenant gateway and maps it to your app’s port 8080. | ||
|
|
||
| ### 3. Enable Safe Monitoring | ||
|
|
||
| ```yaml | ||
| spec: | ||
| monitor: | ||
| - targetPort: 3000 | ||
| selector: | ||
| app.kubernetes.io/name: grafana | ||
| ``` | ||
|
|
||
| > This creates a rule that allows only Prometheus (from the `monitoring` namespace) to scrape your service. | ||
|
|
||
| --- | ||
|
|
||
| ## Authservice Guidance | ||
|
|
||
| If you're using Authservice, be aware that it is **only appropriate for simple access scenarios**, such as: | ||
|
|
||
| - Protecting web UIs or dashboards | ||
| - Cases where access can be fully granted or denied with no granularity | ||
|
|
||
| --- | ||
|
|
||
| ## How Istio Evaluates Policies | ||
|
|
||
| Istio checks **DENY policies first**, then **ALLOW policies**. | ||
|
|
||
| - The operator creates ALLOW policies to admit approved ingress traffic. | ||
| - You should create your own DENY policies for more fine-grained control. | ||
|
|
||
| More info: [Istio Authorization Policy Evaluation](https://istio.io/latest/docs/concepts/security/#authorization-policy) | ||
|
|
||
| --- | ||
|
|
||
| ## Summary | ||
|
|
||
| - Ingress is denied by default. | ||
| - You allow ingress by defining `allow` or `expose` rules in your UDS Package resource definition. | ||
| - You can further tighten security using DENY policies. | ||
| - Use `remoteServiceAccount` for the strongest protection. | ||
| - Authservice is good for simple cases only—use stronger methods for complex needs. | ||
|
|
||
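Review bot: the Key Takeaways state that ingress is denied by default, but the page never says what establishes that default: in Istio a workload with no ALLOW policy attached admits all traffic, and unmatched traffic is rejected only once at least one ALLOW policy selects it, so one sentence naming the policy that provides the baseline deny (next to the link under "How Istio Evaluates Policies") would make the claim verifiable. In "Enable Safe Monitoring", the callout says only Prometheus can scrape the service, while the generated rule shown in this PR's developer guide admits the whole `monitoring` namespace; say "workloads in the `monitoring` namespace" rather than "only Prometheus". The Authservice section and the Summary refer to "stronger methods" for complex needs without naming or linking any; point readers at the `remoteServiceAccount`-based `allow` rules described above, or at whichever alternative is intended.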