[GONRG-8048] Partition service hardening

466f0a11 · Oleksandr Kosse (EPAM) · 428bbd5e · 466f0a11 · 466f0a11 · 466f0a11
Commit 466f0a11 authored 1 year ago by Oleksandr Kosse (EPAM)
--- a/devops/gc/deploy/README.md
+++ b/devops/gc/deploy/README.md
@@ -152,6 +152,7 @@ First you need to set variables in **values.yaml** file using any code editor. S
 **istio.bootstrapProxyCPU** | CPU request for Envoy sidecars | string | 10m | yes
 **istio.bootstrapProxyCPULimit** | CPU limit for Envoy sidecars | string | 100m | yes
 **istio.sidecarInject** | whether Istio sidecar will be injected. Setting to "false" reduces security, because disables authorization policy. | boolean | true | yes
+**istio.partitionEditors** | list of users who can edit partitions. If it is empty, the service allows all external GET requests and POST/PUT/PATCH for bootstrap k8s service account. It accepts gc accounts only | list | - | no

 ### Install the helm chart


--- a/devops/gc/deploy/templates/authorization-policy.yaml
+++ b/devops/gc/deploy/templates/authorization-policy.yaml
@@ -9,12 +9,32 @@ spec:
      app: {{ .Values.conf.appName | quote }}
  action: ALLOW
  rules:
+  {{- if .Values.istio.partitionEditors }}
+  - from:
+    - source:
+        principals:
+        - cluster.local/ns/{{ .Release.Namespace }}/sa/*
+    to:
+    - operation:
+        methods:
+        - GET
+        paths:
+        - /api/partition/v1/*
+  - to:
+    - operation:
+        methods:
+        - GET
+        paths:
+        - /api/partition/v1/info
+  {{- else }}
  - to:
    - operation:
        methods:
        - GET
        paths:
        - /api/partition/v1/*
+  {{- end }}
+
 ---
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
@@ -35,3 +55,12 @@ spec:
    - operation:
        paths:
        - /api/partition/v1/*
+  {{- if .Values.istio.partitionEditors }}
+  - to:
+    - operation:
+        paths:
+        - /api/partition/v1/*
+    when:
+    - key: request.auth.claims[email]
+      values: {{ .Values.istio.partitionEditors | toYaml | nindent 6}}
+  {{- end }}
--- a/devops/gc/deploy/templates/request-authentication.yaml
+++ b/devops/gc/deploy/templates/request-authentication.yaml
+{{- if .Values.istio.partitionEditors }}
+apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+  name: {{ printf "%s-jwt-policy" .Values.conf.appName | quote }}
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Values.conf.appName | quote }}
+  jwtRules:
+  - issuer: https://accounts.google.com
+    jwksUri: https://www.googleapis.com/oauth2/v3/certs
+{{- end }}
--- a/devops/gc/deploy/values.yaml
+++ b/devops/gc/deploy/values.yaml
@@ -48,3 +48,4 @@ istio:
  bootstrapProxyCPU: "5m"
  bootstrapProxyCPULimit: "100m"
  sidecarInject: "true"
+  partitionEditors: []