Commit 4f72fd93 authored by Nastassia Rabeichykava (EPAM)'s avatar Nastassia Rabeichykava (EPAM) Committed by Oleksandr Kosse (EPAM)
GONRG-4306: istio policy for partition

parent a35ec2c4
2 merge requests!229Merge branch 'dependency-upgrade' into 'master',!150GONRG-4306: istio policy for partition
{{- if .Values.conf.on_prem_enabled }}
{{- range $key, $spec := .Values.authorizations }}
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: {{ (print $key "-default") | lower | quote }}
labels:
app.kubernetes.io/name: {{ $key | quote }}
app.kubernetes.io/managed-by: {{ $.Release.Service | quote }}
namespace: {{ $.Release.Namespace | quote }}
spec:
selector:
matchLabels:
{{- toYaml $spec.matchLabels | nindent 6 }}
action: ALLOW
rules:
{{- range $rule := $spec.rules }}
- from:
- source:
principals:
- cluster.local/ns/{{ $.Release.Namespace }}/sa/entitlements-k8s
- cluster.local/ns/{{ $.Release.Namespace }}/sa/search-k8s
- cluster.local/ns/{{ $.Release.Namespace }}/sa/storage-k8s
- cluster.local/ns/{{ $.Release.Namespace }}/sa/register-k8s
- cluster.local/ns/{{ $.Release.Namespace }}/sa/notification-k8s
- cluster.local/ns/{{ $.Release.Namespace }}/sa/indexer-k8s
- cluster.local/ns/{{ $.Release.Namespace }}/sa/indexer-queue-k8s
- cluster.local/ns/{{ $.Release.Namespace }}/sa/schema-k8s
- cluster.local/ns/{{ $.Release.Namespace }}/sa/legal-k8s
- cluster.local/ns/{{ $.Release.Namespace }}/sa/file-k8s
- cluster.local/ns/{{ $.Release.Namespace }}/sa/dataset-k8s
- cluster.local/ns/{{ $.Release.Namespace }}/sa/legal-k8s
to:
- operation:
methods:
- GET
paths:
- /api/partition/v1/*
- from:
- source:
principals:
- cluster.local/ns/{{ $rule.bootstrap_namespace }}/sa/workload-gke-bootstrap-sa
to:
- operation:
methods:
- POST
- PATCH
paths:
- /api/partition/v1/*
{{- end }}
{{- end }}
{{- end }}
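Review bot: `cluster.local/ns/<ns>/sa/legal-k8s` appears twice in the GET principals list (lines 40 and 43); Istio tolerates the duplicate, but it reads like a copy-paste slip, and if a different service account was meant on the second line that workload is now silently denied reads, so either drop the repeat or put the intended account there. The `range` over `.Values.authorizations` emits no document separator, so a second `authorizations` entry would be concatenated into the first AuthorizationPolicy document and fail to parse; add a `---` line directly after `{{- range $key, $spec := .Values.authorizations }}`. Because this is an ALLOW policy bound to the partition workload by selector, Istio's documented semantics turn every request that matches no rule (other principals, DELETE, or a plaintext caller with no peer identity) into a deny; that implicit default-deny deserves a template comment such as `# ALLOW policy with a selector: anything not listed below is denied by Istio` so the next editor does not mistake this for an additive rule set. The `cluster.local` trust domain and `$.Release.Namespace` are hard-coded into every principal, which presumably matches this deployment, but a mesh with a custom `trustDomain` or consumer services released into another namespace would see all GETs rejected — worth confirming against the on-prem mesh config.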
{{- if .Values.conf.on_prem_enabled }}
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: {{ (print .Release.Namespace "-peer-policy") | lower | quote }}
namespace: {{ .Release.Namespace | quote }}
spec:
mtls:
mode: {{ .Values.namespacePolicy.mtlsMode | quote }}
{{- end }}
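Review bot: This PeerAuthentication carries no `selector`, so it is namespace-wide, yet it is shipped by the partition chart and named `<namespace>-peer-policy`; if any other service chart in the same namespace renders the same template, the two releases will contend for one object and Helm refuses to adopt a resource owned by another release (I cannot see the sibling charts from here, so please confirm). If a per-namespace mesh setting is the intent it belongs in the bootstrap or a shared chart; if it is meant to cover only this workload, add `selector: matchLabels: app: partition` and name it after the app. The mode is rendered without a fallback, so an override that omits `namespacePolicy.mtlsMode` yields `mode: ""` and fails only at apply time; `mode: {{ .Values.namespacePolicy.mtlsMode | default "STRICT" | quote }}` keeps the secure default while still letting a values override relax it deliberately.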
......@@ -14,3 +14,14 @@ data:
conf:
configmap: "partition-config"
app_name: "partition"
on_prem_enabled: false
namespacePolicy:
mtlsMode: STRICT
authorizations:
partitionPolicy:
matchLabels:
app: partition
rules:
- bootstrap_namespace: config