-
Notifications
You must be signed in to change notification settings - Fork 474
/
disabled_namespacewide_mtls_checker.go
48 lines (41 loc) · 1.81 KB
/
disabled_namespacewide_mtls_checker.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
package destinationrules
import (
"github.com/kiali/kiali/kubernetes"
"github.com/kiali/kiali/models"
)
type DisabledNamespaceWideMTLSChecker struct {
DestinationRule kubernetes.IstioObject
MTLSDetails kubernetes.MTLSDetails
}
// Check if a the PeerAuthn is allows non-mtls traffic when DestinationRule explicitly disables mTLS ns-wide
func (m DisabledNamespaceWideMTLSChecker) Check() ([]*models.IstioCheck, bool) {
validations := make([]*models.IstioCheck, 0)
// Stop validation if DestinationRule doesn't explicitly disables mTLS
if _, mode := kubernetes.DestinationRuleHasNamespaceWideMTLSEnabled(m.DestinationRule.GetObjectMeta().Namespace, m.DestinationRule); mode != "DISABLE" {
return validations, true
}
// otherwise, check among PeerAuthentications for a rule enabling mTLS
for _, mp := range m.MTLSDetails.PeerAuthentications {
if enabled, mode := kubernetes.PeerAuthnHasMTLSEnabled(mp); enabled {
// If PeerAuthn has mTLS enabled in STRICT mode
// traffic going through DestinationRule won't work
if mode == "STRICT" {
check := models.Build("destinationrules.mtls.policymtlsenabled", "spec/trafficPolicy/tls/mode")
return append(validations, &check), false
} else {
// If PeerAuthn has mTLS enabled in PERMISSIVE mode
// traffic going through DestinationRule will work
// no need for further analysis in MeshPeerAuthentications
return validations, true
}
}
}
// In case any PeerAuthn enables mTLS, check among MeshPeerAuthentications for a rule enabling it
for _, mp := range m.MTLSDetails.MeshPeerAuthentications {
if strictMode := kubernetes.PeerAuthnHasStrictMTLS(mp); strictMode {
check := models.Build("destinationrules.mtls.meshpolicymtlsenabled", "spec/trafficPolicy/tls/mode")
return append(validations, &check), false
}
}
return validations, true
}