ClusterPolicy for enforcing securityStandard Istio Authorization Policies #582

Closed
nischay30 opened this issue Apr 20, 2023 · 4 comments
Labels: sample (Sample policy)

@nischay30
Problem Statement

A ClusterPolicy to deny any bad Istio AuthorizationPolicies in the Kubernetes cluster.

Solution Description

Cluster Policy should meet the below criteria:

  • Each Policy should have a from block
  • Each Policy should have a to block
  • Each policy should have a port defined in the to block
  • Each policy should only use requestPrincipals and principals in the source block.
  • Wildcards (*) should never be allowed as a value for any field in the AuthorizationPolicy

Example "Good" Resource

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/sleep"]
    - source:
        requestPrincipals: ["cluster.local/ns/sleep"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/data"]
        ports: ["8080"]

Example "Bad" Resource

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: badpolicy1
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["*"]
    - source:
        requestPrincipals: ["cluster.local/ns/sleep"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/data"]
        ports: ["8080"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: badpolicy2
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/sleep"]
    - source:
        requestPrincipals: ["*"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/data"]
        ports: ["8080"]

---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: badpolicy3
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/sleep"]
    - source:
        requestPrincipals: ["*"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/data"]
        ports: ["8080"]

---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: badpolicy4
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        notNamespaces: ["test"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/data"]
        ports: ["*"]

Other Comments

No response

Slack discussion

No response

Troubleshooting

@chipzoller (Member)

This passes all tests.

apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: istio-authorization-policy
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
spec:
  background: false
  validationFailureAction: Enforce
  rules:
    - name: one-require-from
      match:
        any:
        - resources:
            kinds:
            - security.istio.io/v1beta1/AuthorizationPolicy
      validate:
        message: The from field is required.
        pattern:
          spec:
            rules:
            - from: "*"
    - name: two-require-to
      match:
        any:
        - resources:
            kinds:
            - security.istio.io/v1beta1/AuthorizationPolicy
      validate:
        message: The to field is required.
        pattern:
          spec:
            rules:
            - to: "*"
    - name: three-require-port-in-to
      match:
        any:
        - resources:
            kinds:
            - security.istio.io/v1beta1/AuthorizationPolicy
      validate:
        message: The to field must have the port field defined.
        pattern:
          spec:
            rules:
            - to:
              - operation:
                  ports: "*"
    - name: four-from-source-only-requestprincipals-and-principals
      match:
        any:
        - resources:
            kinds:
            - security.istio.io/v1beta1/AuthorizationPolicy
      validate:
        message: The from field in source may only have requestPrincipals and principals fields defined.
        deny:
          conditions:
            all:
            - key: "{{ request.object.spec.rules[].from[].source.keys(@)[] }}"
              operator: AnyNotIn
              value:
              - principals
              - requestPrincipals
    - name: five-no-wildcards
      match:
        any:
        - resources:
            kinds:
            - security.istio.io/v1beta1/AuthorizationPolicy
      validate:
        message: Wildcards may not be used.
        deny:
          conditions:
            all:
            - key: "{{ to_string(request.object.spec) | contains(@, '*') }}"
              operator: Equals
              value: true
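A local re-implementation of the five checks, added here as an example; it is not code from the issue or from the Kyverno project. It mirrors the rule names and logic of the ClusterPolicy above, including rule five's `to_string(spec) | contains(@, '*')` approach, which matches an asterisk anywhere in the serialised spec, so a prefix path such as `/data/*` is rejected just like a wildcard principal or port. It runs the checks against dict versions of the issue's httpbin, badpolicy1 and badpolicy4 resources plus two constructed ones (`no-port`, `path-glob`). Those constructed resources, the `_policy` helper, and the decision to treat an empty `rules` list as failing rules one to three are assumptions of this script; real manifests would be loaded with PyYAML's `yaml.safe_load_all`, but the dicts are inlined so the script runs without dependencies.

```python
"""Pre-admission lint mirroring the five rules of the Kyverno ClusterPolicy
in this thread, applied to Istio AuthorizationPolicy objects.

Added example, not code from the issue or the Kyverno project. Inputs are
constructed Python dicts that mirror the issue's YAML.
"""
import json
from typing import Any

# Rule four: the only keys permitted under `from[].source`.
ALLOWED_SOURCE_KEYS = {"principals", "requestPrincipals"}


def check_authorization_policy(policy: dict[str, Any]) -> list[str]:
    """Return the names of the ClusterPolicy rules this object violates.

    An empty list means the object would be admitted. Treating an absent or
    empty `rules` list as a violation of rules one to three is this script's
    choice (assumption), not something the thread states.
    """
    violations: list[str] = []
    spec = policy.get("spec") or {}
    rules = spec.get("rules") or []

    # one-require-from / two-require-to: every rule needs both blocks.
    if not rules or any("from" not in r for r in rules):
        violations.append("one-require-from")
    if not rules or any("to" not in r for r in rules):
        violations.append("two-require-to")

    # three-require-port-in-to: every `to[].operation` needs `ports`.
    # A rule with no `to` key cannot satisfy the Kyverno pattern either.
    if not rules or any(
        not r.get("to")
        or any("ports" not in (t.get("operation") or {}) for t in r["to"])
        for r in rules
    ):
        violations.append("three-require-port-in-to")

    # four-...: mirrors `rules[].from[].source.keys(@)[]` with AnyNotIn.
    source_keys = {
        k for r in rules for f in (r.get("from") or [])
        for k in (f.get("source") or {})
    }
    if source_keys - ALLOWED_SOURCE_KEYS:
        violations.append("four-from-source-only-requestprincipals-and-principals")

    # five-no-wildcards: `to_string(spec) | contains(@, '*')` serialises the
    # whole spec, so an asterisk anywhere (e.g. a path "/data/*") trips it.
    if "*" in json.dumps(spec):
        violations.append("five-no-wildcards")

    return violations


def _policy(name: str, rules: list[dict[str, Any]]) -> dict[str, Any]:
    """Build an AuthorizationPolicy dict (constructed test input)."""
    return {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "AuthorizationPolicy",
        "metadata": {"name": name, "namespace": "foo"},
        "spec": {"action": "ALLOW", "rules": rules},
    }


GET_DATA_8080 = [{"operation": {"methods": ["GET"], "paths": ["/data"], "ports": ["8080"]}}]
CLIENT_SA = "cluster.local/ns/foo/sa/client"  # assumed SPIFFE-style principal

SAMPLES = {
    # The issue's "good" resource.
    "httpbin": _policy("httpbin", [{
        "from": [{"source": {"principals": ["cluster.local/ns/default/sa/sleep"]}},
                 {"source": {"requestPrincipals": ["cluster.local/ns/sleep"]}}],
        "to": GET_DATA_8080,
    }]),
    # badpolicy1 from the issue: wildcard principal.
    "badpolicy1": _policy("badpolicy1", [{
        "from": [{"source": {"principals": ["*"]}},
                 {"source": {"requestPrincipals": ["cluster.local/ns/sleep"]}}],
        "to": GET_DATA_8080,
    }]),
    # badpolicy4 from the issue: disallowed source key and wildcard port.
    "badpolicy4": _policy("badpolicy4", [{
        "from": [{"source": {"notNamespaces": ["test"]}}],
        "to": [{"operation": {"methods": ["GET"], "paths": ["/data"], "ports": ["*"]}}],
    }]),
    # Constructed: `to` present but no ports.
    "no-port": _policy("no-port", [{
        "from": [{"source": {"principals": [CLIENT_SA]}}],
        "to": [{"operation": {"methods": ["GET"], "paths": ["/data"]}}],
    }]),
    # Constructed: clean source and port, but a prefix-match path.
    "path-glob": _policy("path-glob", [{
        "from": [{"source": {"principals": [CLIENT_SA]}}],
        "to": [{"operation": {"methods": ["GET"], "paths": ["/data/*"], "ports": ["8080"]}}],
    }]),
}


def lint(policies: dict[str, dict[str, Any]]) -> dict[str, list[str]]:
    """Map each object's name to its violations; admit only those with none."""
    return {name: check_authorization_policy(p) for name, p in policies.items()}


if __name__ == "__main__":
    for name, problems in lint(SAMPLES).items():
        status = "ADMIT" if not problems else "DENY  " + ", ".join(problems)
        print(f"{name:12} {status}")
```

Running the script shows httpbin admitted, badpolicy1 and path-glob denied by rule five, no-port denied by rule three, and badpolicy4 denied by rules four and five; the path-glob case is the one to keep in mind if the cluster relies on Istio path prefix matches, since the wildcard rule as written does not distinguish a path glob from a wildcard principal.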

@chipzoller (Member)

Any feedback, @nischay30 ?

@nischay30 (Author)

Hi @chipzoller, the policies look good and I have tested them. Thanks

@chipzoller (Member)

Thank you for the confirmation.
