Extend Istio AuthorizationPolicy to allow access from notebook contro…

…ller port of kubeflow#5980
d2iq-archive · Aug 25, 2021 · b9fa8e5 · b9fa8e5
1 parent eb51869
commit b9fa8e5
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/components/profile-controller/controllers/profile_controller.go b/components/profile-controller/controllers/profile_controller.go
@@ -391,6 +391,24 @@ func (r *ProfileReconciler) getAuthorizationPolicy(profileIns *profilev1.Profile
 					},
 				},
 			},
+			{
+				// allow the notebook-controller in the kubeflow namespace to access the api/status endpoint of the notebook servers.
+				From: []*istioSecurity.Rule_From{
+					{
+						Source: &istioSecurity.Source{
+							Principals: []string{"cluster.local/ns/kubeflow/sa/notebook-controller-service-account"},
+						},
+					},
+				},
+				To: []*istioSecurity.Rule_To{
+					{
+						Operation: &istioSecurity.Operation{
+							Methods: []string{"GET"},
+							Paths:   []string{"*/api/status"}, // wildcard for the name of the notebook server
+						},
+					},
+				},
+			},
 		},
 	}
 }