-
Notifications
You must be signed in to change notification settings - Fork 17
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Sanskar Sharma <[email protected]>
- Loading branch information
1 parent
e69ffad
commit e1afe0b
Showing
2 changed files
with
92 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: enforce-unique-gateway-tls | ||
| annotations: | ||
| policies.kyverno.io/title: Enforce Unique Gateway TLS Credentials | ||
| policies.kyverno.io/category: Istio Best Practices | ||
| policies.kyverno.io/severity: medium | ||
| policies.kyverno.io/subject: Gateway | ||
| policies.kyverno.io/description: >- | ||
| Ensures that the same TLS credentialName is not reused across multiple Gateways | ||
| in the same namespace to prevent 404 errors when clients reuse HTTP2 connections. | ||
| spec: | ||
| validationFailureAction: Enforce | ||
| rules: | ||
| - name: enforce-unique-gateway-tls | ||
| match: | ||
| any: | ||
| - resources: | ||
| kinds: | ||
| - Gateway | ||
| operations: | ||
| - CREATE | ||
| - UPDATE | ||
| context: | ||
| - name: manifestNamespace | ||
| variable: | ||
| value: "{{ request.object.metadata.namespace }}" | ||
| - name: manifestTLS | ||
| variable: | ||
| jmesPath: "request.object.spec.servers[].tls.credentialName | [?@ != null] | [*]" | ||
| - name: existingTLS | ||
| apiCall: | ||
| urlPath: "/apis/networking.istio.io/v1/namespaces/{{ manifestNamespace }}/gateways" | ||
| jmesPath: "items[].spec.servers[].tls.credentialName | [?@ != null] | [*]" | ||
| validate: | ||
| message: "TLS credentials are being reused across Gateways in namespace '{{ manifestNamespace }}'. This may cause 404 errors when clients reuse HTTP2 connections. TLS used in manifest: {{ manifestTLS }}, existingTLS: {{ existingTLS }}" | ||
| deny: | ||
| conditions: | ||
| all: | ||
| - key: "{{ manifestTLS }}" | ||
| operator: AnyIn | ||
| value: "{{ existingTLS }}" | ||
| - key: "{{ existingTLS }}" | ||
| operator: AnyIn | ||
| value: "{{ manifestTLS }}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| apiVersion: networking.istio.io/v1beta1 | ||
| kind: Gateway | ||
| metadata: | ||
| name: good-resource-1 | ||
| namespace: test | ||
| spec: | ||
| selector: | ||
| istio: ingressgateway | ||
| servers: | ||
| - port: | ||
| number: 443 | ||
| name: https | ||
| protocol: HTTPS | ||
| hosts: | ||
| - "example.com" | ||
| tls: | ||
| mode: SIMPLE | ||
| credentialName: example-cert-2 | ||
| --- | ||
| apiVersion: networking.istio.io/v1beta1 | ||
| kind: Gateway | ||
| metadata: | ||
| name: bad-resource-1 | ||
| namespace: test | ||
| spec: | ||
| selector: | ||
| istio: ingressgateway | ||
| servers: | ||
| - port: | ||
| number: 443 | ||
| name: https | ||
| protocol: HTTPS | ||
| hosts: | ||
| - "example.com" | ||
| tls: | ||
| mode: SIMPLE | ||
| credentialName: example-cert-1 | ||
| - port: | ||
| number: 443 | ||
| name: https | ||
| protocol: HTTPS | ||
| hosts: | ||
| - "example.com" | ||
| tls: | ||
| mode: SIMPLE | ||
| credentialName: example-cert-3 |