add tetrate istio policies #190

Open
wants to merge 3 commits into
base: main
43 changes: 43 additions & 0 deletions tetrate/tis0001/restrict-duplicate-peerauthentication.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/description: When multiple PeerAuthentication objects exist, they must have unique spec.selector.matchLabels to avoid conflicts in authentication policies.
policies.kyverno.io/severity: medium
policies.kyverno.io/title: Detect Duplicate PeerAuthentication
name: detect-duplicate-peer-authentication
spec:
background: true
rules:
- context:
- apiCall:
jmesPath: items
urlPath: /apis/security.istio.io/v1beta1/namespaces/{{request.namespace}}/peerauthentications
name: peerAuthList
match:
any:
- resources:
kinds:
- PeerAuthentication
name: detect-duplicate-peer-authentication
preconditions:
all:
- key: '{{ peerAuthList | length(@) }}'
operator: GreaterThan
value: 0
- key: "{{ request.operation || 'BACKGROUND' }}"
operator: NotEquals
value: DELETE
validate:
deny:
conditions:
any:
- key: "{{ request.object.spec.selector.matchLabels || 'null' }}"
operator: Equals
value: "null"
- key: "{{ request.object.spec.selector.matchLabels.app }}"
operator: AnyIn
value: "{{ peerAuthList[].spec.selector.matchLabels.app }}"
message: When multiple PeerAuthentication objects exist, they must have unique spec.selector.matchLabels
validationFailureAction: Enforce
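Review bot: the `peerAuthList` context (`jmesPath: items` against `urlPath: /apis/security.istio.io/v1beta1/namespaces/{{request.namespace}}/peerauthentications`) includes the object under review itself, so every UPDATE of an existing PeerAuthentication, and every background scan of one, finds its own `app` label in `peerAuthList[].spec.selector.matchLabels.app` and denies it. Exclude the object from the list, e.g. `jmesPath: "items[?metadata.name != '{{ request.object.metadata.name }}']"`. Two more points on `deny.conditions.any`: the first condition (`matchLabels || 'null'` Equals `"null"`) rejects every selector-less PeerAuthentication, which is exactly how namespace-wide and mesh-wide mTLS policies (STRICT in the root namespace) are written and for which Istio already defines precedence, so it should be dropped or scoped; and the second condition compares only the `app` key, so `app: foo, version: v1` and `app: foo, version: v2` are reported as duplicates while the title and message promise uniqueness of the whole `matchLabels` map. Either compare the full map or document the `app`-only assumption. Finally, an `apiCall` on an Istio CRD needs list permission that Kyverno's default ClusterRoles do not carry; the PR should ship aggregated ClusterRoles for `security.istio.io` resources (labels `rbac.kyverno.io/aggregate-to-admission-controller: "true"` and, because `background: true`, `rbac.kyverno.io/aggregate-to-background-controller: "true"`), otherwise the context lookup errors and with `Enforce` the request is blocked.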
43 changes: 43 additions & 0 deletions tetrate/tis0001/restrict-duplicate-requestauthentication.yaml
@@ -0,0 +1,43 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/description: When multiple RequestAuthentication objects exist, they must have unique spec.selector.matchLabels to avoid conflicts in authentication policies.
policies.kyverno.io/severity: medium
policies.kyverno.io/title: Detect Duplicate RequestAuthentication
name: detect-duplicate-request-authentication
spec:
background: true
rules:
- context:
- apiCall:
jmesPath: items
urlPath: /apis/security.istio.io/v1beta1/namespaces/{{request.namespace}}/requestauthentications
name: requestAuthList
match:
any:
- resources:
kinds:
- RequestAuthentication
name: detect-duplicate-request-authentication
preconditions:
all:
- key: '{{ requestAuthList | length(@) }}'
operator: GreaterThan
value: 0
- key: "{{ request.operation || 'BACKGROUND' }}"
operator: NotEquals
value: DELETE
validate:
deny:
conditions:
any:
- key: "{{ request.object.spec.selector.matchLabels || 'null' }}"
operator: Equals
value: "null"
- key: "{{ request.object.spec.selector.matchLabels.app }}"
operator: AnyIn
value: "{{ requestAuthList[].spec.selector.matchLabels.app }}"
message: When multiple RequestAuthentication objects exist, they must have unique spec.selector.matchLabels
validationFailureAction: Enforce
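Review bot: same self-match defect as the PeerAuthentication policy: `requestAuthList` is built from `jmesPath: items` without excluding `request.object.metadata.name`, so any UPDATE or background scan of a RequestAuthentication with an `app` selector finds itself in `requestAuthList[].spec.selector.matchLabels.app` and is denied. The `'null'` condition likewise rejects selector-less RequestAuthentication objects, which are valid namespace-wide (or, in the root namespace, mesh-wide) JWT policies, and the `.app`-only comparison does not match the message's promise of unique `matchLabels`. The `requestauthentications` list call also needs the same aggregated Kyverno RBAC as the PeerAuthentication rule.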
43 changes: 43 additions & 0 deletions tetrate/tis0001/restrict-duplicate-telemetry.yaml
@@ -0,0 +1,43 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/description: When multiple Telemetry objects exist, they must have unique spec.selector.matchLabels to avoid conflicts in authentication policies.
policies.kyverno.io/severity: medium
policies.kyverno.io/title: Detect Duplicate Telemetry
name: detect-duplicate-telemetry
spec:
background: true
rules:
- context:
- apiCall:
jmesPath: items
urlPath: /apis/telemetry.istio.io/v1alpha1/namespaces/{{request.namespace}}/telemetries
name: telemetryList
match:
any:
- resources:
kinds:
- Telemetry
name: detect-duplicate-telemetry
preconditions:
all:
- key: '{{ telemetryList | length(@) }}'
operator: GreaterThan
value: 0
- key: "{{ request.operation || 'BACKGROUND' }}"
operator: NotEquals
value: DELETE
validate:
deny:
conditions:
any:
- key: "{{ request.object.spec.selector.matchLabels || 'null' }}"
operator: Equals
value: "null"
- key: "{{ request.object.spec.selector.matchLabels.app }}"
operator: AnyIn
value: "{{ telemetryList[].spec.selector.matchLabels.app }}"
message: When multiple Telemetry objects exist, they must have unique spec.selector.matchLabels
validationFailureAction: Enforce
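Review bot: the description `to avoid conflicts in authentication policies` was copied from the PeerAuthentication/RequestAuthentication files; Telemetry is not an authentication policy, so the text should say telemetry configuration. More importantly, the `'null'` deny condition blocks every Telemetry object without a selector, and a selector-less Telemetry is the documented way to set namespace-wide defaults (and mesh-wide defaults in the root namespace), so this rule rejects the most common Telemetry shape. The self-match problem applies here too: `telemetryList` from `jmesPath: items` contains the object being updated, so updates and background scans of selector-based Telemetry deny themselves unless `request.object.metadata.name` is filtered out, and the `telemetry.istio.io` list call needs aggregated Kyverno RBAC.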
32 changes: 32 additions & 0 deletions tetrate/tis0003/validate-peerauthentication-app-exists.yaml
@@ -0,0 +1,32 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/description: This policy ensures that the app specified in PeerAuthentication's selector exists as a Pod in the cluster.
policies.kyverno.io/severity: medium
policies.kyverno.io/title: Validate PeerAuthentication App Exists
name: validate-peer-auth-app-exists
spec:
background: true
rules:
- context:
- apiCall:
jmesPath: items[?metadata.labels.app=='{{request.object.spec.selector.matchLabels.app}}'] | length(@)
urlPath: /api/v1/namespaces/{{request.namespace}}/pods
name: pods
match:
any:
- resources:
kinds:
- PeerAuthentication
name: check-app-exists
validate:
deny:
conditions:
all:
- key: '{{ pods }}'
operator: Equals
value: 0
message: The app '{{request.object.spec.selector.matchLabels.app}}' specified in PeerAuthentication selector must exist as a Pod in the cluster
validationFailureAction: Enforce
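Review bot: the context `jmesPath: items[?metadata.labels.app=='{{request.object.spec.selector.matchLabels.app}}'] | length(@)` has no guard for a PeerAuthentication without a selector (namespace-wide or mesh-wide policy): the variable cannot be resolved, the context fails to build, and the rule errors at admission, so add a precondition that skips the rule when `request.object.spec.selector.matchLabels.app` is empty (e.g. `key: "{{ request.object.spec.selector.matchLabels.app || '' }}"` / `operator: NotEquals` / `value: ""`). The rule also assumes the selector uses the `app` label; a selector on `app.kubernetes.io/name` or any other key yields a count of 0 and a denial. Because validate rules also see DELETE unless excluded (tis0001 does this with its `request.operation` precondition), teardown in the usual order (Deployment removed first, then the PeerAuthentication) is denied because no Pod matches any more; and on the create side, GitOps pipelines routinely apply the policy before the Pods exist, so `Enforce` blocks legitimate ordering where `Audit` would only report it. Minor: the context name `pods` holds a count, so `matchingPodCount` would read better.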
32 changes: 32 additions & 0 deletions tetrate/tis0003/validate-requestauthentication-app-exists.yaml
@@ -0,0 +1,32 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/description: This policy ensures that the app specified in RequestAuthentication's selector exists as a Pod in the cluster.
policies.kyverno.io/severity: medium
policies.kyverno.io/title: Validate RequestAuthentication App Exists
name: validate-request-auth-app-exists
spec:
background: true
rules:
- context:
- apiCall:
jmesPath: items[?metadata.labels.app=='{{request.object.spec.selector.matchLabels.app}}'] | length(@)
urlPath: /api/v1/namespaces/{{request.namespace}}/pods
name: pods
match:
any:
- resources:
kinds:
- RequestAuthentication
name: check-app-exists
validate:
deny:
conditions:
all:
- key: '{{ pods }}'
operator: Equals
value: 0
message: The app '{{request.object.spec.selector.matchLabels.app}}' specified in RequestAuthentication selector must exist as a Pod in the cluster
validationFailureAction: Enforce
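Review bot: same gaps as the PeerAuthentication variant: the unguarded `{{request.object.spec.selector.matchLabels.app}}` in the context makes the rule error for selector-less RequestAuthentication objects (valid namespace-wide policies), only the `app` label is recognised, and without a DELETE exclusion the object cannot be removed once its Pods are gone. A precondition on the `app` value being present, plus `Audit` rather than `Enforce` for this ordering-sensitive check, would address all three.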
32 changes: 32 additions & 0 deletions tetrate/tis0003/validate-telemetry-app-exists.yaml
@@ -0,0 +1,32 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/description: This policy ensures that the app specified in Telemetry's selector exists as a Pod in the cluster.
policies.kyverno.io/severity: medium
policies.kyverno.io/title: Validate Telemetry App Exists
name: validate-telemetry-app-exists
spec:
background: true
rules:
- context:
- apiCall:
jmesPath: items[?metadata.labels.app=='{{request.object.spec.selector.matchLabels.app}}'] | length(@)
urlPath: /api/v1/namespaces/{{request.namespace}}/pods
name: pods
match:
any:
- resources:
kinds:
- Telemetry
name: check-app-exists
validate:
deny:
conditions:
all:
- key: '{{ pods }}'
operator: Equals
value: 0
message: The app '{{request.object.spec.selector.matchLabels.app}}' specified in Telemetry selector must exist as a Pod in the cluster
validationFailureAction: Enforce
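Review bot: for Telemetry this check is the most intrusive of the three: selector-less Telemetry objects are the normal way to configure namespace-wide and mesh-wide telemetry, and with the unguarded `{{request.object.spec.selector.matchLabels.app}}` in the context every one of them makes the rule error instead of pass. Add a precondition that skips the rule when no `app` selector value is present, and note the same `app`-label-only and DELETE-ordering limitations as the other two tis0003 policies.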
@@ -0,0 +1,35 @@
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Pod Security
policies.kyverno.io/description: This policy ensures that any namespace specified in the source.namespace field of an AuthorizationPolicy's rules actually exists in the cluster.
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: AuthorizationPolicy, Namespace
policies.kyverno.io/title: Check AuthorizationPolicy Source Namespaces Exist
name: check-authzpolicy-namespace-exists
spec:
background: true
rules:
- context:
- apiCall:
jmesPath: items[].metadata.name
urlPath: /api/v1/namespaces
name: namespaces
match:
any:
- resources:
kinds:
- AuthorizationPolicy
name: validate-source-namespaces
validate:
foreach:
- deny:
conditions:
all:
- key: '{{ element }}'
operator: AnyNotIn
value: '{{ namespaces }}'
list: request.object.spec.rules[].from[].source.namespaces[]
message: The namespace(s) specified in the source namespaces field must exist in the cluster.
validationFailureAction: Enforce
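Review bot: `source.namespaces` in an Istio AuthorizationPolicy accepts wildcard matches (`*`, prefix `prod-*`, suffix `*-team`), and the `foreach` over `request.object.spec.rules[].from[].source.namespaces[]` compares each element literally against `{{ namespaces }}`, so any wildcard entry is denied as a nonexistent namespace; skip elements containing `*` before the `AnyNotIn` check (e.g. a condition `key: "{{ contains(element, '*') }}"` / `operator: Equals` / `value: false`). Since `element` is a single string, `NotIn` expresses the intent more directly than `AnyNotIn`. The annotation `policies.kyverno.io/category: Pod Security` is wrong for this policy; it belongs with the `Security` category used by the other files. Also consider `Audit`: a namespace referenced by a policy before it is created is a benign ordering case, and a rule on `source.namespaces` is not what allows traffic into it.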
@@ -0,0 +1,38 @@
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Other
policies.kyverno.io/description: This policy ensures that any namespace specified in the spec.exportTo field of a ServiceEntry actually exists in the cluster.
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: ServiceEntry, Namespace
policies.kyverno.io/title: Check ServiceEntry ExportTo Namespace Exists
name: check-serviceentry-export-to-namespace-exists
spec:
background: true
rules:
- context:
- apiCall:
jmesPath: items[].metadata.name
urlPath: /api/v1/namespaces
name: namespaces
match:
any:
- resources:
kinds:
- ServiceEntry
name: validate-export-to-namespaces
validate:
foreach:
- deny:
conditions:
all:
- key: '{{ element }}'
operator: NotEquals
value: "."
- key: '{{ element }}'
operator: AnyNotIn
value: '{{ namespaces }}'
list: request.object.spec.exportTo[]
message: The namespace(s) specified in the exportTo field must exist in the cluster.
validationFailureAction: Enforce
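Review bot: `exportTo` reserves two values, `.` (same namespace) and `*` (all namespaces), but the `all` block only exempts `.` (`operator: NotEquals` / `value: "."`), so a ServiceEntry with `exportTo: ["*"]` is denied as referencing a nonexistent namespace. Add a second `NotEquals` condition for `"*"` (or a single `NotIn` against `[".", "*"]`). `NotIn` also fits the scalar `element` better than `AnyNotIn`. The category `Other` is inconsistent with the `Security` category on the rest of the PR; pick one for the set.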
@@ -0,0 +1,38 @@
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Other
policies.kyverno.io/description: This policy ensures that any namespace specified in the spec.exportTo field of a VirtualService actually exists in the cluster.
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: VirtualService, Namespace
policies.kyverno.io/title: Check VirtualService ExportTo Namespace Exists
name: check-virtualservice-export-to-namespace-exists
spec:
background: true
rules:
- context:
- apiCall:
jmesPath: items[].metadata.name
urlPath: /api/v1/namespaces
name: namespaces
match:
any:
- resources:
kinds:
- VirtualService
name: validate-export-to-namespaces
validate:
foreach:
- deny:
conditions:
all:
- key: '{{ element }}'
operator: NotEquals
value: "."
- key: '{{ element }}'
operator: AnyNotIn
value: '{{ namespaces }}'
list: request.object.spec.exportTo[]
message: The namespace(s) specified in the exportTo field must exist in the cluster.
validationFailureAction: Enforce
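Review bot: identical `*` gap as the ServiceEntry policy: only `.` is exempted, so `exportTo: ["*"]` on a VirtualService is rejected even though it is a reserved, valid value; exempt `*` alongside `.`. Since this file is a copy of the ServiceEntry rule with the kind swapped, it may be worth a single policy matching both kinds (`kinds: [ServiceEntry, VirtualService]`) so the two cannot drift.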
32 changes: 32 additions & 0 deletions tetrate/tis0005/validate-root-ca-cert.yaml
@@ -0,0 +1,32 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: validate-root-ca-cert
spec:
background: false
rules:
- match:
any:
- resources:
kinds:
- Secret
names:
- root-ca
namespaces:
- istio-system
name: validate-root-ca-cert
validate:
deny:
conditions:
any:
- key: "{{ request.object.data.\"ca-cert.pem\" | base64_decode(@) \n | parse_x509(\"notAfter\") | date_before(\"now\") }}"
operator: Equals
value: true
- key: "{{ request.object.data.\"ca-cert.pem\" | base64_decode(@) \n | parse_x509(\"subject\") | length(@) }}"
operator: Equals
value: 0
- key: "{{ request.object.data.\"ca-cert.pem\" | base64_decode(@) \n | parse_x509(\"san\") | length(@) }}"
operator: Equals
value: 0
message: The root CA certificate must be valid and properly formatted
validationFailureAction: Enforce
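Review bot: `parse_x509` and `date_before`, used in all three `key` expressions, are not Kyverno JMESPath filters that I can find; Kyverno's documented ones are `x509_decode` (returns the certificate as an object with fields such as `NotAfter`, `Subject`, `DNSNames` and `IsCA`) and the `time_*` family (`time_now`, `time_before`, `time_after`), so as written the rule errors on every matching Secret rather than validating it. The third condition also has a logic problem: it denies a certificate whose SAN list is empty, but root and intermediate CA certificates normally carry no SAN, so a correct CA Secret fails the check; `IsCA` being true is the property worth asserting. Please confirm the target as well: Istio's plugin-CA convention is a Secret named `cacerts` in `istio-system` with keys `ca-cert.pem` (the signing/intermediate cert), `ca-key.pem`, `root-cert.pem` and `cert-chain.pem`, whereas this policy matches `names: - root-ca` and parses `ca-cert.pem` while the title says root CA. Smaller points: guard for a missing `ca-cert.pem` key before `base64_decode`, drop the literal `\n` inside the quoted keys (harmless to JMESPath but looks accidental), and note that with `background: false` expiry is only evaluated at write time, so a certificate that expires while stored is never reported.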