feat: tetrate policies

tetrate/TIS0303/check-duplicate-certificate-gateway.yaml

@@ -0,0 +1,46 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: enforce-unique-gateway-tls
+  annotations:
+    policies.kyverno.io/title: Enforce Unique Gateway TLS Credentials
+    policies.kyverno.io/category: Istio Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Gateway
+    policies.kyverno.io/description: >-
+      Ensures that the same TLS credentialName is not reused across multiple Gateways
+      in the same namespace to prevent 404 errors when clients reuse HTTP2 connections.
+spec:
+  validationFailureAction: Enforce
+  rules:
+    - name: enforce-unique-gateway-tls
+      match:
+        any:
+          - resources:
+              kinds:
+                - Gateway
+              operations:
+                - CREATE
+                - UPDATE
+      context:
+        - name: manifestNamespace
+          variable:
+            value: "{{ request.object.metadata.namespace }}"
+        - name: manifestTLS
+          variable:
+            jmesPath: "request.object.spec.servers[].tls.credentialName | [?@ != null] | [*]"
+        - name: existingTLS
+          apiCall:
+            urlPath: "/apis/networking.istio.io/v1/namespaces/{{ manifestNamespace }}/gateways"
+            jmesPath: "items[].spec.servers[].tls.credentialName | [?@ != null] | [*]"
+      validate:
+        message: "TLS credentials are being reused across Gateways in namespace '{{ manifestNamespace }}'. This may cause 404 errors when clients reuse HTTP2 connections. TLS used in manifest: {{ manifestTLS }}, existingTLS: {{ existingTLS }}"
+        deny:
+          conditions:
+            all:
+            - key: "{{ manifestTLS }}"
+              operator: AnyIn
+              value: "{{ existingTLS }}"
+            - key: "{{ existingTLS }}"
+              operator: AnyIn
+              value: "{{ manifestTLS }}"

tetrate/TIS0303/resource.yaml

@@ -0,0 +1,46 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: good-resource-1
+  namespace: test
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+  - port:
+      number: 443
+      name: https
+      protocol: HTTPS
+    hosts:
+    - "example.com"
+    tls:
+      mode: SIMPLE
+      credentialName: example-cert-2
+---
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: bad-resource-1
+  namespace: test
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+  - port:
+      number: 443
+      name: https
+      protocol: HTTPS
+    hosts:
+    - "example.com"
+    tls:
+      mode: SIMPLE
+      credentialName: example-cert-1
+  - port:
+      number: 443
+      name: https
+      protocol: HTTPS
+    hosts:
+    - "example.com"
+    tls:
+      mode: SIMPLE
+      credentialName: example-cert-3

tetrate/TIS1402/enforce-valid-service-refs.yaml

@@ -0,0 +1,42 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: enforce-valid-service-refs
+  annotations:
+    policies.kyverno.io/title: Enforce Valid Service References
+    policies.kyverno.io/category: Istio Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: HTTPRoute
+    policies.kyverno.io/description: >-
+      Ensures that backendRefs in HTTPRoute point to existing services within the same namespace.
+spec:
+  validationFailureAction: Enforce
+  rules:
+    - name: enforce-valid-service-refs
+      match:
+        any:
+          - resources:
+              kinds:
+              - HTTPRoute
+              operations:
+              - CREATE
+              - UPDATE
+      context:
+        - name: namespace
+          variable:
+            value: "{{ request.object.metadata.namespace }}"
+        - name: serviceNames
+          variable:
+            jmesPath: "request.object.spec.rules[*].backendRefs[?kind=='Service' || kind==null].name | []"
+        - name: existingServices
+          apiCall:
+            urlPath: "/api/v1/namespaces/{{ namespace }}/services"
+            jmesPath: "items[*].metadata.name"
+      validate:
+        message: "One or more referenced services do not exist in namespace '{{ namespace }}'. Referenced: '{{ serviceNames }}', Existing: '{{ existingServices }}'."
+        deny:
+          conditions:
+            any:
+              - key: "{{ serviceNames }}"
+                operator: AnyNotIn
+                value: "{{ existingServices }}"

tetrate/TIS1402/resource.yaml

@@ -0,0 +1,45 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: good-resource-1
+  namespace: test
+spec:
+  parentRefs:
+  - group: gateway.networking.k8s.io
+    kind: Gateway
+    name: eg
+  rules:
+  - backendRefs:
+    - group: ""
+      kind: Service
+      name: existing-service  
+      namespace: test
+      port: 443
+      weight: 1
+    matches:
+    - path:
+        type: PathPrefix
+        value: /
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: bad-resource-1
+  namespace: test
+spec:
+  parentRefs:
+  - group: gateway.networking.k8s.io
+    kind: Gateway
+    name: eg
+  rules:
+  - backendRefs:
+    - group: ""
+      kind: Service
+      name: non-existing-service  
+      namespace: test
+      port: 443
+      weight: 1
+    matches:
+    - path:
+        type: PathPrefix
+        value: /