From 39a7c1245038aac0fc09186cd557ada6f9fe0b32 Mon Sep 17 00:00:00 2001 
From: savagebidoof Date: Wed, 26 Apr 2023 02:36:23 +0200 Subject: [PATCH] Directory renaming --- .../09-HTTPS-backend/README.md | 2 +- .../01-target-namespaces/01-namespace.yaml | 0 .../01-target-namespaces/README.md | 0 .../01-target-namespaces/authentication.yaml | 0 .../01-target-namespaces/deployment.yaml | 0 .../01-target-namespaces/deployment_2.yaml | 0 .../01-target-namespaces/gateway.yaml | 0 .../01-namespace.yaml | 0 .../01-service-accounts.yaml | 0 .../02-target-service-accounts/README.md | 0 .../authentication.yaml | 0 .../deployment.yaml | 0 .../deployment_2.yaml | 0 .../02-target-service-accounts/gateway.yaml | 0 .../06-AuthorizationPolicy/04-audit/README.md | 17 + .../04-audit/authentication.yaml | 45 +++ .../04-audit/deployment.yaml | 48 +++ .../04-audit/gateway.yaml} | 29 +- .../05-disable-mTLS}/authentication.yaml | 0 .../05-disable-mTLS}/deployment.yaml | 0 .../05-disable-mTLS}/gateway.yaml | 0 .../README.md | 12 +- Istio/__bookshelf/README.md | 1 - Istio/__bookshelf/bookinfo.yaml | 343 ------------------ 24 files changed, 128 insertions(+), 369 deletions(-) rename Istio/{06-Internal-Authentication => 06-AuthorizationPolicy}/01-target-namespaces/01-namespace.yaml (100%) rename Istio/{06-Internal-Authentication => 06-AuthorizationPolicy}/01-target-namespaces/README.md (100%) rename Istio/{06-Internal-Authentication => 06-AuthorizationPolicy}/01-target-namespaces/authentication.yaml (100%) rename Istio/{06-Internal-Authentication => 06-AuthorizationPolicy}/01-target-namespaces/deployment.yaml (100%) rename Istio/{06-Internal-Authentication => 06-AuthorizationPolicy}/01-target-namespaces/deployment_2.yaml (100%) rename Istio/{06-Internal-Authentication => 06-AuthorizationPolicy}/01-target-namespaces/gateway.yaml (100%) rename Istio/{06-Internal-Authentication => 06-AuthorizationPolicy}/02-target-service-accounts/01-namespace.yaml (100%) rename Istio/{06-Internal-Authentication => 
06-AuthorizationPolicy}/02-target-service-accounts/01-service-accounts.yaml (100%) rename Istio/{06-Internal-Authentication => 06-AuthorizationPolicy}/02-target-service-accounts/README.md (100%) rename Istio/{06-Internal-Authentication => 06-AuthorizationPolicy}/02-target-service-accounts/authentication.yaml (100%) rename Istio/{06-Internal-Authentication => 06-AuthorizationPolicy}/02-target-service-accounts/deployment.yaml (100%) rename Istio/{06-Internal-Authentication => 06-AuthorizationPolicy}/02-target-service-accounts/deployment_2.yaml (100%) rename Istio/{06-Internal-Authentication => 06-AuthorizationPolicy}/02-target-service-accounts/gateway.yaml (100%) create mode 100755 Istio/06-AuthorizationPolicy/04-audit/README.md create mode 100644 Istio/06-AuthorizationPolicy/04-audit/authentication.yaml create mode 100755 Istio/06-AuthorizationPolicy/04-audit/deployment.yaml rename Istio/{__bookshelf/bookinfo-gateway.yaml => 06-AuthorizationPolicy/04-audit/gateway.yaml} (50%) rename Istio/{06-Internal-Authentication/03-disable-mTLS => 06-AuthorizationPolicy/05-disable-mTLS}/authentication.yaml (100%) rename Istio/{06-Internal-Authentication/03-disable-mTLS => 06-AuthorizationPolicy/05-disable-mTLS}/deployment.yaml (100%) rename Istio/{06-Internal-Authentication/03-disable-mTLS => 06-AuthorizationPolicy/05-disable-mTLS}/gateway.yaml (100%) rename Istio/{06-Internal-Authentication => 06-AuthorizationPolicy}/README.md (67%) delete mode 100755 Istio/__bookshelf/README.md delete mode 100755 Istio/__bookshelf/bookinfo.yaml diff --git a/Istio/02-Traffic_management/09-HTTPS-backend/README.md b/Istio/02-Traffic_management/09-HTTPS-backend/README.md index 76d945b..c236283 100644 --- a/Istio/02-Traffic_management/09-HTTPS-backend/README.md +++ b/Istio/02-Traffic_management/09-HTTPS-backend/README.md 
@@ -197,7 +197,7 @@ spec: ``` > **Note**:\ -> As this configuration is very board, and targets the whole namespace, I would strongly recommend referring to the following example [06-Internal-Authentication/02-target-service-accounts](../../06-Internal-Authentication/02-target-service-accounts), which shows how to target service accounts set to resources, limiting the scope of this rule set. +> As this configuration is very board, and targets the whole namespace, I would strongly recommend referring to the following example [06-Internal-Authentication/02-target-service-accounts](../../06-AuthorizationPolicy/02-target-service-accounts), which shows how to target service accounts set to resources, limiting the scope of this rule set. # Walkthrough diff --git a/Istio/06-Internal-Authentication/01-target-namespaces/01-namespace.yaml b/Istio/06-AuthorizationPolicy/01-target-namespaces/01-namespace.yaml similarity index 100% rename from Istio/06-Internal-Authentication/01-target-namespaces/01-namespace.yaml rename to Istio/06-AuthorizationPolicy/01-target-namespaces/01-namespace.yaml diff --git a/Istio/06-Internal-Authentication/01-target-namespaces/README.md b/Istio/06-AuthorizationPolicy/01-target-namespaces/README.md similarity index 100% rename from Istio/06-Internal-Authentication/01-target-namespaces/README.md rename to Istio/06-AuthorizationPolicy/01-target-namespaces/README.md diff --git a/Istio/06-Internal-Authentication/01-target-namespaces/authentication.yaml b/Istio/06-AuthorizationPolicy/01-target-namespaces/authentication.yaml similarity index 100% rename from Istio/06-Internal-Authentication/01-target-namespaces/authentication.yaml rename to Istio/06-AuthorizationPolicy/01-target-namespaces/authentication.yaml 
diff --git a/Istio/06-Internal-Authentication/01-target-namespaces/deployment.yaml b/Istio/06-AuthorizationPolicy/01-target-namespaces/deployment.yaml similarity index 100% rename from Istio/06-Internal-Authentication/01-target-namespaces/deployment.yaml rename to Istio/06-AuthorizationPolicy/01-target-namespaces/deployment.yaml diff --git a/Istio/06-Internal-Authentication/01-target-namespaces/deployment_2.yaml b/Istio/06-AuthorizationPolicy/01-target-namespaces/deployment_2.yaml similarity index 100% rename from Istio/06-Internal-Authentication/01-target-namespaces/deployment_2.yaml rename to Istio/06-AuthorizationPolicy/01-target-namespaces/deployment_2.yaml diff --git a/Istio/06-Internal-Authentication/01-target-namespaces/gateway.yaml b/Istio/06-AuthorizationPolicy/01-target-namespaces/gateway.yaml similarity index 100% rename from Istio/06-Internal-Authentication/01-target-namespaces/gateway.yaml rename to Istio/06-AuthorizationPolicy/01-target-namespaces/gateway.yaml diff --git a/Istio/06-Internal-Authentication/02-target-service-accounts/01-namespace.yaml b/Istio/06-AuthorizationPolicy/02-target-service-accounts/01-namespace.yaml similarity index 100% rename from Istio/06-Internal-Authentication/02-target-service-accounts/01-namespace.yaml rename to Istio/06-AuthorizationPolicy/02-target-service-accounts/01-namespace.yaml diff --git a/Istio/06-Internal-Authentication/02-target-service-accounts/01-service-accounts.yaml b/Istio/06-AuthorizationPolicy/02-target-service-accounts/01-service-accounts.yaml similarity index 100% rename from Istio/06-Internal-Authentication/02-target-service-accounts/01-service-accounts.yaml rename to Istio/06-AuthorizationPolicy/02-target-service-accounts/01-service-accounts.yaml 
diff --git a/Istio/06-Internal-Authentication/02-target-service-accounts/README.md b/Istio/06-AuthorizationPolicy/02-target-service-accounts/README.md similarity index 100% rename from Istio/06-Internal-Authentication/02-target-service-accounts/README.md rename to Istio/06-AuthorizationPolicy/02-target-service-accounts/README.md diff --git a/Istio/06-Internal-Authentication/02-target-service-accounts/authentication.yaml b/Istio/06-AuthorizationPolicy/02-target-service-accounts/authentication.yaml similarity index 100% rename from Istio/06-Internal-Authentication/02-target-service-accounts/authentication.yaml rename to Istio/06-AuthorizationPolicy/02-target-service-accounts/authentication.yaml diff --git a/Istio/06-Internal-Authentication/02-target-service-accounts/deployment.yaml b/Istio/06-AuthorizationPolicy/02-target-service-accounts/deployment.yaml similarity index 100% rename from Istio/06-Internal-Authentication/02-target-service-accounts/deployment.yaml rename to Istio/06-AuthorizationPolicy/02-target-service-accounts/deployment.yaml diff --git a/Istio/06-Internal-Authentication/02-target-service-accounts/deployment_2.yaml b/Istio/06-AuthorizationPolicy/02-target-service-accounts/deployment_2.yaml similarity index 100% rename from Istio/06-Internal-Authentication/02-target-service-accounts/deployment_2.yaml rename to Istio/06-AuthorizationPolicy/02-target-service-accounts/deployment_2.yaml diff --git a/Istio/06-Internal-Authentication/02-target-service-accounts/gateway.yaml b/Istio/06-AuthorizationPolicy/02-target-service-accounts/gateway.yaml similarity index 100% rename from Istio/06-Internal-Authentication/02-target-service-accounts/gateway.yaml rename to Istio/06-AuthorizationPolicy/02-target-service-accounts/gateway.yaml diff --git a/Istio/06-AuthorizationPolicy/04-audit/README.md b/Istio/06-AuthorizationPolicy/04-audit/README.md new file mode 100755 index 0000000..a0296bc --- /dev/null +++ b/Istio/06-AuthorizationPolicy/04-audit/README.md 
@@ -0,0 +1,17 @@
+
+# Based on
+
+Resources:
+
+- [01-Simple/01-hello_world_1_service_1_deployment](../../01-Simple/01-hello_world_1_service_1_deployment)
+
+AuthorizationPolicies:
+
+- [01-target-namespaces](../01-target-namespaces)
+
+# Description
+
+This example aims to trigger Audit rules, and where to see these events.
+
+
+https://istio.io/latest/docs/reference/config/security/authorization-policy/
\ No newline at end of file
diff --git a/Istio/06-AuthorizationPolicy/04-audit/authentication.yaml b/Istio/06-AuthorizationPolicy/04-audit/authentication.yaml
new file mode 100644
index 0000000..4f5c20a
--- /dev/null
+++ b/Istio/06-AuthorizationPolicy/04-audit/authentication.yaml
@@ -0,0 +1,45 @@
+# Deny all requests to namespace foo
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-nothing
+ namespace: foo
+spec:
+ {}
+---
+# Deny all requests to namespace default
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-nothing
+ namespace: default
+spec:
+ {}
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-from-istio-system
+ namespace: foo
+spec:
+ action: ALLOW
+ rules:
+ - from:
+ - source:
+ namespaces: ["istio-system"]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-head-from-default
+ namespace: foo
+spec:
+ action: ALLOW
+ rules:
+ - from:
+ - source:
+ namespaces: ["default"]
+ to:
+ - operation:
+ methods: ["HEAD"]
+ notPaths: ["/secret*"]
\ No newline at end of file
diff --git a/Istio/06-AuthorizationPolicy/04-audit/deployment.yaml b/Istio/06-AuthorizationPolicy/04-audit/deployment.yaml
new file mode 100755
index 0000000..36e6b76
--- /dev/null
+++ b/Istio/06-AuthorizationPolicy/04-audit/deployment.yaml
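Review bot: Nothing in this file carries `action: AUDIT`, even though the directory is `04-audit` and the README added in the same commit says the example "aims to trigger Audit rules"; the four policies are the same deny-all plus two ALLOW rules as `01-target-namespaces`, so applying them yields allow/deny decisions and no audit record at all. An AUDIT policy has to be added explicitly, for instance one scoped to the `/secret*` paths that `allow-head-from-default` already excludes, as sketched below; it sits alongside the existing set and does not change their outcome. A header comment should also say that AUDIT never allows or denies anything and that, as far as the current implementation goes, records only show up once an audit provider is configured in the mesh config, otherwise the reader will look for events that cannot exist. Separately, `source.namespaces` is derived from the peer's mTLS identity, so both ALLOW rules silently stop matching (everything is denied) when a caller reaches the sidecar in plaintext — a one-line comment `# source.namespaces needs mTLS; plaintext callers never match these rules` would save the next person a debugging session.

```yaml
# … unchanged: allow-nothing (foo, default), allow-from-istio-system, allow-head-from-default …
---
# Record, but do not block, any access to /secret* in namespace foo.
# AUDIT produces no decision; an audit provider must be configured in meshConfig for records to appear.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: audit-secret
  namespace: foo
spec:
  action: AUDIT
  rules:
  - to:
    - operation:
        paths: ["/secret*"]
```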
@@ -0,0 +1,48 @@
+# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - port: 80
+ name: http
+ selector:
+ app: helloworld
+---
+#apiVersion: v1
+#kind: ServiceAccount
+#metadata:
+# name: istio-helloworld
+# labels:
+# account:
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld-nginx
+ labels:
+ app: helloworld
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ spec:
+# serviceAccountName: istio-helloworld
+ containers:
+ - name: helloworld
+ image: nginx
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent #Always
+ ports:
+ - containerPort: 80
diff --git a/Istio/__bookshelf/bookinfo-gateway.yaml b/Istio/06-AuthorizationPolicy/04-audit/gateway.yaml
similarity index 50%
rename from Istio/__bookshelf/bookinfo-gateway.yaml
rename to Istio/06-AuthorizationPolicy/04-audit/gateway.yaml
index 57fb37b..252a01e 100755
--- a/Istio/__bookshelf/bookinfo-gateway.yaml
+++ b/Istio/06-AuthorizationPolicy/04-audit/gateway.yaml
@@ -1,8 +1,7 @@
-
 apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
- name: bookinfo-gateway
+ name: helloworld-gateway
 spec:
 selector:
 istio: ingressgateway # use istio default controller
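Review bot: Neither the Service nor the Deployment sets `metadata.namespace`, while the policies this example pairs with are scoped to `foo` and `default`, so where these objects land (and which `allow-nothing` they fall under) depends entirely on the kubectl context at apply time; I would add `namespace: foo` under both `metadata:` blocks, or at least state the `-n foo` in the README. The container is `image: nginx` with no tag or digest, which resolves to whatever `latest` happens to be on the node, so for a security example I would pin it (`image: nginx:<version>` or `nginx@sha256:…`) to keep the results reproducible. With `serviceAccountName` left commented out the pod runs as the namespace's `default` ServiceAccount and its mesh identity ends in `/sa/default`; that is fine for a namespace-scoped demo, but a comment such as `# runs as the default SA: policies in 02-target-service-accounts presumably cannot single out this workload` would make the trade-off explicit. Note also that no `securityContext` is set at all, whereas the `bookinfo.yaml` deleted in this same commit carried `runAsUser: 1000`; the stock nginx image needs root to bind port 80, so I would not copy that blindly, but the omission is worth a comment.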
@@ -17,36 +16,20 @@ spec:
 apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
- name: bookinfo
+ name: helloworld-vs
 spec:
 hosts:
 - "*"
 gateways:
- - bookinfo-gateway
+ - helloworld-gateway
 http:
- - match:
- - uri:
- exact: /productpage
- - uri:
- prefix: /static
- - uri:
- exact: /login
- - uri:
- exact: /logout
- - uri:
- prefix: /api/v1/products
- route:
- - destination:
- host: productpage
- port:
- number: 9080
 - match:
 - uri:
 exact: /helloworld
 route:
 - destination:
- host: productpage
+ host: helloworld
 port:
- number: 9080
+ number: 80
 rewrite:
- uri: "/productpage"
+ uri: "/"
\ No newline at end of file
diff --git a/Istio/06-Internal-Authentication/03-disable-mTLS/authentication.yaml b/Istio/06-AuthorizationPolicy/05-disable-mTLS/authentication.yaml
similarity index 100%
rename from Istio/06-Internal-Authentication/03-disable-mTLS/authentication.yaml
rename to Istio/06-AuthorizationPolicy/05-disable-mTLS/authentication.yaml
diff --git a/Istio/06-Internal-Authentication/03-disable-mTLS/deployment.yaml b/Istio/06-AuthorizationPolicy/05-disable-mTLS/deployment.yaml
similarity index 100%
rename from Istio/06-Internal-Authentication/03-disable-mTLS/deployment.yaml
rename to Istio/06-AuthorizationPolicy/05-disable-mTLS/deployment.yaml
diff --git a/Istio/06-Internal-Authentication/03-disable-mTLS/gateway.yaml b/Istio/06-AuthorizationPolicy/05-disable-mTLS/gateway.yaml
similarity index 100%
rename from Istio/06-Internal-Authentication/03-disable-mTLS/gateway.yaml
rename to Istio/06-AuthorizationPolicy/05-disable-mTLS/gateway.yaml
diff --git a/Istio/06-Internal-Authentication/README.md b/Istio/06-AuthorizationPolicy/README.md
similarity index 67%
rename from Istio/06-Internal-Authentication/README.md
rename to Istio/06-AuthorizationPolicy/README.md
index dc7c773..b8fa14d 100644
--- a/Istio/06-Internal-Authentication/README.md
+++ b/Istio/06-AuthorizationPolicy/README.md
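Review bot: After this hunk the VirtualService routes only an exact `/helloworld` match, rewritten to `/`, so `/helloworld` is the sole path reachable through the ingress and the `/secret*` exclusion in this directory's `authentication.yaml` can never be exercised from outside the mesh; if the point of the example is to see audit events on that path, a second route such as `- match: [{uri: {prefix: /secret}}]` with `route: [{destination: {host: helloworld, port: {number: 80}}}]` and no rewrite is needed. The retained `hosts: - "*"` means the VirtualService matches whatever Host values the Gateway's `servers` block admits (that block lies between the two hunks and is outside this view), which is acceptable in a lab but deserves a `# demo only: wildcard host` comment so it is not copied into a real configuration. The file also stays on `networking.istio.io/v1alpha3` while `authentication.yaml` in the same commit uses `security.istio.io/v1beta1`; the networking API has a `v1beta1` as well, and keeping the example on one API generation makes it clearer which Istio release it was tested against.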
@@ -10,7 +10,17 @@ - Audit / logs (should be the 3th) +- disable mTLS (4th) JWT seems important, refer to source.requestPrincipals -https://istio.io/latest/docs/tasks/security/authentication/ \ No newline at end of file +https://istio.io/latest/docs/tasks/security/authentication/ + + + +Per deployment: +```yaml + selector: + matchLabels: + app: myapi +``` \ No newline at end of file diff --git a/Istio/__bookshelf/README.md b/Istio/__bookshelf/README.md deleted file mode 100755 index 4ce3894..0000000 --- a/Istio/__bookshelf/README.md +++ /dev/null @@ -1 +0,0 @@ -# Example from istio, storing it for testing purposes \ No newline at end of file diff --git a/Istio/__bookshelf/bookinfo.yaml b/Istio/__bookshelf/bookinfo.yaml deleted file mode 100755 index 4de3a21..0000000 --- a/Istio/__bookshelf/bookinfo.yaml +++ /dev/null 
@@ -1,343 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# This file defines the services, service accounts, and deployments for the Bookinfo sample. -# -# To apply all 4 Bookinfo services, their corresponding service accounts, and deployments: -# -# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -# -# Alternatively, you can deploy any resource separately: -# -# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l service=reviews # reviews Service -# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l account=reviews # reviews ServiceAccount -# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l app=reviews,version=v3 # reviews-v3 Deployment -################################################################################################## - -################################################################################################## -# Details service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: details - labels: - app: details - service: details -spec: - ports: - - port: 9080 - name: http - selector: - app: details ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-details - labels: - account: details ---- -apiVersion: apps/v1 -kind: Deployment 
-metadata: - name: details-v1 - labels: - app: details - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: details - version: v1 - template: - metadata: - labels: - app: details - version: v1 - spec: - serviceAccountName: bookinfo-details - containers: - - name: details - image: docker.io/istio/examples-bookinfo-details-v1:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - securityContext: - runAsUser: 1000 ---- -################################################################################################## -# Ratings service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: ratings - labels: - app: ratings - service: ratings -spec: - ports: - - port: 9080 - name: http - selector: - app: ratings ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-ratings - labels: - account: ratings ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ratings-v1 - labels: - app: ratings - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: ratings - version: v1 - template: - metadata: - labels: - app: ratings - version: v1 - spec: - serviceAccountName: bookinfo-ratings - containers: - - name: ratings - image: docker.io/istio/examples-bookinfo-ratings-v1:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - securityContext: - runAsUser: 1000 ---- -################################################################################################## -# Reviews service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: reviews - labels: - app: reviews - service: reviews -spec: - ports: - - port: 9080 - name: http - selector: - app: reviews ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-reviews - labels: - account: reviews ---- -apiVersion: apps/v1 -kind: Deployment 
-metadata: - name: reviews-v1 - labels: - app: reviews - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: reviews - version: v1 - template: - metadata: - labels: - app: reviews - version: v1 - spec: - serviceAccountName: bookinfo-reviews - containers: - - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v1:1.17.0 - imagePullPolicy: IfNotPresent - env: - - name: LOG_DIR - value: "/tmp/logs" - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: wlp-output - mountPath: /opt/ibm/wlp/output - securityContext: - runAsUser: 1000 - volumes: - - name: wlp-output - emptyDir: {} - - name: tmp - emptyDir: {} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reviews-v2 - labels: - app: reviews - version: v2 -spec: - replicas: 1 - selector: - matchLabels: - app: reviews - version: v2 - template: - metadata: - labels: - app: reviews - version: v2 - spec: - serviceAccountName: bookinfo-reviews - containers: - - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v2:1.17.0 - imagePullPolicy: IfNotPresent - env: - - name: LOG_DIR - value: "/tmp/logs" - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: wlp-output - mountPath: /opt/ibm/wlp/output - securityContext: - runAsUser: 1000 - volumes: - - name: wlp-output - emptyDir: {} - - name: tmp - emptyDir: {} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reviews-v3 - labels: - app: reviews - version: v3 -spec: - replicas: 1 - selector: - matchLabels: - app: reviews - version: v3 - template: - metadata: - labels: - app: reviews - version: v3 - spec: - serviceAccountName: bookinfo-reviews - containers: - - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v3:1.17.0 - imagePullPolicy: IfNotPresent - env: - - name: LOG_DIR - value: "/tmp/logs" - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: wlp-output - mountPath: /opt/ibm/wlp/output 
- securityContext: - runAsUser: 1000 - volumes: - - name: wlp-output - emptyDir: {} - - name: tmp - emptyDir: {} ---- -################################################################################################## -# Productpage services -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: productpage - labels: - app: productpage - service: productpage -spec: - ports: - - port: 9080 - name: http - selector: - app: productpage ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-productpage - labels: - account: productpage ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: productpage-v1 - labels: - app: productpage - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: productpage - version: v1 - template: - metadata: - labels: - app: productpage - version: v1 - spec: - serviceAccountName: bookinfo-productpage - containers: - - name: productpage - image: docker.io/istio/examples-bookinfo-productpage-v1:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - securityContext: - runAsUser: 1000 - volumes: - - name: tmp - emptyDir: {} ----