1// Copyright Istio Authors
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15// nolint: gocritic
16package ambient17
18import (19securityclient "istio.io/client-go/pkg/apis/security/v1beta1"20"istio.io/istio/pilot/pkg/model"21"istio.io/istio/pkg/kube/krt"22"istio.io/istio/pkg/workloadapi/security"23)
24
// PolicyCollections derives the ambient WorkloadAuthorization collections from
// the AuthorizationPolicy and PeerAuthentication collections.
//
// It returns two collections. The first holds only the policies derived from
// AuthorizationPolicy objects. The second joins those with the policies derived
// from PeerAuthentication objects plus, whenever at least one PeerAuthentication
// exists, a static DENY policy named staticStrictPolicyName in the mesh root
// namespace; the second collection is the full set sent down to clients.
//
// Both converters read the mesh root namespace from MeshConfig; a converter
// returning nil yields no entry for that object.
func PolicyCollections(
	AuthzPolicies krt.Collection[*securityclient.AuthorizationPolicy],
	PeerAuths krt.Collection[*securityclient.PeerAuthentication],
	MeshConfig krt.Singleton[MeshConfig],
) (krt.Collection[model.WorkloadAuthorization], krt.Collection[model.WorkloadAuthorization]) {
	// Policies derived from AuthorizationPolicy objects, selected by the
	// object's own workload selector labels.
	authzDerived := krt.NewCollection(AuthzPolicies, func(ctx krt.HandlerContext, ap *securityclient.AuthorizationPolicy) *model.WorkloadAuthorization {
		rootNS := krt.FetchOne(ctx, MeshConfig.AsCollection()).GetRootNamespace()
		converted := convertAuthorizationPolicy(rootNS, ap)
		if converted == nil {
			return nil
		}
		selector := model.NewSelector(ap.Spec.GetSelector().GetMatchLabels())
		return &model.WorkloadAuthorization{Authorization: converted, LabelSelector: selector}
	}, krt.WithName("AuthzDerivedPolicies"))

	// Policies derived from PeerAuthentication objects, same shape as above.
	peerAuthDerived := krt.NewCollection(PeerAuths, func(ctx krt.HandlerContext, pa *securityclient.PeerAuthentication) *model.WorkloadAuthorization {
		rootNS := krt.FetchOne(ctx, MeshConfig.AsCollection()).GetRootNamespace()
		converted := convertPeerAuthentication(rootNS, pa)
		if converted == nil {
			return nil
		}
		selector := model.NewSelector(pa.Spec.GetSelector().GetMatchLabels())
		return &model.WorkloadAuthorization{Authorization: converted, LabelSelector: selector}
	}, krt.WithName("PeerAuthDerivedPolicies"))

	// The static STRICT policy is produced only once the PeerAuthentication
	// cache is non-empty; PeerAuths is fetched first so that an empty cache
	// short-circuits before MeshConfig is consulted.
	defaultPolicy := krt.NewSingleton[model.WorkloadAuthorization](func(ctx krt.HandlerContext) *model.WorkloadAuthorization {
		if len(krt.Fetch(ctx, PeerAuths)) == 0 {
			return nil
		}
		rootNS := krt.FetchOne(ctx, MeshConfig.AsCollection()).GetRootNamespace()

		// Build the single DENY rule bottom-up. Its only match is NotPrincipals
		// with a presence matcher, which (going by the field names) reads as
		// "no principal is present"; an empty LabelSelector applies it broadly.
		noPrincipal := &security.Match{
			NotPrincipals: []*security.StringMatch{
				{MatchType: &security.StringMatch_Presence{}},
			},
		}
		denyRules := &security.Rules{Matches: []*security.Match{noPrincipal}}
		denyGroup := &security.Group{Rules: []*security.Rules{denyRules}}

		return &model.WorkloadAuthorization{
			LabelSelector: model.LabelSelector{},
			Authorization: &security.Authorization{
				Name:      staticStrictPolicyName,
				Namespace: rootNS,
				Scope:     security.Scope_WORKLOAD_SELECTOR,
				Action:    security.Action_DENY,
				Groups:    []*security.Group{denyGroup},
			},
		}
	}, krt.WithName("DefaultPolicy"))

	// policies is the complete set of policies sent down to clients.
	policies := krt.JoinCollection([]krt.Collection[model.WorkloadAuthorization]{
		authzDerived,
		peerAuthDerived,
		defaultPolicy.AsCollection(),
	}, krt.WithName("Policies"))

	return authzDerived, policies
}
90