// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// nolint: gocritic
package ambient

import (
	securityclient "istio.io/client-go/pkg/apis/security/v1beta1"
	"istio.io/istio/pilot/pkg/model"
	"istio.io/istio/pkg/kube/krt"
	"istio.io/istio/pkg/workloadapi/security"
)

// PolicyCollections derives the ambient authorization collections from the raw
// Kubernetes security resources.
//
// Three collections are built on top of the inputs:
//   - one model.WorkloadAuthorization per AuthorizationPolicy that
//     convertAuthorizationPolicy accepts (a nil conversion result is dropped);
//   - the same for each PeerAuthentication, via convertPeerAuthentication;
//   - a "DefaultPolicy" singleton that is present only while at least one
//     PeerAuthentication exists in the cache. It is a DENY policy with an
//     empty label selector, so it targets every workload, and its single rule
//     matches requests that carry no principal at all (NotPrincipals with a
//     presence match) — presumably unauthenticated / non-mTLS callers, which is
//     what the static STRICT policy is meant to reject.
//
// The root namespace used for every converted policy is read from MeshConfig
// inside each handler, so the derived entries recompute when mesh config changes.
//
// It returns the AuthorizationPolicy-derived collection on its own, and the
// joined "Policies" collection of all three, which is the set sent to clients.
// Why the first collection is also exposed separately is not visible here;
// callers presumably need AuthorizationPolicy-only data.
func PolicyCollections(
	AuthzPolicies krt.Collection[*securityclient.AuthorizationPolicy],
	PeerAuths krt.Collection[*securityclient.PeerAuthentication],
	MeshConfig krt.Singleton[MeshConfig],
) (krt.Collection[model.WorkloadAuthorization], krt.Collection[model.WorkloadAuthorization]) {
	// rootNamespace reads the mesh root namespace from the current MeshConfig,
	// registering a dependency on it for the calling handler.
	rootNamespace := func(ctx krt.HandlerContext) string {
		cfg := krt.FetchOne(ctx, MeshConfig.AsCollection())
		return cfg.GetRootNamespace()
	}

	// wrap attaches the workload selector a converted policy applies to.
	wrap := func(pol *security.Authorization, matchLabels map[string]string) *model.WorkloadAuthorization {
		return &model.WorkloadAuthorization{
			Authorization: pol,
			LabelSelector: model.NewSelector(matchLabels),
		}
	}

	// strictDenyPolicy builds the mesh-wide policy that denies requests
	// presenting no principal. The empty LabelSelector means it applies to
	// every workload.
	strictDenyPolicy := func(rootNS string) *model.WorkloadAuthorization {
		noPrincipal := &security.Match{
			NotPrincipals: []*security.StringMatch{
				{MatchType: &security.StringMatch_Presence{}},
			},
		}
		return &model.WorkloadAuthorization{
			LabelSelector: model.LabelSelector{},
			Authorization: &security.Authorization{
				Name:      staticStrictPolicyName,
				Namespace: rootNS,
				Scope:     security.Scope_WORKLOAD_SELECTOR,
				Action:    security.Action_DENY,
				Groups: []*security.Group{
					{
						Rules: []*security.Rules{
							{Matches: []*security.Match{noPrincipal}},
						},
					},
				},
			},
		}
	}

	authzPolicies := krt.NewCollection(AuthzPolicies, func(ctx krt.HandlerContext, ap *securityclient.AuthorizationPolicy) *model.WorkloadAuthorization {
		pol := convertAuthorizationPolicy(rootNamespace(ctx), ap)
		if pol == nil {
			// Not applicable to ambient; no entry is produced.
			return nil
		}
		return wrap(pol, ap.Spec.GetSelector().GetMatchLabels())
	}, krt.WithName("AuthzDerivedPolicies"))

	peerAuthPolicies := krt.NewCollection(PeerAuths, func(ctx krt.HandlerContext, pa *securityclient.PeerAuthentication) *model.WorkloadAuthorization {
		pol := convertPeerAuthentication(rootNamespace(ctx), pa)
		if pol == nil {
			return nil
		}
		return wrap(pol, pa.Spec.GetSelector().GetMatchLabels())
	}, krt.WithName("PeerAuthDerivedPolicies"))

	defaultPolicy := krt.NewSingleton[model.WorkloadAuthorization](func(ctx krt.HandlerContext) *model.WorkloadAuthorization {
		// With no PeerAuthentication in the cache there is nothing to enforce,
		// so the singleton is absent. PeerAuths is fetched before MeshConfig,
		// as in the original ordering.
		if len(krt.Fetch(ctx, PeerAuths)) == 0 {
			return nil
		}
		return strictDenyPolicy(rootNamespace(ctx))
	}, krt.WithName("DefaultPolicy"))

	// Everything clients receive flows through this single joined collection.
	policies := krt.JoinCollection([]krt.Collection[model.WorkloadAuthorization]{
		authzPolicies,
		peerAuthPolicies,
		defaultPolicy.AsCollection(),
	}, krt.WithName("Policies"))

	return authzPolicies, policies
}