UNCLASSIFIED - NO CUI

Skip to content

Draft: Resolve "Implement Istio Authorization Policies"

Jimmy Ungerman requested to merge 81-implement-istio-authorization-policies-2 into main

General MR

Summary

This MR adds support for Istio Authorization Policies to the Cluster Auditor package. To test out the new AuthorizationPolicies, begin by deploying a bigbang cluster with the following overrides:

# Have to zero-out tag to deploy by branch here.
clusterAuditor:
  enabled: true
  git:
    tag: null
    branch: "81-implement-istio-authorization-policies"
  values:
    istio:
      enabled: true
      hardened:
        enabled: true
        tempo:
          enabled: true
      
# Cluster Auditor depends on opa-gatekeeper, monitoring, and grafana
gatekeeper:
  enabled: true
monitoring:
  enabled: true
grafana:
  enabled: true

This deploys cluster-auditor and all of its dependencies. Once deployed, you can inspect the istio-proxy container logs in the opa-exporter pod for the following successful requests. Navigating to the OPA Violations dashboard should successfully show the violations.

To ensure that it really is blocking authorization as well, we can delete the allow-prom-operator-policy and delete the opa-exporter pod for it to reset. You should now see rbac not allowed entries in your logs.

Relevant logs/screenshots

Successful connection with AuthorizationPolicy

[2024-01-03T19:48:15.449Z] "GET /metrics HTTP/2" 200 - via_upstream - "-" 0 4633 4 3 "-" "Prometheus/2.48.1" "eb0186d8-87c2-9ad7-8b02-d29696d135e1" "10.42.3.13:9141" "10.42.3.13:9141" inbound|9141|| 127.0.0.6:57327 10.42.3.13:9141 10.42.1.6:52674 - default traceID=dd2cef03e0838fe64ded94d8de7c64f5

Grafana Dashboard Successfully Populating

Screenshot_2024-01-03_at_12.56.27_PM

Connection Failed due to AuthorizationPolicy

[2024-01-03T19:56:40.491Z] "GET /metrics HTTP/2" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "-" "Prometheus/2.48.1" "402673d6-76e4-9b59-ace1-eb754003c125" "10.42.3.15:9141" "-" inbound|9141|| - 10.42.3.15:9141 10.42.1.6:41070 - - traceID=-

Closes #81 (closed)

Merge request reports