Draft: Resolve "Implement Istio Authorization Policies"
General MR
Summary
This MR adds support for Istio Authorization Policies to the Cluster Auditor package. To test out the new AuthorizationPolicies, begin by deploying a bigbang cluster with the following overrides:
```yaml
# Have to zero-out tag to deploy by branch here.
clusterAuditor:
  enabled: true
  git:
    tag: null
    branch: "81-implement-istio-authorization-policies"
  values:
    istio:
      enabled: true
      hardened:
        enabled: true
tempo:
  enabled: true
# Cluster Auditor depends on opa-gatekeeper, monitoring, and grafana
gatekeeper:
  enabled: true
monitoring:
  enabled: true
grafana:
  enabled: true
```
This deploys cluster-auditor and all of its dependencies. Once deployed, you can inspect the `istio-proxy` container logs in the `opa-exporter` pod for the successful requests shown below. Navigating to the OPA Violations dashboard should successfully show the violations.

To confirm that the policy is also blocking requests, delete the `allow-prom-operator-policy` AuthorizationPolicy and then delete the `opa-exporter` pod so that it resets. You should now see `rbac not allowed` entries in your logs.
Relevant logs/screenshots
Successful connection with AuthorizationPolicy

```
[2024-01-03T19:48:15.449Z] "GET /metrics HTTP/2" 200 - via_upstream - "-" 0 4633 4 3 "-" "Prometheus/2.48.1" "eb0186d8-87c2-9ad7-8b02-d29696d135e1" "10.42.3.13:9141" "10.42.3.13:9141" inbound|9141|| 127.0.0.6:57327 10.42.3.13:9141 10.42.1.6:52674 - default traceID=dd2cef03e0838fe64ded94d8de7c64f5
```

Grafana Dashboard Successfully Populating

Connection Failed due to AuthorizationPolicy

```
[2024-01-03T19:56:40.491Z] "GET /metrics HTTP/2" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "-" "Prometheus/2.48.1" "402673d6-76e4-9b59-ace1-eb754003c125" "10.42.3.15:9141" "-" inbound|9141|| - 10.42.3.15:9141 10.42.1.6:41070 - - traceID=-
```
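As an added check (example code written for this page, not part of the MR or the Cluster Auditor package), the following Python parses the two `istio-proxy` access-log lines above and flags the request that the AuthorizationPolicy enforcement rejected. It assumes the lines follow Istio's default Envoy access-log field order, which is what the two samples match.

```python
import re
import shlex

# Token order of Istio's default istio-proxy (Envoy) access-log format.
FIELDS = [
    "start_time", "request", "response_code", "response_flags",
    "response_code_details", "connection_termination_details",
    "upstream_transport_failure_reason", "bytes_received", "bytes_sent",
    "duration_ms", "upstream_service_time", "x_forwarded_for", "user_agent",
    "request_id", "authority", "upstream_host", "upstream_cluster",
    "upstream_local_address", "downstream_local_address",
    "downstream_remote_address", "requested_server_name", "route_name",
]
# RESPONSE_CODE_DETAILS written by Envoy's RBAC filter on a deny; the bracket
# holds the matched policy name, or "none" when no ALLOW rule matched.
RBAC_DENIED = re.compile(r"^rbac_access_denied_matched_policy\[([^\]]*)\]$")

# The two lines from this MR's opa-exporter istio-proxy log (allowed, then denied).
SAMPLE_LOGS = """\
[2024-01-03T19:48:15.449Z] "GET /metrics HTTP/2" 200 - via_upstream - "-" 0 4633 4 3 "-" "Prometheus/2.48.1" "eb0186d8-87c2-9ad7-8b02-d29696d135e1" "10.42.3.13:9141" "10.42.3.13:9141" inbound|9141|| 127.0.0.6:57327 10.42.3.13:9141 10.42.1.6:52674 - default traceID=dd2cef03e0838fe64ded94d8de7c64f5
[2024-01-03T19:56:40.491Z] "GET /metrics HTTP/2" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "-" "Prometheus/2.48.1" "402673d6-76e4-9b59-ace1-eb754003c125" "10.42.3.15:9141" "-" inbound|9141|| - 10.42.3.15:9141 10.42.1.6:41070 - - traceID=-
"""

def parse_access_log(line: str) -> dict:
    """Split one line into named fields; Istio's trailing key=value tokens
    (e.g. traceID=...) are kept as extra keys."""
    tokens = shlex.split(line)  # keeps each double-quoted field as one token
    if len(tokens) < len(FIELDS):
        raise ValueError(f"unexpected token count {len(tokens)}: {line!r}")
    entry = dict(zip(FIELDS, tokens))
    entry["start_time"] = entry["start_time"].strip("[]")
    for extra in tokens[len(FIELDS):]:
        key, _, value = extra.partition("=")
        entry[key] = value
    return entry

def rbac_denial(entry: dict):
    """Matched-policy name if the RBAC filter rejected the request, else None."""
    m = RBAC_DENIED.match(entry["response_code_details"])
    return m.group(1) if m and entry["response_code"] == "403" else None

def audit(log_text: str) -> list:
    """One (client, inbound cluster, user agent, verdict) tuple per log line."""
    rows = []
    for e in map(parse_access_log, filter(str.strip, log_text.splitlines())):
        policy = rbac_denial(e)
        verdict = "allowed" if policy is None else f"denied(policy={policy})"
        rows.append((e["downstream_remote_address"], e["upstream_cluster"],
                     e["user_agent"], verdict))
    return rows
```

Running `audit(SAMPLE_LOGS)` yields one allowed row for the scrape from 10.42.1.6:52674 and one `denied(policy=none)` row for the scrape after the policy was removed, which is the signal to look for when verifying the policies block traffic.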
Closes #81