UNCLASSIFIED - NO CUI


Resolve "Implement Istio Authorization Policies"

Jimmy Ungerman requested to merge 42-implement-istio-authorization-policies into main

General MR

Summary

This MR creates authorization policies for the eck-operator chart.

Relevant logs/screenshots

The following overrides will deploy eck-operator and elasticsearch-kibana to show that the Istio Authorization Policy does not prohibit the operator from being called by the elasticsearch and kibana instances.

eckOperator:
  # -- Toggle deployment of ECK Operator.
  enabled: true
  git:
    repo: https://repo1.dso.mil/big-bang/product/packages/eck-operator.git
    tag: null
    branch: "42-implement-istio-authorization-policies"
  values:
    istio:
      enabled: true
      hardened:
        enabled: true

elasticsearchKibana:
  enabled: true
  git:
    repo: https://repo1.dso.mil/big-bang/product/packages/elasticsearch-kibana.git
    tag: null
    branch: "93-implement-istio-authorization-policies"
  values:
    istio:
      # -- Toggle istio interaction.
      enabled: true
      hardened:
        enabled: true
        customAuthorizationPolicies: []
        # - name: "allow-nothing"
        #   enabled: true
        #   spec: {}
        prometheus:
          enabled: false
          namespaces:
            - monitoring
          principals:
            - cluster.local/ns/monitoring/sa/monitoring-grafana
            - cluster.local/ns/monitoring/sa/monitoring-monitoring-kube-alertmanager
            - cluster.local/ns/monitoring/sa/monitoring-monitoring-kube-operator
            - cluster.local/ns/monitoring/sa/monitoring-monitoring-kube-prometheus
            - cluster.local/ns/monitoring/sa/monitoring-monitoring-kube-state-metrics
            - cluster.local/ns/monitoring/sa/monitoring-monitoring-prometheus-node-exporter
        fluentbit:
          enabled: false
          namespaces:
            - fluentbit
          principals:
            - cluster.local/ns/fluentbit/sa/fluentbit-fluent-bit
        elasticOperator:
          enabled: true
          namespaces:
            - eck-operator
          principals:
            - cluster.local/ns/eck-operator/sa/elastic-operator
        mattermost:
          enabled: false
          namespaces:
            - mattermost
          principals:
            - cluster.local/ns/mattermost/sa/mattermost
        jaeger:
          enabled: false
          namespaces:
            - jaeger
          principals:
            - cluster.local/ns/jaeger/sa/jaeger
            - cluster.local/ns/jaeger/sa/jaeger-instance
            - cluster.local/ns/jaeger/sa/default

After deployment, ensure all pods are running and you can log in to Kibana.

Linked Issue

Issue 42

Upgrade Notices

N/A


Edited by Blane Staskiewicz
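For reference, what the `istio.hardened.elasticOperator` block in the overrides above expresses when written as Istio's own AuthorizationPolicy objects. This is an added illustrative example, not the rendered template of the eck-operator or elasticsearch-kibana chart; the target namespace `elasticsearch-kibana` and the policy names are assumptions, while the source namespace and principal are taken from the override.

```yaml
# Added illustrative example, not the eck-operator or elasticsearch-kibana
# chart's rendered template. It shows the pair of policies the hardened
# override stands for: a default deny for the namespace plus an explicit
# allow for the operator's identity.
# Assumed: the Elasticsearch/Kibana workloads run in namespace
# "elasticsearch-kibana"; the policy names are also assumed.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: elasticsearch-kibana
# An empty spec matches no request, so once it exists every request to every
# workload in the namespace is denied unless some ALLOW policy matches it.
spec: {}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-elastic-operator
  namespace: elasticsearch-kibana
spec:
  action: ALLOW
  rules:
    - from:
        - source:
            # Values taken from the override's elasticOperator block.
            # Fields inside one source entry are ANDed: the caller must come
            # from the eck-operator namespace AND present the operator's
            # SPIFFE identity, so another service account in that namespace
            # is still denied.
            namespaces:
              - eck-operator
            principals:
              - cluster.local/ns/eck-operator/sa/elastic-operator
```

The `principals` match only works when the caller's identity arrives in a peer certificate, so it is only enforceable where the mesh actually uses mTLS between the two namespaces.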
