

Resolve "Implement Istio Authorization Policies"

Enoch Ofori requested to merge 93-implement-istio-authorization-policies into main

General MR

Summary

Adds Istio authorization policies to the elasticsearch-kibana package.

Relevant logs/screenshots

Use the following overrides to deploy the full stack and ensure all dependent packages start.

eckOperator:
  # -- Toggle deployment of ECK Operator.
  enabled: true
  git:
    repo: https://repo1.dso.mil/big-bang/product/packages/eck-operator.git
    tag: null
    branch: "42-implement-istio-authorization-policies"
  values:
    istio:
      enabled: true
      hardened:
        enabled: true

elasticsearchKibana:
  enabled: true
  git:
    repo: https://repo1.dso.mil/big-bang/product/packages/elasticsearch-kibana.git
    tag: null
    branch: "93-implement-istio-authorization-policies"
  values:
    istio:
      # -- Toggle istio interaction.
      enabled: true
      hardened:
        enabled: true
        customAuthorizationPolicies: []
        # - name: "allow-nothing"
        #   enabled: true
        #   spec: {}
        prometheus:
          enabled: false
          namespaces:
            - monitoring
          principals:
            - cluster.local/ns/monitoring/sa/monitoring-grafana
            - cluster.local/ns/monitoring/sa/monitoring-monitoring-kube-alertmanager
            - cluster.local/ns/monitoring/sa/monitoring-monitoring-kube-operator
            - cluster.local/ns/monitoring/sa/monitoring-monitoring-kube-prometheus
            - cluster.local/ns/monitoring/sa/monitoring-monitoring-kube-state-metrics
            - cluster.local/ns/monitoring/sa/monitoring-monitoring-prometheus-node-exporter
        fluentbit:
          enabled: false
          namespaces:
            - fluentbit
          principals:
            - cluster.local/ns/fluentbit/sa/fluentbit-fluent-bit
        elasticOperator:
          enabled: true
          namespaces:
            - eck-operator 
          principals:
            - cluster.local/ns/eck-operator/sa/elastic-operator 
        mattermost:
          enabled: false
          namespaces:
            - mattermost
          principals:
            - cluster.local/ns/mattermost/sa/mattermost 
        jaeger:
          enabled: false
          namespaces:
          - jaeger
          principals:
          - cluster.local/ns/jaeger/sa/jaeger
          - cluster.local/ns/jaeger/sa/jaeger-instance
          - cluster.local/ns/jaeger/sa/default

monitoring:
  enabled: true
  sso:
    enabled: true
    prometheus:
      client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-prometheus
    alertmanager:
      client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-alertmanager


kiali:
  enabled: true
  sso:
    enabled: true
    client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-kiali
  values:
    image:
      tag: v1.78.0@sha256:d8b8e5253540c0e78042dfc689acd61dd3add8260a760e7e9fb6a300731d0866

jaeger:
  enabled: true
  sso:
    enabled: true
    client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_jaeger
  values:
    istio:
      jaeger:
        enabled: true
    elasticsearch:
      enabled: true


grafana:
  enabled: true

fluentbit:
  enabled: true

Linked Issue

Issue 93

Upgrade Notices

N/A

Edited by Jimmy Ungerman
