UNCLASSIFIED - NO CUI


Resolve "Implement Istio Authorization Policies"

Enoch Ofori requested to merge 16-implement-istio-authorization-policies into main

General MR

Summary

Add istio authorization policies

Relevant logs/screenshots

Deploy renovate with this test yaml

renovate.yaml

packages:
  renovate:
    enabled: true
    git:
      repo: https://repo1.dso.mil/big-bang/product/packages/renovate.git
      path: "./chart"
      tags: null
      branch: "16-implement-istio-authorization-policies"
    values:
      networkPolicies:
        enabled: "{{ $.Values.networkPolicies.enabled }}"
      istio:
        enabled: "{{ $.Values.istio.enabled }}"
        hardened:
          enabled: true
          customAuthorizationPolicies: []
      cronjob:
        schedule: '*/1 * * * *'
      renovate:
        config: |
          {
              "platform": "gitlab",
              "endpoint": "https://repo1.dso.mil/api/v4",
              "token": "custom_token",
              "autodiscover": "false",
              "dryRun": true,
              "printConfig": true,
              "repositories": ["organ/repo"]
          }

  1. Examine the logs from the Renovate pod. Depending on your access key, you might encounter an 'access denied to the repo' message. Alternatively, if your key is valid but linked to a non-existent repository, you should see a 'repo not found' error.
  2. Modify your hosts and add renovate.bigbang.dev to the bigbang entry. Look for an XML response from curl -L renovate.bigbang.dev.
  3. Remove the public-ingressgateway-minio-authz-policy. This action is akin to setting istio.renovate.enabled to false.
  4. After using curl -L renovate.bigbang.dev, watch out for an RBAC denied error.
  5. Deploy two distinct pod info pods in the Renovate namespace. Retrieve the IP address of one pod with kubectl get pods pod-name -o=jsonpath='{.status.podIP}' , then kubectl exec into the other pod and execute curl -L http://[pod_ip]:9898. This tests the permission for communication within the namespace. To further test, delete the allow namespace communication policy and try the curl command again. This should result in an RBAC denied error from curl -L http://[pod_ip]:9898.

sample-pod-info.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: podinfo
  labels:
    app: podinfo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: podinfo
  template:
    metadata:
      labels:
        app: podinfo
    spec:
      containers:
      - name: podinfo
        image: stefanprodan/podinfo:latest
        ports:
        - containerPort: 9898
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: podinfo2
  labels:
    app: podinfo2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: podinfo2
  template:
    metadata:
      labels:
        app: podinfo2
    spec:
      containers:
      - name: podinfo2
        image: stefanprodan/podinfo:latest
        ports:
        - containerPort: 9898

Closes #16 (closed)

Edited by Enoch Ofori
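The test steps above rely on how Istio evaluates ALLOW-type AuthorizationPolicies: a workload with no ALLOW policy selecting it accepts everything, a workload selected by at least one ALLOW policy accepts only requests that match some rule, and everything else gets the "RBAC: access denied" that steps 4 and 5 look for. The following is an added example, not code from the renovate chart or from this merge request; it models that decision in plain Python and replays the four outcomes the steps describe. The policy names, the `app.kubernetes.io/name: renovate` label, the ingress gateway service account and the presence of a namespace-wide `deny-all` policy are assumptions chosen to mirror the steps, not values taken from the chart.

```python
"""Toy model of Istio AuthorizationPolicy ALLOW semantics (added example).

Decision the sidecar makes for an inbound request:
  * no ALLOW policy selects the workload              -> allow
  * an ALLOW policy selects it and some rule matches  -> allow
  * an ALLOW policy selects it and no rule matches    -> RBAC: access denied
All names, labels and service accounts below are assumptions.
"""
from typing import Optional

RENOVATE_NS = "renovate"
# Assumed SPIFFE identity of the public ingress gateway.
GATEWAY_PRINCIPAL = "cluster.local/ns/istio-system/sa/public-ingressgateway-service-account"


def allow_policy(name: str, namespace: str, selector: Optional[dict] = None,
                 rules: Optional[list] = None) -> dict:
    """Build a minimal AuthorizationPolicy manifest with action ALLOW."""
    spec = {"action": "ALLOW", "rules": rules or []}
    if selector:  # no selector means "every workload in the namespace"
        spec["selector"] = {"matchLabels": selector}
    return {"apiVersion": "security.istio.io/v1beta1",
            "kind": "AuthorizationPolicy",
            "metadata": {"name": name, "namespace": namespace},
            "spec": spec}


def hardened_policies() -> list:
    """Assumed policy set for a hardened namespace."""
    return [
        # Empty rule list: selects every workload, matches no request.
        allow_policy("deny-all", RENOVATE_NS),
        # Only the ingress gateway may reach the renovate workload.
        allow_policy("public-ingressgateway-renovate-authz-policy", RENOVATE_NS,
                     selector={"app.kubernetes.io/name": "renovate"},
                     rules=[{"from": [{"source": {"principals": [GATEWAY_PRINCIPAL]}}]}]),
        # Workloads inside the namespace may talk to each other.
        allow_policy("allow-namespace-communication", RENOVATE_NS,
                     rules=[{"from": [{"source": {"namespaces": [RENOVATE_NS]}}]}]),
    ]


def _selects(policy: dict, workload_ns: str, labels: dict) -> bool:
    if policy["metadata"]["namespace"] != workload_ns:
        return False
    wanted = policy["spec"].get("selector", {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def _source_matches(source: dict, principal: str, source_ns: str) -> bool:
    if "principals" in source and principal not in source["principals"]:
        return False
    if "namespaces" in source and source_ns not in source["namespaces"]:
        return False
    return True


def _rule_matches(rule: dict, principal: str, source_ns: str) -> bool:
    # Every 'from' entry must match; a rule with no 'from' matches any source.
    return all(_source_matches(f.get("source", {}), principal, source_ns)
               for f in rule.get("from", []))


def is_allowed(policies: list, workload_ns: str, workload_labels: dict,
               principal: str, source_ns: str) -> bool:
    """True if the request is admitted, False if the sidecar would return RBAC denied."""
    applicable = [p for p in policies
                  if p["spec"]["action"] == "ALLOW" and _selects(p, workload_ns, workload_labels)]
    if not applicable:
        return True
    return any(_rule_matches(r, principal, source_ns)
               for p in applicable for r in p["spec"]["rules"])


def without(policies: list, name: str) -> list:
    """Simulate 'kubectl delete authorizationpolicy <name>'."""
    return [p for p in policies if p["metadata"]["name"] != name]


def run_mr_test_steps() -> dict:
    """Replay the curl checks from the MR description against the model."""
    pols = hardened_policies()
    renovate = {"app.kubernetes.io/name": "renovate"}
    podinfo2 = {"app": "podinfo2"}
    podinfo_principal = f"cluster.local/ns/{RENOVATE_NS}/sa/default"  # assumed SA
    return {
        "gateway_to_renovate": is_allowed(
            pols, RENOVATE_NS, renovate, GATEWAY_PRINCIPAL, "istio-system"),
        "gateway_after_policy_removed": is_allowed(
            without(pols, "public-ingressgateway-renovate-authz-policy"),
            RENOVATE_NS, renovate, GATEWAY_PRINCIPAL, "istio-system"),
        "podinfo_to_podinfo2": is_allowed(
            pols, RENOVATE_NS, podinfo2, podinfo_principal, RENOVATE_NS),
        "podinfo_after_ns_policy_removed": is_allowed(
            without(pols, "allow-namespace-communication"),
            RENOVATE_NS, podinfo2, podinfo_principal, RENOVATE_NS),
    }


if __name__ == "__main__":
    for step, allowed in run_mr_test_steps().items():
        print(f"{step}: {'allowed' if allowed else 'RBAC: access denied'}")
```

The `deny-all` policy is what turns step 5 into a denial: once `allow-namespace-communication` is deleted, the podinfo2 workload is still selected by `deny-all`, which has no rules, so no request can match. Without a namespace-wide policy the sidecar would fall back to allowing the traffic, which is the behaviour `istio.hardened.enabled: true` is meant to close off.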
