[P1BIGROCKS-2489] Istio Authorization Policies
| Team Lead | Members |
| --- | --- |
| Ben Francis | |
[P1BIGROCKS-2489](https://jira.il2.dso.mil/browse/P1BIGROCKS-2489)
After Istio is integrated in each application, AuthorizationPolicies can be used to further control which workloads may perform which actions on various endpoints. For instance, the way GitLab Runners use the Anchore or Twistlock CLI is very different from how the Istio ingress does. These authorization policies should allow for more granular control of the communications between the services.
## Steps to implement for each package:
1. Install the package and run it as is first, to make sure it works before any policy is applied.
2. Add the allow-nothing policy and the template policy.
allow-nothing-policy
```
{{- /* the allow-nothing policy should eventually be provided by istio itself cluster-wide */ -}}
{{- if and .Values.istio.enabled .Values.istio.hardened.enabled -}}
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing-policy
  namespace: {{ .Release.Namespace }}
spec: {}
{{- end }}
```
template policy
```
{{- /* Render Istio Auth policies */ -}}
{{- if and $.Values.istio.enabled $.Values.istio.hardened.enabled -}}
{{- range $.Values.istio.hardened.customAuthorizationPolicies -}}
{{- if .enabled -}}
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: {{ .name }}
  namespace: {{ $.Release.Namespace }}
spec:
  {{- toYaml .spec | nindent 2 }}
---
{{ end -}}
{{ end -}}
{{- end -}}
```
3. Redeploy, see what's broken, then add the policies that are needed.
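As an added example (not part of the epic or any Big Bang package), here is a values fragment that the template policy above would render into two AuthorizationPolicies in the release namespace; the workload labels, namespaces, service account names and port are placeholders. Once the allow-nothing policy is present (an ALLOW policy with no rules applies to every workload in the namespace and therefore denies every request), only traffic matched by one of these rules gets through.

```yaml
# Added example values, not from the epic. Paths match the template policy:
# istio.hardened.enabled gates both templates, customAuthorizationPolicies feeds the range.
# Every label, namespace, service account and port below is a placeholder.
istio:
  enabled: true
  hardened:
    enabled: true            # also renders allow-nothing-policy in the release namespace
    customAuthorizationPolicies:
      # Only the ingress gateway may reach the package's web workload, and only on
      # the listed methods/port. .spec is copied verbatim by toYaml, so it is plain
      # Istio AuthorizationPolicy spec.
      - name: allow-ingress-gateway
        enabled: true
        spec:
          selector:
            matchLabels:
              app.kubernetes.io/name: example-app          # placeholder label
          action: ALLOW
          rules:
            - from:
                - source:
                    # principals are SPIFFE identities; they only match when the
                    # caller's traffic is mTLS, so PERMISSIVE plaintext callers are denied
                    principals:
                      - cluster.local/ns/istio-system/sa/ingressgateway-sa   # placeholder SA
              to:
                - operation:
                    methods: ["GET", "POST"]
                    ports: ["8080"]                          # placeholder port
      # A GitLab Runner in another namespace may call the scanner API directly,
      # which the ingress-gateway rule above would otherwise block.
      - name: allow-gitlab-runner
        enabled: true
        spec:
          selector:
            matchLabels:
              app.kubernetes.io/name: example-api          # placeholder label
          action: ALLOW
          rules:
            - from:
                - source:
                    principals:
                      - cluster.local/ns/gitlab-runner/sa/gitlab-runner     # placeholder SA
              to:
                - operation:
                    methods: ["GET", "POST", "PUT"]
```

Requests that no ALLOW rule matches are answered by the sidecar with HTTP 403 and the body `RBAC: access denied`, so grepping the istio-proxy access logs for 403s is the quickest way to find what step 3 broke.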