diff --git a/README.md b/README.md index d099f6f..b01df79 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # netpol-synthesizer This application takes a JSON file, describing the connectivity in a given Kubernetes cluster, -and produces a set of Kubernetes NetworkPolicies that allow only the specified connectivity +and produces a set of policies (Kubernetes NetworkPolicies or Istio AuthorizationPolicies) that allow only the specified connectivity and nothing more. ### Requirements: @@ -18,11 +18,12 @@ pip install -r requirements.txt ### Usage: ```commandline -python src/netpol_synth.py [-o ] [-b baseline_rules_file] +python src/netpol_synth.py [-o ] [-b baseline_rules_file] [--policy_type=] ``` * `connectivity_file` is the path to a JSON file describing connectivity. This should be the output of running the [Network Topology Analyzer](https://github.com/np-guard/cluster-topology-analyzer). -* `output_file` *(optional)* is a path to output file where the resulting NetworkPolicy resources will be dumped (in YAML format). If omitted, output will be sent to stdout. +* `output_file` *(optional)* is a path to output file where the resulting policy resources will be dumped (in YAML format). If omitted, output will be sent to stdout. * `baseline_rules_file` is a yaml file containing a list of baseline rules. See [these examples](https://github.com/np-guard/baseline-rules/tree/master/examples) +* `policy_type_str` is one of the values: `['k8s', 'istio']`, *default:* `k8s` For example: ```commandline diff --git a/baseline-rules b/baseline-rules index b16e183..53a3b1a 160000 --- a/baseline-rules +++ b/baseline-rules @@ -1 +1 @@ -Subproject commit b16e1835a25bfed9f1c8e1f48d4d66b721ead81a +Subproject commit 53a3b1ae07850a8db2511ce1de8c9363e71642f6 diff --git a/src/netpol_synth.py b/src/netpol_synth.py index 6626f3f..a46ed66 100644 --- a/src/netpol_synth.py +++ b/src/netpol_synth.py 
@@ -17,7 +17,8 @@
 common_services_dir = (base_dir / '../baseline-rules/src').resolve()
 sys.path.insert(0, str(common_services_dir))
-from baseline_rule import BaselineRules, BaselineRuleAction
+from baseline_rule import BaselineRule, BaselineRules, BaselineRuleAction
+from selector import LabelSelector, IpSelector
 class NoAliasDumper(yaml.SafeDumper):
@@ -25,6 +26,7 @@ class NoAliasDumper(yaml.SafeDumper):
 This class is needed to avoid aliases and references in the generated yaml file
 (so that users will be able to copy & paste individual NetworkPolicies)
 """
+
 def ignore_aliases(self, data):
 return True
@@ -38,6 +40,7 @@ class DeploymentLinks:
 namespace: str = ''
 selectors: Optional[dict] = None
 labels: dict = field(default_factory=dict)
+ service_account_name: str = ''
 ingress_conns: list = field(default_factory=list)
 egress_conns: list = field(default_factory=list)
@@ -46,6 +49,7 @@ class NetpolSynthesizer:
 """
 This is the main class for the conversion. Call its synthesize() method to generate k8s NetworkPolicy resources
 """
+
 def __init__(self, connectivity_file, baseline_files):
 self.deployments = {}
 self.baseline_rules = BaselineRules(baseline_files)
@@ -66,9 +70,10 @@ def _process_connectivity_file(self, connectivity_file):
 continue
 for connection in element:
 src_deploy = self._find_or_add_deployment(connection['source']['Resource'])
+ used_ports_src = connection['source']['Resource'].get('UsedPorts', [])
 tgt_deploy = self._find_or_add_deployment(connection['target']['Resource'])
 links = connection['link']['resource']
- port_list = self._links_to_port_list(links.get('network'))
+ port_list = self._links_to_port_list(links.get('network'), used_ports_src)
 if links.get('type') == 'LoadBalancer':
 src_deploy = internet_src # A Service of type LoadBalancer exposes the target to the internet
 elif not src_deploy.name:
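Review bot: `used_ports_src` is handed to the port filter with no guard for the case where nothing survives the filter: with the `_links_to_port_list` change in hunk `@@ -119,7 +125,10 @@`, a `UsedPorts` list that matches none of the service's `port` values returns `[]`, and `_xgress_conns_to_network_policy_rules` (hunk `@@ -128,19 +137,24 @@`) turns an empty port list into a rule with no `ports` key, which in a NetworkPolicy means every port. A filter meant to narrow the policy can thus widen it to all ports on a plain data mismatch, for example if `UsedPorts` carries target ports rather than service ports. I would make the empty result explicit in `_links_to_port_list`: `filtered = [{'port': link.get('target_port')} for link in links if link.get('port') in used_ports]` followed by `return filtered if filtered else [{'port': link.get('target_port')} for link in links]`, or skip the connection with a logged warning. `_process_connectivity_file` continues past the end of this hunk.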
@@ -80,8 +85,8 @@ def _process_connectivity_file(self, connectivity_file):
 f'is disallowed by baseline rule {violated_baseline_rule}')
 else:
 if src_deploy not in [internet_src, namespace_src]:
- self.deployments[src_deploy.name].egress_conns.append((tgt_deploy.selectors, port_list))
- self.deployments[tgt_deploy.name].ingress_conns.append((src_deploy.selectors, port_list))
+ self.deployments[src_deploy.name].egress_conns.append((tgt_deploy, port_list))
+ self.deployments[tgt_deploy.name].ingress_conns.append((src_deploy, port_list))
 def _find_or_add_deployment(self, resource):
 """
@@ -98,7 +103,8 @@ def _find_or_add_deployment(self, resource):
 namespace = resource.get('namespace', '')
 sel = self._selector_array_to_pod_selector(resource.get('selectors', []))
 labels = resource.get('labels', {})
- self.deployments[name] = DeploymentLinks(name, namespace, sel, labels)
+ sa_name = resource.get('serviceaccountname', 'default')
+ self.deployments[name] = DeploymentLinks(name, namespace, sel, labels, sa_name)
 return self.deployments[name]
 def _allowed_by_baseline(self, source_labels, target_labels, port_list):
@@ -119,7 +125,10 @@ def _selector_array_to_pod_selector(sel_array):
 return {'podSelector': {'matchLabels': res}}
 @staticmethod
- def _links_to_port_list(links):
+ def _links_to_port_list(links, used_ports):
+ if used_ports:
+ # refer only to relevant ports (not all service ports are in use)
+ return [{'port': link.get('target_port')} for link in links if link.get('port') in used_ports]
 return [{'port': link.get('target_port')} for link in links]
 def _add_must_allow_connections(self):
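Review bot: `sa_name = resource.get('serviceaccountname', 'default')` in `_find_or_add_deployment` reads an absent field as "the pod runs under the namespace's default service account", while the new `service_account_name: str = ''` default in hunk `@@ -38,6 +40,7 @@` is the value that `_get_principals_list_from_deployments` treats as "no identity known", so the two defaults disagree and a resource the analyzer could not describe still gets the principal `cluster.local/ns/<ns>/sa/default`. That identity is shared by every pod in the namespace that sets no `serviceAccountName`, so the resulting AuthorizationPolicy trusts more workloads than the label-based NetworkPolicy for the same connection. If the analyzer always emits `serviceaccountname` when it is known, the substitution is sound and should be documented where it happens, e.g. `# absent in the analyzer output means the pod uses the namespace's 'default' SA`; otherwise the two defaults should be unified and the unknown case handled explicitly in the Istio path. `_find_or_add_deployment` starts before this hunk.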
@@ -128,19 +137,24 @@ def _add_must_allow_connections(self):
 if not rule.action == BaselineRuleAction.allow:
 continue
 if rule.matches_source(deploy.labels):
- deploy.egress_conns.append((rule.targets_as_netpol_peer(), rule.get_port_array()))
+ deploy.egress_conns.append((rule.target, rule.get_port_array()))
 if rule.matches_target(deploy.labels):
- deploy.ingress_conns.append((rule.sources_as_netpol_peer(), rule.get_port_array()))
+ deploy.ingress_conns.append((rule.source, rule.get_port_array()))
 @staticmethod
- def _xgress_conns_to_rules(conns, is_ingress):
+ def _xgress_conns_to_network_policy_rules(conns, is_ingress):
+ # TODO: peer type in connection has multiple options currently
+ # a conn is a tuple of (DeploymentLinks, port list) or (list[Selector], ports list)
 res_rules = []
 seen_rules = set()
 for conn in conns:
 rule = {'ports': conn[1]} if conn[1] else {}
- if conn[0]:
+
+ selectors = conn[0].selectors if isinstance(conn[0], DeploymentLinks) else \
+ BaselineRule.selectors_as_netpol_peer(conn[0])
+ if selectors:
 selector_key = 'from' if is_ingress else 'to'
- rule[selector_key] = [conn[0]]
+ rule[selector_key] = [selectors]
 rule_yaml = yaml.dump(rule)
 if rule_yaml in seen_rules:
 continue
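Review bot: The comment `# a conn is a tuple of (DeploymentLinks, port list) or (list[Selector], ports list)` understates what `rule.source` / `rule.target` can carry: `_get_auth_policy_source_from_baseline_rule_selector` in hunk `@@ -154,13 +168,82 @@` also accepts an `IpSelector`, yet this function passes whatever it receives to `BaselineRule.selectors_as_netpol_peer` without a type check. I would state the full contract, e.g. `# conn[0] is a DeploymentLinks, a list[LabelSelector] or an IpSelector (baseline-rule peers); conn[1] is the port list`, and confirm that `selectors_as_netpol_peer` (defined in the baseline-rules submodule, outside this diff) handles the `IpSelector` case. As a point of style, the `isinstance` dispatch on an untyped tuple is repeated in `_ingress_conns_to_auth_policy_rules`; a small named tuple for a connection would let both sites read the peer and ports by name instead of `conn[0]` / `conn[1]`. The loop body continues past the end of this hunk.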
@@ -154,13 +168,82 @@ def _xgress_conns_to_rules(conns, is_ingress):
 return res_rules
- def synthesize(self, output_file):
- """
- Generates NetworkPolicies in yaml format based on the analysis done in the ctor.
- If output file is specified, the output is dumped into the file. Otherwise, stdout is used
- :param output_file: A file opened for writing
- :return: None
- """
+ def _find_deployments_from_pod_selector(self, selectors):
+ # selectors is of type list[LabelSelector]
+ assert all(isinstance(selector, LabelSelector) for selector in selectors)
+ res = []
+ for deploy in self.deployments.values():
+ labels = deploy.labels
+ if all(selector.matches(labels) for selector in selectors):
+ res.append(deploy)
+ return res
+
+ def _get_auth_policy_source_from_baseline_rule_selector(self, selectors):
+ # selectors is of type list[LabelSelector] or IpSelector
+ if isinstance(selectors, IpSelector):
+ return {'ipBlocks': [str(selectors.ipn)]}
+
+ assert all(isinstance(selector, LabelSelector) for selector in selectors)
+ src_deployments = self._find_deployments_from_pod_selector(selectors)
+ return self._gst_auth_policy_source_from_deployments(src_deployments)
+
+ def _gst_auth_policy_source_from_deployments(self, deployments):
+ res = {}
+ principals_list = self._get_principals_list_from_deployments(deployments)
+ if principals_list:
+ res['principals'] = principals_list
+ return res
+
+ @staticmethod
+ def _get_principals_list_from_deployments(deployments):
+ principals_list = []
+ for src_deployment in deployments:
+ if src_deployment.service_account_name != '':
+ ns = src_deployment.namespace or 'default'
+ principals_list.append(f"cluster.local/ns/{ns}/sa/{src_deployment.service_account_name}")
+ return principals_list
+
+ def _ingress_conns_to_auth_policy_rules(self, conns):
+ # a conn is a tuple of (DeploymentLinks, port list) or (list[Selector], ports list)
+ res_rules = []
+ seen_rules = set()
+ for conn in conns:
+ rule = {}
+ if not isinstance(conn[0], DeploymentLinks): # connection from baseline rule with peer as selector
+ src_dict = self._get_auth_policy_source_from_baseline_rule_selector(conn[0])
+ else:
+ src_dict = self._gst_auth_policy_source_from_deployments([conn[0]])
+ if src_dict:
+ from_list = [{'source': src_dict}]
+ rule['from'] = from_list
+ if conn[1]:
+ ports_list = {'ports': [str(port['port']) for port in conn[1]]}
+ to_list = [{'operation': ports_list}]
+ rule['to'] = to_list
+ rule_yaml = yaml.dump(rule)
+ if rule_yaml in seen_rules:
+ continue
+ seen_rules.add(rule_yaml)
+ res_rules.append(rule)
+ return res_rules
+
+ def _synthesize_istio_authorization_policies(self):
+ authpolicies = []
+ for deployment in self.deployments.values():
+ metadata = {'name': deployment.name + '-authpol'}
+ if deployment.namespace:
+ metadata['namespace'] = deployment.namespace
+ spec = {'selector': deployment.selectors['podSelector'],
+ 'action': 'ALLOW',
+ 'rules': self._ingress_conns_to_auth_policy_rules(deployment.ingress_conns)}
+ authpol = {'apiVersion': 'security.istio.io/v1beta1',
+ 'kind': 'AuthorizationPolicy',
+ 'metadata': metadata,
+ 'spec': spec}
+ authpolicies.append(authpol)
+ return authpolicies
+
+ def _synthesize_k8s_network_policies(self):
 netpols = []
 for deployment in self.deployments.values():
 metadata = {'name': deployment.name + '-netpol'}
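Review bot: In `_ingress_conns_to_auth_policy_rules`, a source that resolves to no principal produces a rule without a `from` clause, and an Istio ALLOW rule with no `from` matches any source (an empty rule `{}` matches every request), so a baseline-rule selector that matches no deployment in the connectivity file, or a peer whose `service_account_name` is `''`, silently becomes allow-all for that workload instead of a narrow rule. I would fail closed: `if not src_dict: continue  # no resolvable principal; omitting 'from' would allow any source`, and if the `internet_src` case is meant to admit any caller, express that explicitly before this check rather than by absence of a clause. Note also that `ipBlocks` matches the immediate peer address, which behind a load balancer or proxy is the proxy's address rather than the original client's, so a baseline rule written in terms of client IPs may need `remoteIpBlocks` instead. Two smaller points: `_gst_auth_policy_source_from_deployments` reads as a typo for `_get_...`, and the `assert all(isinstance(...))` checks in `_find_deployments_from_pod_selector` and `_get_auth_policy_source_from_baseline_rule_selector` are stripped under `python -O`, so raising `TypeError` would be a sturdier input check. `_synthesize_k8s_network_policies` continues past the end of this hunk.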
@@ -168,19 +251,30 @@ def synthesize(self, output_file):
 metadata['namespace'] = deployment.namespace
 spec = {'podSelector': deployment.selectors['podSelector'],
 'policyTypes': ['Ingress', 'Egress'],
- 'ingress': self._xgress_conns_to_rules(deployment.ingress_conns, True),
- 'egress': self._xgress_conns_to_rules(deployment.egress_conns, False)}
+ 'ingress': self._xgress_conns_to_network_policy_rules(deployment.ingress_conns, True),
+ 'egress': self._xgress_conns_to_network_policy_rules(deployment.egress_conns, False)}
 netpol = {'apiVersion': 'networking.k8s.io/v1',
 'kind': 'NetworkPolicy',
 'metadata': metadata,
 'spec': spec}
 netpols.append(netpol)
+ return netpols
+ def synthesize(self, output_file, policy_type):
+ """
+ Generates NetworkPolicies/AuthorizationPolicies in yaml format based on the analysis done in the ctor.
+ If output file is specified, the output is dumped into the file. Otherwise, stdout is used
+ :param output_file: A file opened for writing
+ :param policy_type: the required policy type (k8s/istio)
+ :return: None
+ """
+ policy_list = self._synthesize_istio_authorization_policies() if policy_type == 'istio' \
+ else self._synthesize_k8s_network_policies()
 if output_file:
- yaml.dump_all(netpols, output_file, Dumper=NoAliasDumper)
+ yaml.dump_all(policy_list, output_file, Dumper=NoAliasDumper)
 print(f'\nNetwork Policies were successfully written to {output_file.name}')
 else:
- print(yaml.dump_all(netpols))
+ print(yaml.dump_all(policy_list))
 def netpol_synth_main(args=None):
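Review bot: `synthesize` treats every `policy_type` other than `'istio'` as `'k8s'`, so a mistyped value from a non-CLI caller silently produces the wrong kind of policy, and the success message is hard-coded to `Network Policies` even when AuthorizationPolicies were written. I would validate first and choose the generator from a table, which also reads better than the two-line conditional expression: `generators = {'k8s': self._synthesize_k8s_network_policies, 'istio': self._synthesize_istio_authorization_policies}`, then `if policy_type not in generators: raise ValueError(f'unknown policy type: {policy_type}')` and `policy_list = generators[policy_type]()`. The docstring could then add `:raises ValueError: if policy_type is not 'k8s' or 'istio'`, and the message could name the type that was written. `_synthesize_k8s_network_policies` starts before this hunk.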
@@ -189,15 +283,18 @@ def netpol_synth_main(args=None):
 :param args: Commandline arguments
 :return: None
 """
- parser = argparse.ArgumentParser(description='A generator for K8s Network Policies')
+ parser = argparse.ArgumentParser(
+ description='A generator for micro-segmentation policies: K8s Network Policies / Istio Authorization Policies')
 parser.add_argument('connectivity_file', type=open, help='A json input file describing connectivity')
 parser.add_argument('--baseline', '-b', type=str, metavar='FILE', action='append', help='A baseline-requirements file')
 parser.add_argument('--output', '-o', type=argparse.FileType('w'), metavar='FILE', help='Output file for NetworkPolicy resources')
+ parser.add_argument('--policy_type', choices=['k8s', 'istio'], help='Choose policy type to generate (k8s/istio)',
+ default='k8s')
 args = parser.parse_args(args)
- NetpolSynthesizer(args.connectivity_file, args.baseline).synthesize(args.output)
+ NetpolSynthesizer(args.connectivity_file, args.baseline).synthesize(args.output, args.policy_type)
 if __name__ == "__main__":
diff --git a/tests/connectivity_jsons/online-boutique-with-sa.json b/tests/connectivity_jsons/online-boutique-with-sa.json
new file mode 100644
index 0000000..9276b3f
--- /dev/null
+++ b/tests/connectivity_jsons/online-boutique-with-sa.json
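Review bot: The help text for `--output` still reads `Output file for NetworkPolicy resources` although the new `--policy_type` option can make it hold Istio AuthorizationPolicies; `help='Output file for the generated policy resources'` keeps the CLI self-describing. The README in this commit documents the value as `policy_type_str` while the parser exposes `--policy_type` with choices `k8s`/`istio`; using the same name in both places avoids a small documentation mismatch. `netpol_synth_main` starts before this hunk.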
@@ -0,0 +1,1271 @@ +[ + { + "source": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "frontend", + "selectors": [ + "app:frontend" + ], + "labels": { + "app": "frontend" + }, + "serviceaccountname": "frontend", + "filepath": "\\frontend.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/frontend:v0.3.6" + }, + "network": [ + { + "container_url": 8080, + "protocol": "" + } + ], + "Envs": [ + "productcatalogservice:3550", + "currencyservice:7000", + "cartservice:7070", + "recommendationservice:8080", + "shippingservice:50051", + "checkoutservice:5050", + "adservice:9555" + ] + } + }, + "target": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "adservice", + "selectors": [ + "app:adservice" + ], + "labels": { + "app": "adservice" + }, + "serviceaccountname": "adservice", + "filepath": "\\adservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/adservice:v0.3.6" + }, + "network": [ + { + "container_url": 9555, + "protocol": "" + } + ], + "Envs": null + } + }, + "link": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "resource": { + "name": "adservice", + "namespace": "", + "selectors": [ + "app:adservice" + ], + "type": "ClusterIP", + "filepath": "\\adservice.yaml", + "kind": "Service", + "network": [ + { + "port": 9555, + "target_port": 9555 + } + ] + } + } + }, + { + "source": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "checkoutservice", + "selectors": [ + 
"app:checkoutservice" + ], + "labels": { + "app": "checkoutservice" + }, + "serviceaccountname": "checkoutservice", + "filepath": "\\checkoutservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/checkoutservice:v0.3.6" + }, + "network": [ + { + "container_url": 5050, + "protocol": "" + } + ], + "Envs": [ + "productcatalogservice:3550", + "shippingservice:50051", + "paymentservice:50051", + "emailservice:5000", + "currencyservice:7000", + "cartservice:7070" + ] + } + }, + "target": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "cartservice", + "selectors": [ + "app:cartservice" + ], + "labels": { + "app": "cartservice" + }, + "serviceaccountname": "cartservice", + "filepath": "\\cartservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/cartservice:1bb10bf" + }, + "network": [ + { + "container_url": 7070, + "protocol": "" + } + ], + "Envs": null + } + }, + "link": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "resource": { + "name": "cartservice", + "namespace": "", + "selectors": [ + "app:cartservice" + ], + "type": "ClusterIP", + "filepath": "\\cartservice.yaml", + "kind": "Service", + "network": [ + { + "port": 7070, + "target_port": 7070 + } + ] + } + } + }, + { + "source": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "frontend", + "selectors": [ + "app:frontend" + ], + "labels": { + "app": "frontend" + }, + "serviceaccountname": "frontend", + "filepath": "\\frontend.yaml", + "kind": "Deployment", + "image": { + "id": 
"us-east4-docker.pkg.dev/mygke-200/containers/boutique/frontend:v0.3.6" + }, + "network": [ + { + "container_url": 8080, + "protocol": "" + } + ], + "Envs": [ + "productcatalogservice:3550", + "currencyservice:7000", + "cartservice:7070", + "recommendationservice:8080", + "shippingservice:50051", + "checkoutservice:5050", + "adservice:9555" + ] + } + }, + "target": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "cartservice", + "selectors": [ + "app:cartservice" + ], + "labels": { + "app": "cartservice" + }, + "serviceaccountname": "cartservice", + "filepath": "\\cartservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/cartservice:1bb10bf" + }, + "network": [ + { + "container_url": 7070, + "protocol": "" + } + ], + "Envs": null + } + }, + "link": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "resource": { + "name": "cartservice", + "namespace": "", + "selectors": [ + "app:cartservice" + ], + "type": "ClusterIP", + "filepath": "\\cartservice.yaml", + "kind": "Service", + "network": [ + { + "port": 7070, + "target_port": 7070 + } + ] + } + } + }, + { + "source": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "frontend", + "selectors": [ + "app:frontend" + ], + "labels": { + "app": "frontend" + }, + "serviceaccountname": "frontend", + "filepath": "\\frontend.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/frontend:v0.3.6" + }, + "network": [ + { + "container_url": 8080, + "protocol": "" + } + ], + "Envs": [ + "productcatalogservice:3550", + "currencyservice:7000", + "cartservice:7070", + 
"recommendationservice:8080", + "shippingservice:50051", + "checkoutservice:5050", + "adservice:9555" + ] + } + }, + "target": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "checkoutservice", + "selectors": [ + "app:checkoutservice" + ], + "labels": { + "app": "checkoutservice" + }, + "serviceaccountname": "checkoutservice", + "filepath": "\\checkoutservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/checkoutservice:v0.3.6" + }, + "network": [ + { + "container_url": 5050, + "protocol": "" + } + ], + "Envs": [ + "productcatalogservice:3550", + "shippingservice:50051", + "paymentservice:50051", + "emailservice:5000", + "currencyservice:7000", + "cartservice:7070" + ] + } + }, + "link": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "resource": { + "name": "checkoutservice", + "namespace": "", + "selectors": [ + "app:checkoutservice" + ], + "type": "ClusterIP", + "filepath": "\\checkoutservice.yaml", + "kind": "Service", + "network": [ + { + "port": 5050, + "target_port": 5050 + } + ] + } + } + }, + { + "source": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "checkoutservice", + "selectors": [ + "app:checkoutservice" + ], + "labels": { + "app": "checkoutservice" + }, + "serviceaccountname": "checkoutservice", + "filepath": "\\checkoutservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/checkoutservice:v0.3.6" + }, + "network": [ + { + "container_url": 5050, + "protocol": "" + } + ], + "Envs": [ + "productcatalogservice:3550", + "shippingservice:50051", + "paymentservice:50051", + 
"emailservice:5000", + "currencyservice:7000", + "cartservice:7070" + ] + } + }, + "target": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "currencyservice", + "selectors": [ + "app:currencyservice" + ], + "labels": { + "app": "currencyservice" + }, + "serviceaccountname": "currencyservice", + "filepath": "\\currencyservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/currencyservice:v0.3.6" + }, + "network": [ + { + "container_url": 7000, + "protocol": "" + } + ], + "Envs": null + } + }, + "link": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "resource": { + "name": "currencyservice", + "namespace": "", + "selectors": [ + "app:currencyservice" + ], + "type": "ClusterIP", + "filepath": "\\currencyservice.yaml", + "kind": "Service", + "network": [ + { + "port": 7000, + "target_port": 7000 + } + ] + } + } + }, + { + "source": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "frontend", + "selectors": [ + "app:frontend" + ], + "labels": { + "app": "frontend" + }, + "serviceaccountname": "frontend", + "filepath": "\\frontend.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/frontend:v0.3.6" + }, + "network": [ + { + "container_url": 8080, + "protocol": "" + } + ], + "Envs": [ + "productcatalogservice:3550", + "currencyservice:7000", + "cartservice:7070", + "recommendationservice:8080", + "shippingservice:50051", + "checkoutservice:5050", + "adservice:9555" + ] + } + }, + "target": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": 
"9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "currencyservice", + "selectors": [ + "app:currencyservice" + ], + "labels": { + "app": "currencyservice" + }, + "serviceaccountname": "currencyservice", + "filepath": "\\currencyservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/currencyservice:v0.3.6" + }, + "network": [ + { + "container_url": 7000, + "protocol": "" + } + ], + "Envs": null + } + }, + "link": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "resource": { + "name": "currencyservice", + "namespace": "", + "selectors": [ + "app:currencyservice" + ], + "type": "ClusterIP", + "filepath": "\\currencyservice.yaml", + "kind": "Service", + "network": [ + { + "port": 7000, + "target_port": 7000 + } + ] + } + } + }, + { + "source": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "checkoutservice", + "selectors": [ + "app:checkoutservice" + ], + "labels": { + "app": "checkoutservice" + }, + "serviceaccountname": "checkoutservice", + "filepath": "\\checkoutservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/checkoutservice:v0.3.6" + }, + "network": [ + { + "container_url": 5050, + "protocol": "" + } + ], + "Envs": [ + "productcatalogservice:3550", + "shippingservice:50051", + "paymentservice:50051", + "emailservice:5000", + "currencyservice:7000", + "cartservice:7070" + ] + } + }, + "target": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "emailservice", + "selectors": [ + "app:emailservice" + ], + "labels": { + "app": "emailservice" + }, + "serviceaccountname": 
"emailservice", + "filepath": "\\emailservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/emailservice:v0.3.6" + }, + "network": [ + { + "container_url": 8080, + "protocol": "" + } + ], + "Envs": null + } + }, + "link": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "resource": { + "name": "emailservice", + "namespace": "", + "selectors": [ + "app:emailservice" + ], + "type": "ClusterIP", + "filepath": "\\emailservice.yaml", + "kind": "Service", + "network": [ + { + "port": 5000, + "target_port": 8080 + } + ] + } + } + }, + { + "source": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "loadgenerator", + "selectors": [ + "app:loadgenerator" + ], + "labels": { + "app": "loadgenerator" + }, + "serviceaccountname": "loadgenerator", + "filepath": "\\loadgenerator.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/loadgenerator:v0.3.6" + }, + "network": null, + "Envs": [ + "frontend:80" + ] + } + }, + "target": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "frontend", + "selectors": [ + "app:frontend" + ], + "labels": { + "app": "frontend" + }, + "serviceaccountname": "frontend", + "filepath": "\\frontend.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/frontend:v0.3.6" + }, + "network": [ + { + "container_url": 8080, + "protocol": "" + } + ], + "Envs": [ + "productcatalogservice:3550", + "currencyservice:7000", + "cartservice:7070", + "recommendationservice:8080", + "shippingservice:50051", + "checkoutservice:5050", + "adservice:9555" + ] + 
} + }, + "link": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "resource": { + "name": "frontend", + "namespace": "", + "selectors": [ + "app:frontend" + ], + "type": "ClusterIP", + "filepath": "\\frontend.yaml", + "kind": "Service", + "network": [ + { + "port": 80, + "target_port": 8080 + } + ] + } + } + }, + { + "source": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "checkoutservice", + "selectors": [ + "app:checkoutservice" + ], + "labels": { + "app": "checkoutservice" + }, + "serviceaccountname": "checkoutservice", + "filepath": "\\checkoutservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/checkoutservice:v0.3.6" + }, + "network": [ + { + "container_url": 5050, + "protocol": "" + } + ], + "Envs": [ + "productcatalogservice:3550", + "shippingservice:50051", + "paymentservice:50051", + "emailservice:5000", + "currencyservice:7000", + "cartservice:7070" + ] + } + }, + "target": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "paymentservice", + "selectors": [ + "app:paymentservice" + ], + "labels": { + "app": "paymentservice" + }, + "serviceaccountname": "paymentservice", + "filepath": "\\paymentservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/paymentservice:v0.3.6" + }, + "network": [ + { + "container_url": 50051, + "protocol": "" + } + ], + "Envs": null + } + }, + "link": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "resource": { + "name": "paymentservice", + "namespace": 
"", + "selectors": [ + "app:paymentservice" + ], + "type": "ClusterIP", + "filepath": "\\paymentservice.yaml", + "kind": "Service", + "network": [ + { + "port": 50051, + "target_port": 50051 + } + ] + } + } + }, + { + "source": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "checkoutservice", + "selectors": [ + "app:checkoutservice" + ], + "labels": { + "app": "checkoutservice" + }, + "serviceaccountname": "checkoutservice", + "filepath": "\\checkoutservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/checkoutservice:v0.3.6" + }, + "network": [ + { + "container_url": 5050, + "protocol": "" + } + ], + "Envs": [ + "productcatalogservice:3550", + "shippingservice:50051", + "paymentservice:50051", + "emailservice:5000", + "currencyservice:7000", + "cartservice:7070" + ] + } + }, + "target": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "productcatalogservice", + "selectors": [ + "app:productcatalogservice" + ], + "labels": { + "app": "productcatalogservice" + }, + "serviceaccountname": "productcatalogservice", + "filepath": "\\productcatalogservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/productcatalogservice:v0.3.6" + }, + "network": [ + { + "container_url": 3550, + "protocol": "" + } + ], + "Envs": null + } + }, + "link": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "resource": { + "name": "productcatalogservice", + "namespace": "", + "selectors": [ + "app:productcatalogservice" + ], + "type": "ClusterIP", + "filepath": "\\productcatalogservice.yaml", + "kind": "Service", + 
"network": [ + { + "port": 3550, + "target_port": 3550 + } + ] + } + } + }, + { + "source": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "frontend", + "selectors": [ + "app:frontend" + ], + "labels": { + "app": "frontend" + }, + "serviceaccountname": "frontend", + "filepath": "\\frontend.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/frontend:v0.3.6" + }, + "network": [ + { + "container_url": 8080, + "protocol": "" + } + ], + "Envs": [ + "productcatalogservice:3550", + "currencyservice:7000", + "cartservice:7070", + "recommendationservice:8080", + "shippingservice:50051", + "checkoutservice:5050", + "adservice:9555" + ] + } + }, + "target": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "productcatalogservice", + "selectors": [ + "app:productcatalogservice" + ], + "labels": { + "app": "productcatalogservice" + }, + "serviceaccountname": "productcatalogservice", + "filepath": "\\productcatalogservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/productcatalogservice:v0.3.6" + }, + "network": [ + { + "container_url": 3550, + "protocol": "" + } + ], + "Envs": null + } + }, + "link": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "resource": { + "name": "productcatalogservice", + "namespace": "", + "selectors": [ + "app:productcatalogservice" + ], + "type": "ClusterIP", + "filepath": "\\productcatalogservice.yaml", + "kind": "Service", + "network": [ + { + "port": 3550, + "target_port": 3550 + } + ] + } + } + }, + { + "source": { + "git_url": 
"https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "recommendationservice", + "selectors": [ + "app:recommendationservice" + ], + "labels": { + "app": "recommendationservice" + }, + "serviceaccountname": "recommendationservice", + "filepath": "\\recommendationservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/recommendationservice:v0.3.6" + }, + "network": [ + { + "container_url": 8080, + "protocol": "" + } + ], + "Envs": [ + "productcatalogservice:3550" + ] + } + }, + "target": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "productcatalogservice", + "selectors": [ + "app:productcatalogservice" + ], + "labels": { + "app": "productcatalogservice" + }, + "serviceaccountname": "productcatalogservice", + "filepath": "\\productcatalogservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/productcatalogservice:v0.3.6" + }, + "network": [ + { + "container_url": 3550, + "protocol": "" + } + ], + "Envs": null + } + }, + "link": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "resource": { + "name": "productcatalogservice", + "namespace": "", + "selectors": [ + "app:productcatalogservice" + ], + "type": "ClusterIP", + "filepath": "\\productcatalogservice.yaml", + "kind": "Service", + "network": [ + { + "port": 3550, + "target_port": 3550 + } + ] + } + } + }, + { + "source": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "frontend", + "selectors": [ + "app:frontend" + ], + "labels": { + 
"app": "frontend" + }, + "serviceaccountname": "frontend", + "filepath": "\\frontend.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/frontend:v0.3.6" + }, + "network": [ + { + "container_url": 8080, + "protocol": "" + } + ], + "Envs": [ + "productcatalogservice:3550", + "currencyservice:7000", + "cartservice:7070", + "recommendationservice:8080", + "shippingservice:50051", + "checkoutservice:5050", + "adservice:9555" + ] + } + }, + "target": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "recommendationservice", + "selectors": [ + "app:recommendationservice" + ], + "labels": { + "app": "recommendationservice" + }, + "serviceaccountname": "recommendationservice", + "filepath": "\\recommendationservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/recommendationservice:v0.3.6" + }, + "network": [ + { + "container_url": 8080, + "protocol": "" + } + ], + "Envs": [ + "productcatalogservice:3550" + ] + } + }, + "link": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "resource": { + "name": "recommendationservice", + "namespace": "", + "selectors": [ + "app:recommendationservice" + ], + "type": "ClusterIP", + "filepath": "\\recommendationservice.yaml", + "kind": "Service", + "network": [ + { + "port": 8080, + "target_port": 8080 + } + ] + } + } + }, + { + "source": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "checkoutservice", + "selectors": [ + "app:checkoutservice" + ], + "labels": { + "app": "checkoutservice" + }, + "serviceaccountname": "checkoutservice", + "filepath": 
"\\checkoutservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/checkoutservice:v0.3.6" + }, + "network": [ + { + "container_url": 5050, + "protocol": "" + } + ], + "Envs": [ + "productcatalogservice:3550", + "shippingservice:50051", + "paymentservice:50051", + "emailservice:5000", + "currencyservice:7000", + "cartservice:7070" + ] + } + }, + "target": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "shippingservice", + "selectors": [ + "app:shippingservice" + ], + "labels": { + "app": "shippingservice" + }, + "serviceaccountname": "shippingservice", + "filepath": "\\shippingservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/shippingservice:v0.3.6" + }, + "network": [ + { + "container_url": 50051, + "protocol": "" + } + ], + "Envs": null + } + }, + "link": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "resource": { + "name": "shippingservice", + "namespace": "", + "selectors": [ + "app:shippingservice" + ], + "type": "ClusterIP", + "filepath": "\\shippingservice.yaml", + "kind": "Service", + "network": [ + { + "port": 50051, + "target_port": 50051 + } + ] + } + } + }, + { + "source": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "frontend", + "selectors": [ + "app:frontend" + ], + "labels": { + "app": "frontend" + }, + "serviceaccountname": "frontend", + "filepath": "\\frontend.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/frontend:v0.3.6" + }, + "network": [ + { + "container_url": 8080, + "protocol": "" + } + ], + "Envs": [ 
+ "productcatalogservice:3550", + "currencyservice:7000", + "cartservice:7070", + "recommendationservice:8080", + "shippingservice:50051", + "checkoutservice:5050", + "adservice:9555" + ] + } + }, + "target": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "Resource": { + "name": "shippingservice", + "selectors": [ + "app:shippingservice" + ], + "labels": { + "app": "shippingservice" + }, + "serviceaccountname": "shippingservice", + "filepath": "\\shippingservice.yaml", + "kind": "Deployment", + "image": { + "id": "us-east4-docker.pkg.dev/mygke-200/containers/boutique/shippingservice:v0.3.6" + }, + "network": [ + { + "container_url": 50051, + "protocol": "" + } + ], + "Envs": null + } + }, + "link": { + "git_url": "https://github.com/nadgowdas/microservices-demo", + "git_branch": "matser", + "commitid": "9133fdc043b20be15f958339e96564eac04bed6e", + "resource": { + "name": "shippingservice", + "namespace": "", + "selectors": [ + "app:shippingservice" + ], + "type": "ClusterIP", + "filepath": "\\shippingservice.yaml", + "kind": "Service", + "network": [ + { + "port": 50051, + "target_port": 50051 + } + ] + } + } + } +] \ No newline at end of file diff --git a/tests/er_files/online-boutique-with-sa-istio-auth-policies-allow-loadgen-baseline.yaml b/tests/er_files/online-boutique-with-sa-istio-auth-policies-allow-loadgen-baseline.yaml new file mode 100644 index 0000000..9c0f9c6 --- /dev/null +++ b/tests/er_files/online-boutique-with-sa-istio-auth-policies-allow-loadgen-baseline.yaml 
@@ -0,0 +1,320 @@ +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: frontend-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/loadgenerator + to: + - operation: + ports: + - '8080' + - from: + - source: + principals: + - cluster.local/ns/default/sa/loadgenerator + to: + - operation: + ports: + - '32000' + selector: + matchLabels: + app: frontend +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: adservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '9555' + - from: + - source: + principals: + - cluster.local/ns/default/sa/loadgenerator + to: + - operation: + ports: + - '32000' + selector: + matchLabels: + app: adservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: checkoutservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '5050' + - from: + - source: + principals: + - cluster.local/ns/default/sa/loadgenerator + to: + - operation: + ports: + - '32000' + selector: + matchLabels: + app: checkoutservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: cartservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/checkoutservice + to: + - operation: + ports: + - '7070' + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '7070' + - from: + - source: + principals: + - cluster.local/ns/default/sa/loadgenerator + to: + - operation: + ports: + - '32000' + selector: + matchLabels: + app: cartservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: currencyservice-authpol +spec: + action: ALLOW + 
rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/checkoutservice + to: + - operation: + ports: + - '7000' + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '7000' + - from: + - source: + principals: + - cluster.local/ns/default/sa/loadgenerator + to: + - operation: + ports: + - '32000' + selector: + matchLabels: + app: currencyservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: emailservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/checkoutservice + to: + - operation: + ports: + - '8080' + - from: + - source: + principals: + - cluster.local/ns/default/sa/loadgenerator + to: + - operation: + ports: + - '32000' + selector: + matchLabels: + app: emailservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: loadgenerator-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/loadgenerator + to: + - operation: + ports: + - '32000' + selector: + matchLabels: + app: loadgenerator +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: paymentservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/checkoutservice + to: + - operation: + ports: + - '50051' + selector: + matchLabels: + app: paymentservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: productcatalogservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/checkoutservice + to: + - operation: + ports: + - '3550' + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '3550' + - from: + - source: + principals: + - cluster.local/ns/default/sa/recommendationservice + to: + - 
operation: + ports: + - '3550' + - from: + - source: + principals: + - cluster.local/ns/default/sa/loadgenerator + to: + - operation: + ports: + - '32000' + selector: + matchLabels: + app: productcatalogservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: recommendationservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '8080' + - from: + - source: + principals: + - cluster.local/ns/default/sa/loadgenerator + to: + - operation: + ports: + - '32000' + selector: + matchLabels: + app: recommendationservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: shippingservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/checkoutservice + to: + - operation: + ports: + - '50051' + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '50051' + - from: + - source: + principals: + - cluster.local/ns/default/sa/loadgenerator + to: + - operation: + ports: + - '32000' + selector: + matchLabels: + app: shippingservice diff --git a/tests/er_files/online-boutique-with-sa-istio-auth-policies-restrict_access_to_payment-baseline.yaml b/tests/er_files/online-boutique-with-sa-istio-auth-policies-restrict_access_to_payment-baseline.yaml new file mode 100644 index 0000000..637d839 --- /dev/null +++ b/tests/er_files/online-boutique-with-sa-istio-auth-policies-restrict_access_to_payment-baseline.yaml 
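Review bot: Every generated AuthorizationPolicy here omits `metadata.namespace` while each principal is hard-coded to `cluster.local/ns/default/sa/<name>` (see the `frontend-authpol` block at the top of this hunk); the input links in the preceding JSON carry `"namespace": ""`, so `default` looks like a generator-side fallback rather than a value taken from the input. If these manifests are applied into any namespace other than `default`, the selector and the principals end up in different namespaces, and because principal matching is exact the rules would never match and the traffic they were meant to admit would be denied. Consider emitting `namespace: default` next to `name` in `metadata`, or deriving the policy namespace and the principal namespace from the same source, so the fixture states the assumption explicitly. The same pattern appears in the two fixtures that follow (restrict-access-to-payment and no-baseline).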
@@ -0,0 +1,232 @@ +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: frontend-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/loadgenerator + to: + - operation: + ports: + - '8080' + selector: + matchLabels: + app: frontend +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: adservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '9555' + selector: + matchLabels: + app: adservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: checkoutservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '5050' + selector: + matchLabels: + app: checkoutservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: cartservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/checkoutservice + to: + - operation: + ports: + - '7070' + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '7070' + selector: + matchLabels: + app: cartservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: currencyservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/checkoutservice + to: + - operation: + ports: + - '7000' + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '7000' + selector: + matchLabels: + app: currencyservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: emailservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - 
cluster.local/ns/default/sa/checkoutservice + to: + - operation: + ports: + - '8080' + selector: + matchLabels: + app: emailservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: loadgenerator-authpol +spec: + action: ALLOW + rules: [] + selector: + matchLabels: + app: loadgenerator +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: paymentservice-authpol +spec: + action: ALLOW + rules: [] + selector: + matchLabels: + app: paymentservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: productcatalogservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/checkoutservice + to: + - operation: + ports: + - '3550' + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '3550' + - from: + - source: + principals: + - cluster.local/ns/default/sa/recommendationservice + to: + - operation: + ports: + - '3550' + selector: + matchLabels: + app: productcatalogservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: recommendationservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '8080' + selector: + matchLabels: + app: recommendationservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: shippingservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/checkoutservice + to: + - operation: + ports: + - '50051' + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '50051' + selector: + matchLabels: + app: shippingservice 
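Review bot: `paymentservice-authpol` in this fixture expects `rules: []` under `action: ALLOW`, whereas the no-baseline fixture for the same input (next file) expects a rule admitting `cluster.local/ns/default/sa/checkoutservice` on port `'50051'`. In Istio an ALLOW policy whose rule list is empty matches no request, so the selected workload becomes unreachable from inside the mesh; if `restrict_access_to_payment.yaml` is meant to keep checkout→payment and only cut the other callers, this expected output would be encoding an over-broad deny, so it is worth confirming against the baseline rule before the fixture is accepted. The same `rules: []` shape is used for `loadgenerator-authpol` here and in the following fixture, where deny-all is plausibly intended, but a one-line note in the README that `rules: []` is the deny-all form would help anyone reading these manifests.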
diff --git a/tests/er_files/online-boutique-with-sa-no-baseline-istio-auth-policies.yaml b/tests/er_files/online-boutique-with-sa-no-baseline-istio-auth-policies.yaml
new file mode 100644
index 0000000..ef324b3
--- /dev/null
+++ b/tests/er_files/online-boutique-with-sa-no-baseline-istio-auth-policies.yaml
@@ -0,0 +1,240 @@ +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: frontend-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/loadgenerator + to: + - operation: + ports: + - '8080' + selector: + matchLabels: + app: frontend +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: adservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '9555' + selector: + matchLabels: + app: adservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: checkoutservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '5050' + selector: + matchLabels: + app: checkoutservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: cartservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/checkoutservice + to: + - operation: + ports: + - '7070' + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '7070' + selector: + matchLabels: + app: cartservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: currencyservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/checkoutservice + to: + - operation: + ports: + - '7000' + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '7000' + selector: + matchLabels: + app: currencyservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: emailservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - 
cluster.local/ns/default/sa/checkoutservice + to: + - operation: + ports: + - '8080' + selector: + matchLabels: + app: emailservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: loadgenerator-authpol +spec: + action: ALLOW + rules: [] + selector: + matchLabels: + app: loadgenerator +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: paymentservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/checkoutservice + to: + - operation: + ports: + - '50051' + selector: + matchLabels: + app: paymentservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: productcatalogservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/checkoutservice + to: + - operation: + ports: + - '3550' + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '3550' + - from: + - source: + principals: + - cluster.local/ns/default/sa/recommendationservice + to: + - operation: + ports: + - '3550' + selector: + matchLabels: + app: productcatalogservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: recommendationservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '8080' + selector: + matchLabels: + app: recommendationservice +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: shippingservice-authpol +spec: + action: ALLOW + rules: + - from: + - source: + principals: + - cluster.local/ns/default/sa/checkoutservice + to: + - operation: + ports: + - '50051' + - from: + - source: + principals: + - cluster.local/ns/default/sa/frontend + to: + - operation: + ports: + - '50051' + selector: + matchLabels: + app: shippingservice 
diff --git a/tests/tests.json b/tests/tests.json
index 3f547ad..1bf43b6 100644
--- a/tests/tests.json
+++ b/tests/tests.json
@@ -32,5 +32,20 @@
 "name": "akmebank-allow-https-baseline",
 "inputLinks": "akmebank-links.json",
 "args": ["-b", "../baseline-rules/examples/allow_https_egress.yaml"]
+ },
+ {
+ "name": "online-boutique-with-sa-no-baseline-istio-auth-policies",
+ "inputLinks": "online-boutique-with-sa.json",
+ "args": ["--policy_type=istio"]
+ },
+ {
+ "name": "online-boutique-with-sa-istio-auth-policies-allow-loadgen-baseline",
+ "inputLinks": "online-boutique-with-sa.json",
+ "args": ["--policy_type=istio", "-b", "../baseline-rules/examples/allow_load_generation.yaml"]
+ },
+ {
+ "name": "online-boutique-with-sa-istio-auth-policies-restrict_access_to_payment-baseline",
+ "inputLinks": "online-boutique-with-sa.json",
+ "args": ["--policy_type=istio", "-b", "../baseline-rules/examples/restrict_access_to_payment.yaml"]
 }
 ]
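Review bot: All three new Istio cases run against the same `online-boutique-with-sa.json` input, in which every Deployment carries a `serviceaccountname`, so the path where a Deployment has no service account is never exercised for `--policy_type=istio`; a principal built from an empty name would presumably end in `sa/` and silently match nothing, which is fail-closed but not the explicit error a user would want. Likewise none of these inputs appears to include a LoadBalancer-type service, so whether the Istio generator maps an internet-exposed source to `source.ipBlocks`/`remoteIpBlocks` or drops it is untested (the generator is outside this diff, so this is inferred). A fourth case using an input without service accounts, and one with an internet-exposed service, would pin both behaviours. Minor: the third `name` mixes `-` and `_` (`restrict_access_to_payment-baseline`), unlike the other entries.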