updated sample-application and used kyverno-ext-authz server as sidecar
Signed-off-by: Sanskarzz <sanskar.gur@gmail.com>
Parent: 853bc37. Commit: ac8dbbe.
Showing 9 changed files with 260 additions and 282 deletions.
@@ -0,0 +1,6 @@ | ||
apiVersion: v1 | ||
kind: Namespace | ||
metadata: | ||
name: demo | ||
labels: | ||
istio-injection: enabled |
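Review bot: this hunk introduces a stand-alone manifest for Namespace `demo`, yet the renamed test-application.yaml hunk in this same commit still shows a Namespace `demo` block with `istio-injection: enabled` at its top; since the rendering drops the +/- markers, confirm that block was removed from test-application.yaml, otherwise two files own the same object and whichever is applied last wins on its labels (including the injection label the mesh depends on).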
@@ -0,0 +1,47 @@ | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: policy-files | ||
namespace: demo | ||
data: | ||
policy.yaml: | | ||
apiVersion: json.kyverno.io/v1alpha1 | ||
kind: ValidatingPolicy | ||
metadata: | ||
name: checkrequest | ||
spec: | ||
rules: | ||
- name: deny-guest-request-at-post | ||
assert: | ||
any: | ||
- message: "POST method calls at path /book are not allowed to guests users" | ||
check: | ||
request: | ||
http: | ||
method: POST | ||
headers: | ||
authorization: | ||
(split(@, ' ')[1]): | ||
(jwt_decode(@ , 'secret').payload.role): admin | ||
path: /book | ||
- message: "GET method call is allowed to both guest and admin users" | ||
check: | ||
request: | ||
http: | ||
method: GET | ||
headers: | ||
authorization: | ||
(split(@, ' ')[1]): | ||
(jwt_decode(@ , 'secret').payload.role): admin | ||
path: /book | ||
- message: "GET method call is allowed to both guest and admin users" | ||
check: | ||
request: | ||
http: | ||
method: GET | ||
headers: | ||
authorization: | ||
(split(@, ' ')[1]): | ||
(jwt_decode(@ , 'secret').payload.role): guest | ||
path: /book | ||
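Review bot: the key handed to `jwt_decode(@ , 'secret')` in all three checks is the literal string `secret`, and it ships inside a plain ConfigMap; even for a demo, move the verification key into a Secret (or at least a clearly marked placeholder) so the policy file is not the place where the signing key lives. Two smaller points in the same hunk: `(split(@, ' ')[1])` takes whatever follows the first space without checking that the scheme token is `Bearer`, and the second and third `any` entries carry the identical message `"GET method call is allowed to both guest and admin users"` while the first says "not allowed to guests" but actually checks `role: admin`; messages that name the condition being asserted (for example "POST /book requires role admin") make deny responses far easier to read in the authorizer logs.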
@@ -0,0 +1,17 @@ | ||
# ServiceEntry to register the Kyverno-Envoy sidecars as external authorizers. | ||
apiVersion: networking.istio.io/v1beta1 | ||
kind: ServiceEntry | ||
metadata: | ||
name: kyverno-ext-authz-grpc-local | ||
spec: | ||
hosts: | ||
- "kyverno-ext-authz-grpc.local" | ||
# The service name to be used in the extension provider in the mesh config. | ||
endpoints: | ||
- address: "127.0.0.1" | ||
ports: | ||
- name: grpc | ||
number: 9000 | ||
# The port number to be used in the extension provider in the mesh config. | ||
protocol: GRPC | ||
resolution: STATIC |
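Review bot: the two comments point at "the extension provider in the mesh config", but nothing in this commit adds a `meshConfig.extensionProviders` entry or an `AuthorizationPolicy` with `action: CUSTOM` that references `kyverno-ext-authz-grpc.local`; without both, this ServiceEntry is inert and no request is ever sent to port 9000. Also worth a comment in the file: with `resolution: STATIC` and `address: "127.0.0.1"`, the host resolves inside each workload's own pod, so every workload the policy selects must actually run the ext-authz container on 9000; Istio's ext_authz provider denies when the authorizer is unreachable (failOpen is off unless set), so a pod missing the sidecar will have all matched requests rejected rather than silently allowed.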
demo/istio/manifests/sample-application.yaml → demo/istio/manifests/test-application.yaml (24 changes: 9 additions & 15 deletions)
@@ -1,40 +1,34 @@ | ||
apiVersion: v1 | ||
kind: Namespace | ||
metadata: | ||
name: demo | ||
labels: | ||
istio-injection: enabled | ||
--- | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: echo | ||
name: testapp | ||
namespace: demo | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: echo | ||
app: testapp | ||
template: | ||
metadata: | ||
labels: | ||
app: echo | ||
kyverno-envoy-sidecar/injection: enabled | ||
app: testapp | ||
spec: | ||
containers: | ||
- name: echo | ||
image: mendhak/http-https-echo | ||
- name: testapp | ||
image: sanskardevops/test-application:0.0.1 | ||
ports: | ||
- containerPort: 8080 | ||
--- | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: echo | ||
name: testapp | ||
namespace: demo | ||
spec: | ||
type: ClusterIP | ||
type: ClusterIP | ||
selector: | ||
app: echo | ||
app: testapp | ||
ports: | ||
- port: 8080 | ||
targetPort: 8080 |
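Review bot: the commit message says the kyverno-ext-authz server is used as a sidecar, but this hunk drops the `kyverno-envoy-sidecar/injection: enabled` label from the pod template and lists only the `testapp` container, so nothing in the Deployment injects or runs a second container listening on 127.0.0.1:9000, which is exactly where the new ServiceEntry points; either keep the injection label or add the ext-authz container explicitly to the pod spec. Separately, `image: sanskardevops/test-application:0.0.1` is pinned by a mutable tag only; pinning by digest (or at least documenting where the tag is built from) keeps the demo reproducible. The `type: ClusterIP` pair appears to be a whitespace-only change and is harmless.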