feat: analogous AuthorizationPolicies to NetworkPolicies for (Istio) …

…multi-cluster access
Nextdoor · Oct 25, 2024 · c9d5fe3 · c9d5fe3
1 parent ffb64c5
commit c9d5fe3
Show file tree

Hide file tree

Showing 20 changed files with 221 additions and 28 deletions.
diff --git a/charts/nd-common/Chart.yaml b/charts/nd-common/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: nd-common
 description: A helper chart used by most of our other charts
 type: library
-version: 0.3.2
+version: 0.3.3
 appVersion: latest
diff --git a/charts/nd-common/README.md b/charts/nd-common/README.md
@@ -2,7 +2,7 @@
 
 A helper chart used by most of our other charts
 
-![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
+![Version: 0.3.3](https://img.shields.io/badge/Version-0.3.3-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
 
 **This chart is a [Library Chart](https://helm.sh/docs/topics/library_charts/)** -
 this means that the chart itself deploys no resources, and has no `.yaml`

diff --git a/charts/nd-common/templates/_authorizationpolicy.tpl b/charts/nd-common/templates/_authorizationpolicy.tpl
@@ -0,0 +1,81 @@
+{{- /*
+
+This function creates the following two AuthorizationPolicy objects:
+
+  1. To allow same-namespace access (this can probably be migrated to a
+     Kyverno ClusterPolicy that applies this on all namespaces, but for
+     now adding here for smooth transition for "allow" AuthorizationPolicies
+     to be created too)
+
+  2. To allowNamespaces to have ingress access to the service (a drop-in
+     replacement of the NetworkPolicy we make defunct when a service is to
+     be accessed from a multi-cluster setup
+
+These objects are generally pretty simple, but we re-use them in a few places
+and it's nice to have one common way to make them.
+
+AuthorizationPolicies can be used in lieu of NetworkPolicies in a multi-
+cluster setup
+
+Via https://istio.io/latest/docs/concepts/security/#allow-nothing-deny-all-and-allow-all-policy:
+
+> Note the “deny by default” behavior applies only if the workload has at least one authorization
+policy with the ALLOW action.
+
+- */}}
+{{- define "nd-common.authorizationPolicy" }}
+{{- if .Values.istio.enabled }}
+{{- /*
+
+Create a default AuthorizationPolicy that allows local namespace ingress
+
+See note above: after a while, wWe can probably have this as part of a
+Kyverno ClusterPolicy that's added to all namespaces.
+
+- */}}
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-local-namespace-ingress
+spec:
+  selector:
+    matchLabels:
+      {{- include "nd-common.selectorLabels" . | nindent 6 }}
+  action: ALLOW
+  rules:
+  - from:
+    - source:
+        namespaces: [{{ .Release.Namespace }}]
+
+{{- if .Values.ports }}
+{{- if gt (len .Values.ports) 0 }}
+{{- if gt (len .Values.network.allowedNamespaces) 0 }}
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-{{ include "nd-common.fullname" . }}-ingress
+spec:
+  selector:
+    matchLabels:
+      {{- include "nd-common.selectorLabels" . | nindent 6 }}
+  action: ALLOW
+  rules:
+  - from:
+    - source:
+        namespaces:
+        {{- range .Values.network.allowedNamespaces }}
+        - {{ . | quote }}
+        {{- end }}
+    to:
+    - operation:
+        ports:
+        {{- range $port := .Values.ports }}
+        - {{ $port.containerPort | quote }}
+        {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nd-common/templates/_networkpolicy.tpl b/charts/nd-common/templates/_networkpolicy.tpl
@@ -8,6 +8,28 @@ Kubernetes network, as our default is to block all traffic.
 */}}
 
 {{- define "nd-common.networkPolicy" }}
+{{- if .Values.network.multiCluster.allowFromRemote }}
+{{- /*
+
+NetworkPolicies can't enforce Ingress from **outside** the Kubernetes
+cluster - i.e., it only knows about cluster-local namespaces. So, we
+allow all and instead restrict with Istio's AuthorizationPolicy
+
+- */}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-for-multi-cluster-all-ingress
+  labels:
+    {{- include "nd-common.labels" . | nindent 4 }}
+spec:
+  policyTypes: [Ingress]
+  podSelector:
+    matchLabels:
+      {{- include "nd-common.selectorLabels" . | nindent 6 }}
+  ingress:
+    - {}
+{{- else }}
 {{- if .Values.ports }}
 {{- if gt (len .Values.ports) 0 }}
 {{- if gt (len .Values.network.allowedNamespaces) 0 }}
@@ -42,3 +64,4 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/charts/rollout-app/Chart.yaml b/charts/rollout-app/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: rollout-app
 description: Argo Rollout-based Application Helm Chart
 type: application
-version: 1.3.1
+version: 1.3.2
 appVersion: latest
 maintainers:
   - name: diranged
@@ -13,5 +13,5 @@ dependencies:
     repository: https://k8s-charts.nextdoor.com
     condition: istio-alerts.enabled
   - name: nd-common
-    version: 0.3.2
+    version: 0.3.3
     repository: file://../nd-common
diff --git a/charts/rollout-app/README.md b/charts/rollout-app/README.md
@@ -2,7 +2,7 @@
 
 Argo Rollout-based Application Helm Chart
 
-![Version: 1.3.1](https://img.shields.io/badge/Version-1.3.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
+![Version: 1.3.2](https://img.shields.io/badge/Version-1.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
 
 [analysistemplate]: https://argoproj.github.io/argo-rollouts/features/analysis/?query=AnalysisTemplate#background-analysis
 [argo_rollouts]: https://argoproj.github.io/argo-rollouts/
@@ -20,6 +20,16 @@ how these work, and the various custom resource definitions.
 
 ### 1.2.x -> 1.3.x
 
+**NEW: Allow access from cross-cluster, in-mesh services**
+
+`network.multiCluster.allowFromRemote` will tweak your NetworkPolicies to allow
+access from other services running in a different cluster in a multi-cluter,
+multi-primary Istio environment.
+
+Also, beginning with this version, if your app is on the mesh, we'll create
+analogous [AuthorizationPolicies](https://istio.io/latest/docs/reference/config/security/authorization-policy/) to the already existing NetworkPolicies,
+as they work in lieu of NetPols for a multi-clustered, multi-primary setup.
+
 **NEW: Maintenance Mode and Custom HTTP Fault Injections**
 
 `virtualService.fault` allows you to set custom [HTTP fault injections](https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPFaultInjection)
@@ -206,7 +216,7 @@ secretsEngine: sealed
 
 | Repository | Name | Version |
 |------------|------|---------|
-| file://../nd-common | nd-common | 0.3.2 |
+| file://../nd-common | nd-common | 0.3.3 |
 | https://k8s-charts.nextdoor.com | istio-alerts | 0.5.2 |
 
 ## Values
@@ -299,7 +309,8 @@ secretsEngine: sealed
 | monitor.scrapeTimeout | string | `nil` | ServiceMonitor scrape timeout in Go duration format (e.g. 15s) |
 | monitor.tlsConfig | string | `nil` | ServiceMonitor will use these tlsConfig settings to make the health check requests |
 | nameOverride | string | `""` |  |
-| network.allowedNamespaces | `strings[]` | `[]` | A list of namespaces that are allowed to access the Pods in this application. If not supplied, then no `NetworkPolicy` is created, and your application may be isolated to itself. Note, enabling `VirtualService` or `Ingress` configurations will create their own dedicated `NetworkPolicy` resources, so this is only intended for internal service-to-service communication grants. |
+| network.allowedNamespaces | `strings[]` | `[]` | A list of namespaces that are allowed to access the Pods in this application. If not supplied, then no `NetworkPolicy` or `AuthorizationPolicy` is created, and your application may be isolated to itself. Note, enabling `VirtualService` or `Ingress` configurations will create their own dedicated `NetworkPolicy` resources, so this is only intended for internal service-to-service communication grants. |
+| network.multiCluster.allowFromRemote | `bool` | `false` | If set to "True", then the NetworkPolicies will be opened up and traffic auth will be managed by Istio's `AuthorizationPolicy` instead.  This assumes your app is part of the Istio service mesh |
 | nodeSelector | `map` | `{}` | A list of key/value pairs that will be added in to the nodeSelector spec for the pods. |
 | podAnnotations | `Map` | `{}` | List of Annotations to be added to the PodSpec |
 | podDisruptionBudget | object | `{"maxUnavailable":1}` | Set up a PodDisruptionBudget for the Deployment. See https://kubernetes.io/docs/tasks/run-application/configure-pdb/ for more details. |

diff --git a/charts/rollout-app/README.md.gotmpl b/charts/rollout-app/README.md.gotmpl
@@ -19,6 +19,16 @@ how these work, and the various custom resource definitions.
 
 ### 1.2.x -> 1.3.x
 
+**NEW: Allow access from cross-cluster, in-mesh services**
+
+`network.multiCluster.allowFromRemote` will tweak your NetworkPolicies to allow
+access from other services running in a different cluster in a multi-cluter,
+multi-primary Istio environment.
+
+Also, beginning with this version, if your app is on the mesh, we'll create
+analogous [AuthorizationPolicies](https://istio.io/latest/docs/reference/config/security/authorization-policy/) to the already existing NetworkPolicies,
+as they work in lieu of NetPols for a multi-clustered, multi-primary setup.
+
 **NEW: Maintenance Mode and Custom HTTP Fault Injections**
 
 `virtualService.fault` allows you to set custom [HTTP fault injections](https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPFaultInjection)

diff --git a/charts/rollout-app/templates/authorizationpolicy.yaml b/charts/rollout-app/templates/authorizationpolicy.yaml
@@ -0,0 +1 @@
+{{- include "nd-common.authorizationPolicy" . }}
diff --git a/charts/rollout-app/values.yaml b/charts/rollout-app/values.yaml
@@ -805,14 +805,21 @@ istio:
 
 # Network access controls for the Pods in this application
 network:
-  # -- (`strings[]`) A list of namespaces that are allowed to access the Pods
-  # in this application. If not supplied, then no `NetworkPolicy` is created,
-  # and your application may be isolated to itself. Note, enabling
-    # `VirtualService` or `Ingress` configurations will create their own
+  # -- (`strings[]`) A list of namespaces that are allowed to access the Pods in
+  # this application. If not supplied, then no `NetworkPolicy` or `AuthorizationPolicy`
+  # is created, and your application may be isolated to itself. Note, enabling
+  # `VirtualService` or `Ingress` configurations will create their own
   # dedicated `NetworkPolicy` resources, so this is only intended for internal
   # service-to-service communication grants.
   allowedNamespaces: []
 
+  multiCluster:
+    # -- (`bool`) If set to "True", then the NetworkPolicies will be opened up
+    # and traffic auth will be managed by Istio's `AuthorizationPolicy` instead.
+    #
+    # This assumes your app is part of the Istio service mesh
+    allowFromRemote: false
+
 # Configures labels and other parameters assuming that the Datadog Agent is
 # installed on the underlying hosts and is part of the Kubernetes cluster.
 datadog:

diff --git a/charts/simple-app/Chart.yaml b/charts/simple-app/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: simple-app
 description: Default Microservice Helm Chart
 type: application
-version: 1.11.1
+version: 1.11.2
 appVersion: latest
 maintainers:
   - name: diranged
@@ -13,5 +13,5 @@ dependencies:
     repository: https://k8s-charts.nextdoor.com
     condition: istio-alerts.enabled
   - name: nd-common
-    version: 0.3.2
+    version: 0.3.3
     repository: file://../nd-common
diff --git a/charts/simple-app/README.md b/charts/simple-app/README.md
@@ -2,7 +2,7 @@
 
 Default Microservice Helm Chart
 
-![Version: 1.11.1](https://img.shields.io/badge/Version-1.11.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
+![Version: 1.11.2](https://img.shields.io/badge/Version-1.11.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
 
 [deployments]: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
 [hpa]: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
@@ -15,6 +15,16 @@ defaults for you like the Kubernetes [Horizontal Pod Autoscaler][hpa].
 
 ### 1.10.x -> 1.11.x
 
+**NEW: Allow access from cross-cluster, in-mesh services**
+
+`network.multiCluster.allowFromRemote` will tweak your NetworkPolicies to allow
+access from other services running in a different cluster in a multi-cluter,
+multi-primary Istio environment.
+
+Also, beginning with this version, if your app is on the mesh, we'll create
+analogous [AuthorizationPolicies](https://istio.io/latest/docs/reference/config/security/authorization-policy/) to the already existing NetworkPolicies,
+as they work in lieu of NetPols for a multi-clustered, multi-primary setup.
+
 **NEW: Maintenance Mode and Custom HTTP Fault Injections**
 
 `virtualService.fault` allows you to set custom [HTTP fault injections](https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPFaultInjection)
@@ -356,7 +366,7 @@ secretsEngine: sealed
 
 | Repository | Name | Version |
 |------------|------|---------|
-| file://../nd-common | nd-common | 0.3.2 |
+| file://../nd-common | nd-common | 0.3.3 |
 | https://k8s-charts.nextdoor.com | istio-alerts | 0.5.2 |
 
 ## Values
@@ -434,7 +444,8 @@ secretsEngine: sealed
 | monitor.scrapeTimeout | string | `nil` | ServiceMonitor scrape timeout in Go duration format (e.g. 15s) |
 | monitor.tlsConfig | string | `nil` | ServiceMonitor will use these tlsConfig settings to make the health check requests |
 | nameOverride | string | `""` |  |
-| network.allowedNamespaces | `strings[]` | `[]` | A list of namespaces that are allowed to access the Pods in this application. If not supplied, then no `NetworkPolicy` is created, and your application may be isolated to itself. Note, enabling `VirtualService` or `Ingress` configurations will create their own dedicated `NetworkPolicy` resources, so this is only intended for internal service-to-service communication grants. |
+| network.allowedNamespaces | `strings[]` | `[]` | A list of namespaces that are allowed to access the Pods in this application. If not supplied, then no `NetworkPolicy` or `AuthorizationPolicy` is created, and your application may be isolated to itself. Note, enabling `VirtualService` or `Ingress` configurations will create their own dedicated `NetworkPolicy` resources, so this is only intended for internal service-to-service communication grants. |
+| network.multiCluster.allowFromRemote | `bool` | `false` | If set to "True", then the NetworkPolicies will be opened up and traffic auth will be managed by Istio's `AuthorizationPolicy` instead.  This assumes your app is part of the Istio service mesh |
 | nodeSelector | `map` | `{}` | A list of key/value pairs that will be added in to the nodeSelector spec for the pods. |
 | podAnnotations | `Map` | `{}` | List of Annotations to be added to the PodSpec |
 | podDisruptionBudget | object | `{"maxUnavailable":1}` | Set up a PodDisruptionBudget for the Deployment. See https://kubernetes.io/docs/tasks/run-application/configure-pdb/ for more details. |

diff --git a/charts/simple-app/README.md.gotmpl b/charts/simple-app/README.md.gotmpl
@@ -14,6 +14,16 @@ defaults for you like the Kubernetes [Horizontal Pod Autoscaler][hpa].
 
 ### 1.10.x -> 1.11.x
 
+**NEW: Allow access from cross-cluster, in-mesh services**
+
+`network.multiCluster.allowFromRemote` will tweak your NetworkPolicies to allow
+access from other services running in a different cluster in a multi-cluter,
+multi-primary Istio environment.
+
+Also, beginning with this version, if your app is on the mesh, we'll create
+analogous [AuthorizationPolicies](https://istio.io/latest/docs/reference/config/security/authorization-policy/) to the already existing NetworkPolicies,
+as they work in lieu of NetPols for a multi-clustered, multi-primary setup.
+
 **NEW: Maintenance Mode and Custom HTTP Fault Injections**
 
 `virtualService.fault` allows you to set custom [HTTP fault injections](https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPFaultInjection)

diff --git a/charts/simple-app/templates/authorizationpolicy.yaml b/charts/simple-app/templates/authorizationpolicy.yaml
@@ -0,0 +1 @@
+{{- include "nd-common.authorizationPolicy" . }}
diff --git a/charts/simple-app/values.local.yaml b/charts/simple-app/values.local.yaml
@@ -50,3 +50,5 @@ datadog:
 
 network:
   allowedNamespaces: [foo, bar]
+  multiCluster:
+    allowFromRemote: false
diff --git a/charts/simple-app/values.yaml b/charts/simple-app/values.yaml
@@ -685,14 +685,21 @@ priorityClassName: null
 
 # Network access controls for the Pods in this application
 network:
-  # -- (`strings[]`) A list of namespaces that are allowed to access the Pods
-  # in this application. If not supplied, then no `NetworkPolicy` is created,
-  # and your application may be isolated to itself. Note, enabling
-    # `VirtualService` or `Ingress` configurations will create their own
+  # -- (`strings[]`) A list of namespaces that are allowed to access the Pods in
+  # this application. If not supplied, then no `NetworkPolicy` or `AuthorizationPolicy`
+  # is created, and your application may be isolated to itself. Note, enabling
+  # `VirtualService` or `Ingress` configurations will create their own
   # dedicated `NetworkPolicy` resources, so this is only intended for internal
   # service-to-service communication grants.
   allowedNamespaces: []
 
+  multiCluster:
+    # -- (`bool`) If set to "True", then the NetworkPolicies will be opened up
+    # and traffic auth will be managed by Istio's `AuthorizationPolicy` instead.
+    #
+    # This assumes your app is part of the Istio service mesh
+    allowFromRemote: false
+
 # Configures labels and other parameters assuming that the Datadog Agent is
 # installed on the underlying hosts and is part of the Kubernetes cluster.
 datadog:

diff --git a/charts/stateful-app/Chart.yaml b/charts/stateful-app/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: stateful-app
 description: Default StatefulSet Helm Chart
 type: application
-version: 1.3.1
+version: 1.3.2
 appVersion: latest
 maintainers:
   - name: diranged
@@ -13,5 +13,5 @@ dependencies:
     repository: https://k8s-charts.nextdoor.com
     condition: istio-alerts.enabled
   - name: nd-common
-    version: 0.3.2
+    version: 0.3.3
     repository: file://../nd-common
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{{- include "nd-common.authorizationPolicy" . }}