GoogleCloudPlatform / gke-policy-library

Google Kubernetes Engine Policy Library
https://cloud.google.com/anthos-config-management/docs/concepts/policy-controller
Apache License 2.0

Add a "require sidecar proxy injection label on namespace" `Constraint` in the ASM bundle? #29

Closed mathieu-benoit closed 1 year ago

mathieu-benoit commented 2 years ago

Is it planned to add a "require sidecar injection label on namespace" Constraint in the ASM bundle?

Today there is the `1.1.2_asm-sidecar-injection` Constraint, which prevents anyone from bypassing the sidecar proxy label, but there is no Constraint forcing the namespaces in the Mesh to actually have the label.

Could this be an option to achieve that in the ASM bundle?

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: namespace-sidecar-injection-label
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
    excludedNamespaces:
    - config-management-monitoring
    - config-management-system
    - default
    - gatekeeper-system
    - gke-connect
    - istio-system
    - kube-node-lease
    - kube-public
    - kube-system
    - resource-group-system
  parameters:
    labels:
    - allowedRegex: enabled
      key: istio-injection
    - allowedRegex: (asm-managed|asm-managed-rapid|asm-managed-stable)
      key: "istio.io/rev"
```

Note: this is not working as-is, as we need to find a way to have an OR and not an AND with the 2 labels illustrated above.

apeabody commented 2 years ago

Hi @liwenhao0810 - Could you please take a look at this request?

liwenhao0810 commented 1 year ago

AFAIK it might not always be true that all user namespaces are part of the mesh, so the namespace-level injection enforcement might not always be true. However bypassing sidecar injection would be as non-mesh namespaces' workloads shouldn't have this annotation either.

mathieu-benoit commented 1 year ago

Here are my thoughts on this, here is the CUJ I think we should help our customers with:

As a customer, I'm using the ASM bundle to have Google telling me what I should do to have a proper, successful and secure setup for my Mesh in my GKE cluster.

First things first, if I haven't properly set up my Namespaces to be included in my Mesh, could you tell me please? And also how I should accomplish this? --> That's what the associated Constraint/ConstraintTemplate of this request is for.

That's what we illustrate in this tutorial at the very first step of setting the Constraints.

Now come the tricky parts, with some thoughts about their resolution:

Do you see other use-cases?

That's maybe the opportunity to have a custom K8sRequiredLabels just for ASM which could have all the intelligence in its ConstraintTemplate?

Let me know if that makes sense and what you think about that. And let me know if you want to chat about that in a 1:1 internally, more than happy to learn from you on this too.
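As an added example (not code from this issue or from the gke-policy-library), one way to get the OR that the first post needs, along the lines of the custom ConstraintTemplate suggested above, is a dedicated template whose Rego accepts either label. The template name, the kind `AsmRequireNamespaceInjectionLabel` and the `allowedRevisions` parameter are assumptions; revision values are matched exactly rather than by regex.

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: asmrequirenamespaceinjectionlabel
spec:
  crd:
    spec:
      names:
        kind: AsmRequireNamespaceInjectionLabel
      validation:
        openAPIV3Schema:
          type: object
          properties:
            allowedRevisions:
              type: array
              items:
                type: string
  targets:
  - target: admission.k8s.gatekeeper.sh
    rego: |
      package asmrequirenamespaceinjectionlabel
      # Two bodies for the same rule are OR-ed: either label opts the namespace in.
      injection_enabled {
        input.review.object.metadata.labels["istio-injection"] == "enabled"
      }
      injection_enabled {
        rev := input.review.object.metadata.labels["istio.io/rev"]
        rev == input.parameters.allowedRevisions[_]
      }
      # No labels at all, or an unexpected value, is a violation (names/parameters are assumed).
      violation[{"msg": msg}] {
        not injection_enabled
        msg := sprintf("namespace %v must set istio-injection=enabled or istio.io/rev to one of %v",
          [input.review.object.metadata.name, input.parameters.allowedRevisions])
      }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequireNamespaceInjectionLabel
metadata:
  name: namespace-sidecar-injection-label
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups: [""]
      kinds: [Namespace]
    excludedNamespaces: [config-management-monitoring, config-management-system, default,
      gatekeeper-system, gke-connect, istio-system, kube-node-lease, kube-public, kube-system, resource-group-system]
  parameters:
    allowedRevisions: [asm-managed, asm-managed-rapid, asm-managed-stable]
```

Running it with `enforcementAction: dryrun` first and reading the violations reported on the Constraint status shows which existing namespaces would be rejected before the policy starts denying.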

mathieu-benoit commented 1 year ago

Following up on this @liwenhao0810, any thoughts or feedback? Thanks!

liwenhao0810 commented 1 year ago

Sorry, I lost track of this, thanks for reminding! I would agree with you that this is a good idea to have this constraint to guide users.

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days