cruise-automation / k-rail

Kubernetes security tool for policy enforcement
Apache License 2.0

[FR] Add policy to enforce unique Istio VirtualServices (like unique Ingress policy) #83

Open funkypenguin opened 4 years ago

funkypenguin commented 4 years ago

Hey guys,

Could we have another policy, similar to https://github.com/cruise-automation/k-rail#unique-ingress-host, which could prevent deployment of Istio VirtualServices with duplicate names? The policy would serve the same purpose - preventing the accidental (or deliberate) interception of traffic to one service simply by creating a matching virtualservice in another namespace.

I'd be happy to take a crack at duplicating policies/ingress/unique_ingress_host.go myself, but might need help to add a check to ensure that the necessary CRD to list VirtualServices even exists in the cluster.

Here's an example virtualservice record - the record we care about is spec.hosts

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  annotations:
    meta.helm.sh/release-name: minio
    meta.helm.sh/release-namespace: dev
  creationTimestamp: "2020-07-27T09:44:34Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
  name: dev-minio.elpenguino.net
  namespace: dev
  resourceVersion: "10700039"
  selfLink: /apis/networking.istio.io/v1beta1/namespaces/dev/virtualservices/dev-minio.elpenguino.net
  uid: 118e4125-20b6-4a82-b940-94c729387b62
spec:
  gateways:
  - istio-ingressgateway.istio-system.svc.cluster.local
  hosts:
  - dev-minio.elpenguino.net

Thanks! D

dustin-decker commented 4 years ago

That would be a great addition.

If you'd like to attempt, here are the PRs for reference: https://github.com/cruise-automation/k-rail/pull/63/files https://github.com/cruise-automation/k-rail/pull/64/files

I don't think we need any special consideration for ensuring the CRD is present - just handling the error and ensuring the request continues to the apiserver so the user gets that feedback should be enough.

Let us know if you need any assistance.
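A stand-alone sketch of the check this thread asks for, added here as an example; it is not code from k-rail or from either commenter. It uses only the Go standard library with an in-memory fixture in place of a Kubernetes client, so the `VirtualService` struct, the `Lister` function type, `ErrNoVirtualServiceCRD` and the `Admit` signature are all assumptions rather than k-rail's real policy interface. The scope mirrors the issue's description of the unique-ingress policy (a host already claimed by a VirtualService in a different namespace is rejected; an update to the owning object is not a conflict), and it follows dustin-decker's suggestion: when listing fails, for instance because the VirtualService CRD is not installed, the request is logged and allowed so the apiserver reports the real error to the user.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"log"
)

// VirtualService holds only the fields the check reads from a
// networking.istio.io VirtualService; everything else is ignored on decode.
type VirtualService struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		Hosts []string `json:"hosts"`
	} `json:"spec"`
}

// Violation reports one incoming host that another namespace already claims.
type Violation struct {
	Host, OwnerNamespace, OwnerName string
}

// Lister returns every VirtualService in the cluster. A real policy would wrap
// a dynamic client here; the fixtures below are assumed in-memory stand-ins.
type Lister func() ([]VirtualService, error)

// ErrNoVirtualServiceCRD is a constructed stand-in for the "not found" error a
// client returns when the VirtualService CRD is absent from the cluster.
var ErrNoVirtualServiceCRD = errors.New("the server could not find the requested resource (virtualservices.networking.istio.io)")

// CheckUniqueHosts decodes the VirtualService in an admission request and
// returns one Violation per host already listed by a VirtualService in a
// different namespace. The object under admission is excluded from the index
// so updating an existing VirtualService cannot conflict with itself.
func CheckUniqueHosts(rawObject []byte, list Lister) ([]Violation, error) {
	var incoming VirtualService
	if err := json.Unmarshal(rawObject, &incoming); err != nil {
		return nil, fmt.Errorf("decoding VirtualService: %w", err)
	}
	existing, err := list()
	if err != nil {
		return nil, fmt.Errorf("listing VirtualServices: %w", err)
	}
	owners := make(map[string]VirtualService) // host -> owning VirtualService
	for _, vs := range existing {
		if vs.Metadata.Namespace == incoming.Metadata.Namespace && vs.Metadata.Name == incoming.Metadata.Name {
			continue
		}
		for _, host := range vs.Spec.Hosts {
			owners[host] = vs
		}
	}
	var violations []Violation
	for _, host := range incoming.Spec.Hosts {
		if owner, taken := owners[host]; taken && owner.Metadata.Namespace != incoming.Metadata.Namespace {
			violations = append(violations, Violation{host, owner.Metadata.Namespace, owner.Metadata.Name})
		}
	}
	return violations, nil
}

// Admit turns the check into a decision: violations reject the request; a
// check error (e.g. the CRD is missing) is logged and the request is allowed,
// so the apiserver rather than the webhook tells the user what is wrong.
func Admit(rawObject []byte, list Lister) (allowed bool, reasons []string) {
	violations, err := CheckUniqueHosts(rawObject, list)
	if err != nil {
		log.Printf("unique-virtualservice-host: allowing request, check failed: %v", err)
		return true, nil
	}
	for _, v := range violations {
		reasons = append(reasons, fmt.Sprintf("host %q is already claimed by VirtualService %s/%s", v.Host, v.OwnerNamespace, v.OwnerName))
	}
	return len(violations) == 0, reasons
}

func newVS(namespace, name string, hosts ...string) VirtualService {
	var vs VirtualService
	vs.Metadata.Namespace, vs.Metadata.Name, vs.Spec.Hosts = namespace, name, hosts
	return vs
}

// Constructed cluster state: the dev VirtualService from the issue plus one more.
var existingVirtualServices = []VirtualService{
	newVS("dev", "dev-minio.elpenguino.net", "dev-minio.elpenguino.net"),
	newVS("staging", "api", "api.staging.example.com"),
}

func FixtureLister(vss []VirtualService) Lister {
	return func() ([]VirtualService, error) { return vss, nil }
}

func MissingCRDLister() ([]VirtualService, error) { return nil, ErrNoVirtualServiceCRD }

// Constructed admission payload: another namespace trying to claim the dev host.
var hijackAttempt = []byte(`{"metadata":{"name":"minio","namespace":"attacker"},"spec":{"hosts":["dev-minio.elpenguino.net"]}}`)

func main() {
	allowed, reasons := Admit(hijackAttempt, FixtureLister(existingVirtualServices))
	fmt.Println("hijack allowed:", allowed, reasons)
	allowed, _ = Admit(hijackAttempt, MissingCRDLister)
	fmt.Println("with CRD missing, allowed:", allowed)
}
```

Two caveats for a real implementation: Istio accepts wildcard hosts (`*.example.com`) and short names that it resolves relative to the VirtualService's namespace, so an exact string match like the one above misses those cases, and the same VirtualService object is served under both the `v1alpha3` and `v1beta1` API versions, so the lister has to see all of them.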

dustin-decker commented 4 years ago

Hey David, we could use this policy as well. I can add it soon if you're too busy.

mark-adams commented 1 year ago

👋 The k-rail project has been deprecated and is no longer under active development. We recommend taking a look at OPA Gatekeeper to see if it might meet your needs going forward.

Thanks for your contribution(s) to the project!