[AAI] Create Authorization Policies for AAI
- Create Authorization Policies for AAI
- Add initial authorized serviceAccounts for each sub-component service
Issue-ID: OOM-3126
Change-Id: Ic7fdaf595ae3534805a39859fe8e02b81999bef3
Signed-off-by: amatthews <adrian.matthews@est.tech>
Signed-off-by: AndrewLamb <andrew.a.lamb@est.tech>
diff --git a/kubernetes/aai/components/aai-babel/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-babel/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/aai/components/aai-babel/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/aai/components/aai-babel/values.yaml b/kubernetes/aai/components/aai-babel/values.yaml
index bbc64d2..718651d 100644
--- a/kubernetes/aai/components/aai-babel/values.yaml
+++ b/kubernetes/aai/components/aai-babel/values.yaml
@@ -71,6 +71,13 @@
config:
ssl: "redirect"
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: aai-modelloader-read
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
resources:
small:
limits:
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-graphadmin/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/aai/components/aai-graphadmin/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/aai/components/aai-graphadmin/values.yaml b/kubernetes/aai/components/aai-graphadmin/values.yaml
index 3e3d685..253a11c 100644
--- a/kubernetes/aai/components/aai-graphadmin/values.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/values.yaml
@@ -202,6 +202,11 @@
ingress:
enabled: false
+# No inbound communications.
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals: []
+
persistence:
enabled: true
## A manually managed Persistent Volume and Claim
diff --git a/kubernetes/aai/components/aai-resources/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-resources/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/aai/components/aai-resources/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml
index a966776..613604f 100644
--- a/kubernetes/aai/components/aai-resources/values.yaml
+++ b/kubernetes/aai/components/aai-resources/values.yaml
@@ -205,6 +205,12 @@
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: aai-read
+ - serviceAccount: consul-read
+
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
diff --git a/kubernetes/aai/components/aai-schema-service/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-schema-service/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/aai/components/aai-schema-service/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/aai/components/aai-schema-service/values.yaml b/kubernetes/aai/components/aai-schema-service/values.yaml
index 19ee9d4..88f1786 100644
--- a/kubernetes/aai/components/aai-schema-service/values.yaml
+++ b/kubernetes/aai/components/aai-schema-service/values.yaml
@@ -98,6 +98,13 @@
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: aai-graphadmin-read
+ - serviceAccount: aai-resources-read
+ - serviceAccount: aai-traversal-read
+
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
diff --git a/kubernetes/aai/components/aai-sparky-be/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-sparky-be/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/aai/components/aai-sparky-be/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/aai/components/aai-sparky-be/values.yaml b/kubernetes/aai/components/aai-sparky-be/values.yaml
index 8ec4553..7fe0a62 100644
--- a/kubernetes/aai/components/aai-sparky-be/values.yaml
+++ b/kubernetes/aai/components/aai-sparky-be/values.yaml
@@ -95,6 +95,12 @@
config:
ssl: "redirect"
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
podAnnotations:
sidecar.istio.io/rewriteAppHTTPProbers: "false"
diff --git a/kubernetes/aai/components/aai-traversal/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-traversal/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/aai/components/aai-traversal/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/aai/components/aai-traversal/values.yaml b/kubernetes/aai/components/aai-traversal/values.yaml
index 106b440..fac033b 100644
--- a/kubernetes/aai/components/aai-traversal/values.yaml
+++ b/kubernetes/aai/components/aai-traversal/values.yaml
@@ -228,6 +228,12 @@
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: aai-read
+ - serviceAccount: consul-read
+
# To make logback capping values configurable
logback:
logToFileEnabled: true