Kubernetes Istio Pod Security

July 4, 2023

We locked down pod-to-pod traffic so that only explicitly named services can call into a given service. This is enforced at two layers, with an Istio AuthorizationPolicy and a Kubernetes NetworkPolicy.

Here's the AuthorizationPolicy:

{{ $env := .Values.global.env }}
{{ $ns := .Release.Namespace }}
{{- if .Values.allowedServices }}
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-{{ $env }}-{{ .Chart.Name }}-access
spec:
  action: ALLOW
  selector:
    matchLabels:
      app: {{ $env }}-{{ .Chart.Name }}
  rules:
    - from:
      - source:
          namespaces:
          - {{ $ns }}
          principals:
          # principals are the callers' mTLS identities (namespace + service account);
          # a plaintext caller has none and is denied once this ALLOW policy exists
          {{- range .Values.allowedServices }}
          - cluster.local/ns/{{ $ns }}/sa/{{ $env }}-{{ . }}
          {{- end }}
{{- end }}

And here's the NetworkPolicy:

{{ $env := .Values.global.env }}
{{ $ns := .Release.Namespace }}
{{- if .Values.allowedServices }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-{{ $env }}-{{ .Chart.Name }}-ingress
spec:
  podSelector:
    matchLabels:
      app: {{ $env }}-{{ .Chart.Name }}
  policyTypes:
    - Ingress
  ingress:
    - from:
      {{- range .Values.allowedServices }}
      # podSelector and namespaceSelector in the same entry must both match
      - podSelector:
          matchLabels:
            app: {{ $env }}-{{ . }}
        # matches the namespace's "name" label, which the namespace must carry
        namespaceSelector:
          matchLabels:
            name: {{ $ns }}
      {{- end }}
{{- end }}

Both templates are driven by the following section of values.yaml, which controls which apps are allowed to call into this one:

allowedServices:
  - my-app
  - app-2
  - other-app
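As an added illustration (not code from this post), here is a small Python model of how the two rendered policies judge a caller. It uses the page's allowedServices list with assumed values for the environment (prod) and the release namespace (shop), and exercises the cases where the label-based NetworkPolicy and the identity-based AuthorizationPolicy disagree.

```python
from dataclasses import dataclass

ENV = "prod"   # assumed value of .Values.global.env
NS = "shop"    # assumed .Release.Namespace
ALLOWED_SERVICES = ["my-app", "app-2", "other-app"]  # the page's allowedServices

@dataclass
class Caller:
    """A calling pod as the two layers see it (constructed sample, not cluster data)."""
    namespace: str
    pod_labels: dict
    ns_labels: dict
    service_account: str
    mtls: bool = True  # False models a caller with no sidecar sending plaintext

def network_policy_allows(c: Caller) -> bool:
    """NetworkPolicy layer: podSelector AND namespaceSelector inside one `from` entry
    must both match; the entries the template's `range` emits are ORed. Note the
    namespaceSelector keys on the namespace's `name` label, not its real name."""
    return any(
        c.pod_labels.get("app") == f"{ENV}-{svc}" and c.ns_labels.get("name") == NS
        for svc in ALLOWED_SERVICES
    )

def authz_policy_allows(c: Caller) -> bool:
    """Istio layer: `namespaces` and `principals` in one `source` are ANDed, and a
    principal only exists when the request carries a verified mTLS identity."""
    if not c.mtls:
        return False
    principal = f"cluster.local/ns/{c.namespace}/sa/{c.service_account}"
    allowed = {f"cluster.local/ns/{NS}/sa/{ENV}-{svc}" for svc in ALLOWED_SERVICES}
    return c.namespace == NS and principal in allowed

def request_allowed(c: Caller) -> bool:
    """Traffic must clear both layers: the CNI enforces first, then the sidecar."""
    return network_policy_allows(c) and authz_policy_allows(c)

# Constructed callers exercising the cases where the two layers disagree
LEGIT = Caller(NS, {"app": f"{ENV}-my-app"}, {"name": NS}, f"{ENV}-my-app")
SPOOFED_LABEL = Caller(NS, {"app": f"{ENV}-my-app"}, {"name": NS}, "default")
OTHER_NS = Caller("dev", {"app": f"{ENV}-my-app"}, {"name": "dev"}, f"{ENV}-my-app")
UNLABELED_NS = Caller(NS, {"app": f"{ENV}-my-app"}, {}, f"{ENV}-my-app")
NO_SIDECAR = Caller(NS, {"app": f"{ENV}-my-app"}, {"name": NS}, f"{ENV}-my-app", False)

if __name__ == "__main__":
    for name in ("LEGIT", "SPOOFED_LABEL", "OTHER_NS", "UNLABELED_NS", "NO_SIDECAR"):
        c = globals()[name]
        print(f"{name:14} netpol={network_policy_allows(c)!s:5} "
              f"authz={authz_policy_allows(c)!s:5} allowed={request_allowed(c)}")
```

A pod that copies an allowed app's label passes the NetworkPolicy but not the AuthorizationPolicy, while an allowed identity in a namespace missing the `name` label is cut off at the NetworkPolicy layer instead.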