Kubernetes Istio Pod Security
July 4, 2023
We implemented security between the pods to allow only named pods to be able to talk to each other. This was done using both an AuthorisationPolicy and a NetworkPolicy.
Here's the AuthorisationPolicy:
{{ $env := .Values.global.env }}
{{ $ns := .Release.Namespace }}
{{- if .Values.allowedServices }}
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: allow-{{ $env }}-{{ .Chart.Name }}-access
spec:
action: ALLOW
selector:
matchLabels:
app: {{ $env }}-{{ .Chart.Name }}
rules:
- from:
- source:
namespaces:
- {{ $ns }}
principals:
{{- range .Values.allowedServices }}
- cluster.local/ns/{{ $ns }}/sa/{{ $env }}-{{ . }}
{{- end }}
{{- end }}
And here's the NetworkPolicy:
{{ $env := .Values.global.env }}
{{ $ns := .Release.Namespace }}
{{- if .Values.allowedServices }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-{{ .Values.global.env }}-{{ .Chart.Name }}-ingress
spec:
podSelector:
matchLabels:
app: {{ .Values.global.env }}-{{ .Chart.Name }}
policyTypes:
- Ingress
ingress:
- from:
{{- range .Values.allowedServices }}
- podSelector:
matchLabels:
app: {{ $env}}-{{ . }}
namespaceSelector:
matchLabels:
name: {{ $ns }}
{{- end }}
{{- end }}
This is aligned with the following section in values.yaml, and this controls which apps are allowed to call into this one:
allowedServices:
- my-app
- app-2
- other-app
