
     1  package checkers
     2  
     3  import (
     4  	networking_v1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
     5  	security_v1beta "istio.io/client-go/pkg/apis/security/v1beta1"
     6  
     7  	"github.com/kiali/kiali/business/checkers/authorization"
     8  	"github.com/kiali/kiali/business/checkers/common"
     9  	"github.com/kiali/kiali/kubernetes"
    10  	"github.com/kiali/kiali/models"
    11  )
    12  
// AuthorizationPolicyCheckerType is the object-type key under which
// validations produced by AuthorizationPolicyChecker are reported; it is also
// passed to the shared selector checker so its findings are attributed to the
// same object type.
const AuthorizationPolicyCheckerType = "authorizationpolicy"
    14  
// AuthorizationPolicyChecker validates the Istio AuthorizationPolicy objects of
// one cluster against the mesh state supplied in its fields. Check runs the
// per-policy checks (selector, namespace/method, host and principal checks) and
// the cross-policy mTLS check; it only reports findings and never mutates the
// policies.
type AuthorizationPolicyChecker struct {
	// Cluster is the cluster name recorded in every validation key.
	Cluster string
	// MtlsDetails is the mesh/namespace mTLS state consumed by MtlsEnabledChecker.
	MtlsDetails kubernetes.MTLSDetails
	// Namespaces is the set of namespaces the policies are allowed to reference.
	Namespaces models.Namespaces
	// PolicyAllowAny is forwarded to NoHostChecker; presumably it reflects the
	// mesh's outbound traffic policy (ALLOW_ANY) — confirm against the checker.
	PolicyAllowAny bool
	// RegistryServices are the services known to the Istio registry.
	RegistryServices []*kubernetes.RegistryService
	// ServiceAccounts maps a cluster to the service accounts it knows;
	// PrincipalsChecker uses it to resolve principals referenced by policies.
	ServiceAccounts map[string][]string
	// ServiceEntries contribute their hostnames to the host check.
	ServiceEntries []*networking_v1beta1.ServiceEntry
	// AuthorizationPolicies are the objects under validation.
	AuthorizationPolicies []*security_v1beta.AuthorizationPolicy
	// VirtualServices are consulted by the host check.
	VirtualServices []*networking_v1beta1.VirtualService
	// WorkloadsPerNamespace is used to verify that a policy selector matches
	// at least one workload.
	WorkloadsPerNamespace map[string]models.WorkloadList
}
    27  
// Check validates every AuthorizationPolicy individually and then runs the
// group-level mTLS check across all of them, merging everything into a single
// IstioValidations map keyed by object.
func (a AuthorizationPolicyChecker) Check() models.IstioValidations {
	result := models.IstioValidations{}

	// Per-object checks: each policy yields its own validation entry.
	for i := range a.AuthorizationPolicies {
		result.MergeValidations(a.runChecks(a.AuthorizationPolicies[i]))
	}

	// Cross-object check: a policy that relies on peer identity is only
	// meaningful when mTLS is actually enforced, which needs the whole set.
	mtlsCheck := authorization.MtlsEnabledChecker{
		AuthorizationPolicies: a.AuthorizationPolicies,
		MtlsDetails:           a.MtlsDetails,
		RegistryServices:      a.RegistryServices,
	}
	result.MergeValidations(mtlsCheck.Check())

	return result
}
    45  
// runChecks executes the per-policy checkers for a single AuthorizationPolicy
// and returns a one-entry IstioValidations holding the accumulated checks.
// The entry starts out valid and becomes invalid as soon as any checker
// reports it so; every checker still runs, so all findings are collected.
func (a AuthorizationPolicyChecker) runChecks(authPolicy *security_v1beta.AuthorizationPolicy) models.IstioValidations {
	key, validation := EmptyValidValidation(authPolicy.Name, authPolicy.Namespace, AuthorizationPolicyCheckerType, a.Cluster)

	// Workload selector labels; an absent selector means the policy applies
	// namespace-wide, which the selector checker receives as an empty map.
	selectorLabels := map[string]string{}
	if sel := authPolicy.Spec.Selector; sel != nil {
		selectorLabels = sel.MatchLabels
	}

	hostNames := kubernetes.ServiceEntryHostnames(a.ServiceEntries)

	checkers := []Checker{
		common.SelectorNoWorkloadFoundChecker(AuthorizationPolicyCheckerType, selectorLabels, a.WorkloadsPerNamespace),
		authorization.NamespaceMethodChecker{
			AuthorizationPolicy: authPolicy,
			Namespaces:          a.Namespaces.GetNames(),
		},
		authorization.NoHostChecker{
			AuthorizationPolicy: authPolicy,
			Namespaces:          a.Namespaces,
			ServiceEntries:      hostNames,
			VirtualServices:     a.VirtualServices,
			RegistryServices:    a.RegistryServices,
			PolicyAllowAny:      a.PolicyAllowAny,
		},
		authorization.PrincipalsChecker{
			Cluster:             a.Cluster,
			AuthorizationPolicy: authPolicy,
			ServiceAccounts:     a.ServiceAccounts,
		},
	}

	for _, c := range checkers {
		checks, ok := c.Check()
		validation.Checks = append(validation.Checks, checks...)
		if !ok {
			validation.Valid = false
		}
	}

	return models.IstioValidations{key: validation}
}