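package checkers

import (
	networking_v1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
	security_v1beta "istio.io/client-go/pkg/apis/security/v1beta1"

	"github.com/kiali/kiali/business/checkers/authorization"
	"github.com/kiali/kiali/business/checkers/common"
	"github.com/kiali/kiali/kubernetes"
	"github.com/kiali/kiali/models"
)

// AuthorizationPolicyCheckerType is the object type recorded in the validation
// key of every AuthorizationPolicy validation produced by this checker.
const AuthorizationPolicyCheckerType = "authorizationpolicy"

// AuthorizationPolicyChecker validates the Istio AuthorizationPolicy objects of
// one cluster. Besides the policies themselves it carries the mesh state the
// individual checkers need to resolve selectors, hosts and principals.
type AuthorizationPolicyChecker struct {
	// Cluster is the cluster the policies belong to; it becomes part of every
	// validation key and is handed to the principals checker.
	Cluster string
	// MtlsDetails holds the mesh/namespace mTLS settings consumed by the
	// group-level MtlsEnabledChecker.
	MtlsDetails kubernetes.MTLSDetails
	// Namespaces are the namespaces known to Kiali; their names are used to
	// validate namespace references inside policy rules.
	Namespaces models.Namespaces
	// PolicyAllowAny is forwarded unchanged to the host checker.
	// NOTE(review): presumably reflects the mesh outbound traffic policy
	// (ALLOW_ANY vs. REGISTRY_ONLY) — confirm against the caller.
	PolicyAllowAny   bool
	RegistryServices []*kubernetes.RegistryService
	// ServiceAccounts feeds the principals checker. NOTE(review): the key
	// format (cluster, namespace, ...) is defined by the caller — confirm there.
	ServiceAccounts map[string][]string
	// ServiceEntries contribute their hostnames as known destinations.
	ServiceEntries []*networking_v1beta1.ServiceEntry
	// AuthorizationPolicies are the objects under validation.
	AuthorizationPolicies []*security_v1beta.AuthorizationPolicy
	VirtualServices       []*networking_v1beta1.VirtualService
	// WorkloadsPerNamespace is keyed by namespace and is used to verify that a
	// policy's selector matches at least one workload.
	WorkloadsPerNamespace map[string]models.WorkloadList
}

// Check runs the per-policy checks on every AuthorizationPolicy and then the
// group-level mTLS check, merging everything into a single IstioValidations.
//
// Validations are keyed per object, so a policy that trips several checks
// still ends up as one entry whose Checks slice holds all of them.
func (a AuthorizationPolicyChecker) Check() models.IstioValidations {
	validations := models.IstioValidations{}

	// Per-object checks: selector, namespaces, hosts and principals.
	for _, policy := range a.AuthorizationPolicies {
		validations.MergeValidations(a.runChecks(policy))
	}

	// Cross-object check: it needs the whole policy set together with the
	// mesh mTLS state, so it cannot be folded into runChecks. What exactly it
	// flags is defined in the authorization package.
	mtlsChecker := authorization.MtlsEnabledChecker{
		AuthorizationPolicies: a.AuthorizationPolicies,
		MtlsDetails:           a.MtlsDetails,
		RegistryServices:      a.RegistryServices,
	}
	validations.MergeValidations(mtlsChecker.Check())

	return validations
}

// runChecks runs all the individual checks for a single AuthorizationPolicy and
// returns them as a one-entry IstioValidations keyed by that policy.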
func (a AuthorizationPolicyChecker) runChecks(authPolicy *security_v1beta.AuthorizationPolicy) models.IstioValidations {
	key, validation := EmptyValidValidation(authPolicy.Name, authPolicy.Namespace, AuthorizationPolicyCheckerType, a.Cluster)

	// Hostnames declared by ServiceEntries count as known destinations for the host check.
	seHosts := kubernetes.ServiceEntryHostnames(a.ServiceEntries)

	// A policy without a selector is given an empty (non-nil) label map; with a
	// selector, its labels are used as-is (possibly nil).
	// NOTE(review): in Istio a selector-less policy applies to every workload in
	// its namespace (mesh-wide from the root namespace), so the workload-found
	// check says nothing about how broad such a policy is — confirm this is the
	// intended treatment.
	matchLabels := map[string]string{}
	if sel := authPolicy.Spec.Selector; sel != nil {
		matchLabels = sel.MatchLabels
	}

	checkers := []Checker{
		common.SelectorNoWorkloadFoundChecker(AuthorizationPolicyCheckerType, matchLabels, a.WorkloadsPerNamespace),
		authorization.NamespaceMethodChecker{
			AuthorizationPolicy: authPolicy,
			Namespaces:          a.Namespaces.GetNames(),
		},
		authorization.NoHostChecker{
			AuthorizationPolicy: authPolicy,
			Namespaces:          a.Namespaces,
			ServiceEntries:      seHosts,
			VirtualServices:     a.VirtualServices,
			RegistryServices:    a.RegistryServices,
			PolicyAllowAny:      a.PolicyAllowAny,
		},
		authorization.PrincipalsChecker{
			Cluster:             a.Cluster,
			AuthorizationPolicy: authPolicy,
			ServiceAccounts:     a.ServiceAccounts,
		},
	}

	// Every checker runs even after one has failed, so the user sees all
	// findings at once; the object is valid only if every checker agrees.
	for _, c := range checkers {
		checks, ok := c.Check()
		validation.Checks = append(validation.Checks, checks...)
		validation.Valid = validation.Valid && ok
	}

	return models.IstioValidations{key: validation}
}