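package destinationrules

import (
	networking_v1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"

	"github.com/kiali/kiali/kubernetes"
	"github.com/kiali/kiali/models"
)

// DisabledNamespaceWideMTLSChecker validates a DestinationRule that explicitly
// disables mTLS namespace-wide against the PeerAuthentications in effect, so
// that a rule steering plaintext traffic towards a STRICT mTLS policy is
// reported as a validation failure instead of silently breaking traffic.
type DisabledNamespaceWideMTLSChecker struct {
	// DestinationRule is the rule under validation; its Namespace is what
	// decides whether the rule is considered namespace-wide.
	DestinationRule *networking_v1beta1.DestinationRule
	// MTLSDetails carries the namespace-level (PeerAuthentications) and the
	// mesh-level (MeshPeerAuthentications) policies the rule is checked against.
	MTLSDetails kubernetes.MTLSDetails
}

// Check reports whether a DestinationRule that disables mTLS namespace-wide
// is compatible with the PeerAuthentications that apply to it.
//
// It returns the checks raised and a validity flag. The flag is true (with an
// empty list) when the DestinationRule does not explicitly disable mTLS, when
// a namespace PeerAuthentication has mTLS enabled in a non-STRICT mode, or
// when no STRICT policy is found at all. It is false, with exactly one check
// appended, when a STRICT PeerAuthentication — namespace-level or, failing a
// namespace-level DISABLE, mesh-level — would reject the plaintext traffic
// this DestinationRule produces.
func (m DisabledNamespaceWideMTLSChecker) Check() ([]*models.IstioCheck, bool) {
	validations := make([]*models.IstioCheck, 0)

	// Only a DestinationRule that explicitly disables mTLS namespace-wide is in scope.
	if _, mode := kubernetes.DestinationRuleHasNamespaceWideMTLSEnabled(m.DestinationRule.Namespace, m.DestinationRule); mode != "DISABLE" {
		return validations, true
	}

	// Namespace-level PeerAuthentications are consulted first. An explicit
	// DISABLE at this level is remembered so that the mesh-wide policies are
	// skipped below (presumably because the namespace policy is the one in
	// effect — confirm against Istio precedence rules if this is revisited).
	nsDisablePeerAuthnFound := false
	for _, mp := range m.MTLSDetails.PeerAuthentications {
		enabled, mode := kubernetes.PeerAuthnHasMTLSEnabled(mp)
		if !enabled {
			if mode == "DISABLE" {
				nsDisablePeerAuthnFound = true
			}
			continue
		}
		// STRICT rejects the plaintext traffic this DestinationRule sends.
		if mode == "STRICT" {
			check := models.Build("destinationrules.mtls.policymtlsenabled", "spec/trafficPolicy/tls/mode")
			return append(validations, &check), false
		}
		// mTLS enabled in a non-STRICT mode (PERMISSIVE) accepts plaintext, so
		// the mesh-wide policies do not need to be consulted.
		return validations, true
	}

	// No namespace-level DISABLE was found: a STRICT mesh-wide
	// PeerAuthentication is then treated as the policy in effect and would
	// reject the plaintext traffic.
	if !nsDisablePeerAuthnFound {
		for _, mp := range m.MTLSDetails.MeshPeerAuthentications {
			if kubernetes.PeerAuthnHasStrictMTLS(mp) {
				check := models.Build("destinationrules.mtls.meshpolicymtlsenabled", "spec/trafficPolicy/tls/mode")
				return append(validations, &check), false
			}
		}
	}

	return validations, true
}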