
     1  package destinationrules
     2  
     3  import (
     4  	networking_v1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
     5  
     6  	"github.com/kiali/kiali/kubernetes"
     7  	"github.com/kiali/kiali/models"
     8  )
     9  
// DisabledNamespaceWideMTLSChecker validates a DestinationRule that explicitly
// disables mTLS namespace-wide (spec/trafficPolicy/tls/mode set to DISABLE)
// against the PeerAuthentication policies collected in MTLSDetails, which
// determine whether the server side still requires mTLS for that traffic.
type DisabledNamespaceWideMTLSChecker struct {
	// DestinationRule is the rule under validation; Check reads its Namespace.
	DestinationRule *networking_v1beta1.DestinationRule
	// MTLSDetails holds the namespace-scoped and mesh-wide PeerAuthentications
	// that Check consults.
	MTLSDetails     kubernetes.MTLSDetails
}
    14  
// Check verifies that a DestinationRule which explicitly disables mTLS
// namespace-wide is not contradicted by a PeerAuthentication that requires
// mTLS in STRICT mode, in which case traffic through the rule cannot work.
//
// It reports one of two findings on spec/trafficPolicy/tls/mode:
//   - destinationrules.mtls.policymtlsenabled when a namespace-scoped
//     PeerAuthentication has mTLS enabled in STRICT mode;
//   - destinationrules.mtls.meshpolicymtlsenabled when no namespace-scoped
//     PeerAuthentication sets DISABLE and a mesh-wide PeerAuthentication is STRICT.
//
// A namespace-scoped PeerAuthentication with mTLS enabled in a non-STRICT mode
// (PERMISSIVE) is accepted as compatible: this checker validates that traffic
// can flow, not that unencrypted traffic is desirable.
//
// Returns the findings (never nil) and true when the rule is considered valid.
func (m DisabledNamespaceWideMTLSChecker) Check() ([]*models.IstioCheck, bool) {
	findings := make([]*models.IstioCheck, 0)

	// Only a DestinationRule that explicitly disables mTLS is subject to this check.
	_, drMode := kubernetes.DestinationRuleHasNamespaceWideMTLSEnabled(m.DestinationRule.Namespace, m.DestinationRule)
	if drMode != "DISABLE" {
		return findings, true
	}

	// Namespace-scoped PeerAuthentications are consulted first; a definite answer
	// from one of them ends the analysis.
	disabledAtNamespace := false
	for _, pa := range m.MTLSDetails.PeerAuthentications {
		mtlsEnabled, paMode := kubernetes.PeerAuthnHasMTLSEnabled(pa)
		switch {
		case mtlsEnabled && paMode == "STRICT":
			// Server side requires mTLS while the client side disables it.
			finding := models.Build("destinationrules.mtls.policymtlsenabled", "spec/trafficPolicy/tls/mode")
			return append(findings, &finding), false
		case mtlsEnabled:
			// mTLS enabled but not STRICT (PERMISSIVE): traffic works, and the
			// mesh-wide policies no longer need to be examined.
			return findings, true
		case paMode == "DISABLE":
			disabledAtNamespace = true
		}
	}

	// A namespace-scoped DISABLE settles the question; otherwise fall back to the
	// mesh-wide PeerAuthentications and look for a STRICT one.
	if disabledAtNamespace {
		return findings, true
	}
	for _, pa := range m.MTLSDetails.MeshPeerAuthentications {
		if !kubernetes.PeerAuthnHasStrictMTLS(pa) {
			continue
		}
		finding := models.Build("destinationrules.mtls.meshpolicymtlsenabled", "spec/trafficPolicy/tls/mode")
		return append(findings, &finding), false
	}

	return findings, true
}