package workloads

import (
	security_v1beta "istio.io/client-go/pkg/apis/security/v1beta1"
	"k8s.io/apimachinery/pkg/labels"

	"github.com/kiali/kiali/config"
	"github.com/kiali/kiali/models"
)

// UncoveredWorkloadChecker flags a workload that no AuthorizationPolicy
// selects. A policy counts as covering the workload when it lives in the
// workload's own namespace or in the Istio root (mesh-wide) namespace and its
// selector is absent, empty, or matches the workload's labels.
//
// "Covered" only means that some policy applies to the workload; it says
// nothing about what that policy does (an ALLOW-everything policy still
// counts), so the check is a coverage indicator, not a proof of restriction.
type UncoveredWorkloadChecker struct {
	// Workload is the workload whose labels are matched against policy selectors.
	Workload models.WorkloadListItem
	// Namespace is the namespace the workload lives in.
	Namespace string
	// AuthorizationPolicies is the candidate set of policies examined for coverage.
	AuthorizationPolicies []*security_v1beta.AuthorizationPolicy
}

// Check returns a single "workload.authorizationpolicy.needstobecovered"
// check when no policy in AuthorizationPolicies applies to Workload, and an
// empty (non-nil) list otherwise. The boolean result is always true: lack of
// coverage is reported as a check, not as an invalid object.
func (ucw UncoveredWorkloadChecker) Check() ([]*models.IstioCheck, bool) {
	// A non-nil empty slice is kept deliberately so callers (and JSON
	// encoding) observe [] rather than null when the workload is covered.
	checks := make([]*models.IstioCheck, 0)

	workloadLabels := labels.Set(ucw.Workload.Labels)
	if ucw.hasCoveringAuthPolicy(workloadLabels) {
		return checks, true
	}

	check := models.Build("workload.authorizationpolicy.needstobecovered", "workload")
	return append(checks, &check), true
}

// hasCoveringAuthPolicy reports whether at least one policy in
// AuthorizationPolicies applies to a workload carrying wlSelector (the
// workload's labels). A policy applies when it is in scope for the workload's
// namespace (see appliesToNamespace) and either has no selector labels or its
// spec.selector.matchLabels match the workload's labels.
func (ucw UncoveredWorkloadChecker) hasCoveringAuthPolicy(wlSelector labels.Labels) bool {
	for _, ap := range ucw.AuthorizationPolicies {
		if !ucw.appliesToNamespace(ap.Namespace) {
			continue
		}

		// Only matchLabels is consulted; a nil selector or an empty
		// matchLabels map means the policy targets every workload in scope.
		var selector labels.Selector
		if ap.Spec.Selector != nil && len(ap.Spec.Selector.MatchLabels) > 0 {
			selector = labels.SelectorFromSet(ap.Spec.Selector.MatchLabels)
		}

		if selector == nil || selector.Matches(wlSelector) {
			return true
		}
	}
	return false
}

// appliesToNamespace reports whether a policy defined in apNamespace is in
// scope for this checker's workload: policies in the Istio root namespace are
// mesh-wide, all others apply only to their own namespace.
func (ucw UncoveredWorkloadChecker) appliesToNamespace(apNamespace string) bool {
	return config.IsRootNamespace(apNamespace) || apNamespace == ucw.Namespace
}