github.com/kiali/kiali@v1.84.0/business/references/auth_policy_references.go (about)

     1  package references
     2  
     3  import (
     4  	networking_v1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
     5  	security_v1beta "istio.io/client-go/pkg/apis/security/v1beta1"
     6  
     7  	"k8s.io/apimachinery/pkg/labels"
     8  
     9  	"github.com/kiali/kiali/config"
    10  	"github.com/kiali/kiali/kubernetes"
    11  	"github.com/kiali/kiali/models"
    12  )
    13  
// AuthorizationPolicyReferences bundles the objects needed to work out which
// Istio/Kubernetes objects each AuthorizationPolicy refers to; see References.
type AuthorizationPolicyReferences struct {
	// AuthorizationPolicies are the policies whose references are computed.
	AuthorizationPolicies []*security_v1beta.AuthorizationPolicy
	// Namespace is not read by any method in this file.
	Namespace             string
	// Namespaces provides the namespace names used to resolve a rule's
	// "to.operation.hosts" entries into fully qualified hosts.
	Namespaces            models.Namespaces
	// ServiceEntries and VirtualServices are matched by host against the
	// hosts named in a policy's rules.
	ServiceEntries        []*networking_v1beta1.ServiceEntry
	VirtualServices       []*networking_v1beta1.VirtualService
	// RegistryServices is consulted only when no ServiceEntry or
	// VirtualService matches a host.
	RegistryServices      []*kubernetes.RegistryService
	// WorkloadsPerNamespace holds the candidate workloads for spec.selector;
	// only the values are read here (the key is presumably the namespace).
	WorkloadsPerNamespace map[string]models.WorkloadList
}
    23  
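// References builds the reference map for every AuthorizationPolicy in n.
//
// Each policy is keyed by (namespace, name, object type) and maps to:
//   - ObjectReferences: ServiceEntries and VirtualServices whose hosts match a
//     host listed in a rule's "to.operation.hosts" (getConfigReferences);
//   - ServiceReferences: a registry service for such a host, added only when
//     no ServiceEntry or VirtualService matched it (getServiceReferences);
//   - WorkloadReferences: workloads selected by spec.selector
//     (getWorkloadReferences).
//
// Hosts that resolve to a wildcard are skipped, and only rule "to" targets are
// inspected; rule "from" sources contribute no references. Nil policies,
// nil rules and nil "to"/operation entries are ignored.
func (n AuthorizationPolicyReferences) References() models.IstioReferencesMap {
	result := models.IstioReferencesMap{}
	// The namespace names do not change between policies or hosts; resolve
	// them once instead of on every host.
	nsNames := n.Namespaces.GetNames()

	for _, ap := range n.AuthorizationPolicies {
		if ap == nil {
			continue
		}
		namespace := ap.Namespace
		key := models.IstioReferenceKey{Namespace: namespace, Name: ap.Name, ObjectType: models.ObjectTypeSingular[kubernetes.AuthorizationPolicies]}
		references := &models.IstioReferences{}
		for _, rule := range ap.Spec.Rules {
			if rule == nil {
				continue
			}
			for _, t := range rule.To {
				if t == nil || t.Operation == nil {
					continue
				}
				for _, h := range t.Operation.Hosts {
					fqdn := kubernetes.GetHost(h, namespace, nsNames)
					if fqdn.IsWildcard() {
						continue
					}
					configRef := n.getConfigReferences(fqdn)
					references.ObjectReferences = append(references.ObjectReferences, configRef...)
					// No ServiceEntry or VirtualService matched: fall back to the
					// registry services, which contain every known service.
					if len(configRef) == 0 {
						references.ServiceReferences = append(references.ServiceReferences, n.getServiceReferences(fqdn, namespace)...)
					}
				}
			}
		}
		references.WorkloadReferences = append(references.WorkloadReferences, n.getWorkloadReferences(ap)...)
		result.MergeReferencesMap(models.IstioReferencesMap{key: references})
	}

	return result
}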
    60  
// getServiceReferences returns a single ServiceReference for host when a
// registry service matching host (as seen from itemNamespace) exists in
// n.RegistryServices; otherwise it returns an empty, non-nil slice.
func (n AuthorizationPolicyReferences) getServiceReferences(host kubernetes.Host, itemNamespace string) []models.ServiceReference {
	refs := make([]models.ServiceReference, 0, 1)
	if !kubernetes.HasMatchingRegistryService(itemNamespace, host.String(), n.RegistryServices) {
		return refs
	}
	return append(refs, models.ServiceReference{Name: host.Service, Namespace: host.Namespace})
}
    68  
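// getConfigReferences returns the ServiceEntries and VirtualServices in n
// whose declared hosts match host.
//
// ServiceEntry hosts are compared literally against host.String().
// VirtualService hosts are first passed through kubernetes.ParseHost with the
// VirtualService's namespace and the result compared against host.String().
// NOTE(review): the two comparisons are not symmetric — a ServiceEntry that
// lists a short (non-FQDN) host would not match — confirm this is intended.
//
// An object listing the same host more than once is appended once per
// occurrence. The result is never nil.
func (n AuthorizationPolicyReferences) getConfigReferences(host kubernetes.Host) []models.IstioReference {
	result := make([]models.IstioReference, 0)
	// host.String() is loop-invariant; compute it once.
	hostName := host.String()

	for _, se := range n.ServiceEntries {
		if se == nil {
			continue
		}
		for _, seHost := range se.Spec.Hosts {
			if seHost == hostName {
				result = append(result, models.IstioReference{Name: se.Name, Namespace: se.Namespace, ObjectType: models.ObjectTypeSingular[kubernetes.ServiceEntries]})
			}
		}
	}
	for _, vs := range n.VirtualServices {
		if vs == nil {
			continue
		}
		for _, vHost := range vs.Spec.Hosts {
			if kubernetes.ParseHost(vHost, vs.Namespace).String() == hostName {
				result = append(result, models.IstioReference{Name: vs.Name, Namespace: vs.Namespace, ObjectType: models.ObjectTypeSingular[kubernetes.VirtualServices]})
			}
		}
	}
	return result
}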
    92  
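// getWorkloadReferences returns the workloads in n.WorkloadsPerNamespace that
// ap.Spec.Selector selects.
//
// A policy in the root namespace (config.IsRootNamespace) is matched against
// the workloads of every namespace; any other policy only against the
// workloads of its own namespace. A workload is referenced when its labels
// satisfy the selector built from spec.selector.matchLabels; an empty
// matchLabels set yields a selector that matches every candidate.
//
// A nil ap or a policy without a selector produces no references.
// NOTE(review): in Istio a policy without a selector applies to every workload
// in its namespace, yet none are referenced here — confirm that is intended.
// The result is never nil; its order follows map iteration and is not stable.
func (n AuthorizationPolicyReferences) getWorkloadReferences(ap *security_v1beta.AuthorizationPolicy) []models.WorkloadReference {
	result := make([]models.WorkloadReference, 0)
	if ap == nil || ap.Spec.Selector == nil {
		return result
	}
	selector := labels.SelectorFromSet(ap.Spec.Selector.MatchLabels)
	// Whether the policy sees all namespaces depends only on ap; decide once
	// rather than per namespace.
	allNamespaces := config.IsRootNamespace(ap.Namespace)

	for _, wls := range n.WorkloadsPerNamespace {
		if !allNamespaces && wls.Namespace != ap.Namespace {
			continue
		}
		for _, wl := range wls.Workloads {
			if selector.Matches(labels.Set(wl.Labels)) {
				result = append(result, models.WorkloadReference{Name: wl.Name, Namespace: wls.Namespace})
			}
		}
	}
	return result
}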