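package references

import (
	networking_v1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
	security_v1beta "istio.io/client-go/pkg/apis/security/v1beta1"

	"k8s.io/apimachinery/pkg/labels"

	"github.com/kiali/kiali/config"
	"github.com/kiali/kiali/kubernetes"
	"github.com/kiali/kiali/models"
)

// AuthorizationPolicyReferences resolves, for each AuthorizationPolicy, the
// Istio config objects (ServiceEntry / VirtualService), registry services and
// workloads it refers to or applies to.
//
// Every input is expected to be pre-fetched by the caller: Namespaces is used
// to qualify short host names, ServiceEntries / VirtualServices are matched
// by host, RegistryServices is the fallback service lookup, and
// WorkloadsPerNamespace is matched against each policy's selector. None of the
// methods below perform API calls.
type AuthorizationPolicyReferences struct {
	AuthorizationPolicies []*security_v1beta.AuthorizationPolicy
	Namespace             string
	Namespaces            models.Namespaces
	ServiceEntries        []*networking_v1beta1.ServiceEntry
	VirtualServices       []*networking_v1beta1.VirtualService
	RegistryServices      []*kubernetes.RegistryService
	WorkloadsPerNamespace map[string]models.WorkloadList
}

// References builds the reference map for every policy in
// n.AuthorizationPolicies, keyed by the policy's namespace, name and type.
//
// For each rule's `to.operation.hosts` entry, a non-wildcard host is first
// matched against ServiceEntries and VirtualServices (getConfigReferences);
// only when neither declares the host is it looked up in the service registry
// (getServiceReferences). Wildcard hosts (e.g. "*" or "*.example.com") are
// skipped: they may cover many objects and there is no single one to point at,
// so a policy using them shows fewer references than it actually governs.
// Workload references come from the policy's selector (getWorkloadReferences).
// Hosts listed in `from` sources are not resolved here.
func (n AuthorizationPolicyReferences) References() models.IstioReferencesMap {
	result := models.IstioReferencesMap{}

	for _, ap := range n.AuthorizationPolicies {
		namespace := ap.Namespace
		key := models.IstioReferenceKey{
			Namespace:  namespace,
			Name:       ap.Name,
			ObjectType: models.ObjectTypeSingular[kubernetes.AuthorizationPolicies],
		}
		references := &models.IstioReferences{}

		for _, rule := range ap.Spec.Rules {
			if rule == nil {
				continue
			}
			for _, to := range rule.To {
				if to == nil || to.Operation == nil {
					continue
				}
				for _, h := range to.Operation.Hosts {
					// Short names are qualified relative to the policy's namespace.
					fqdn := kubernetes.GetHost(h, namespace, n.Namespaces.GetNames())
					if fqdn.IsWildcard() {
						continue
					}
					configRefs := n.getConfigReferences(fqdn)
					references.ObjectReferences = append(references.ObjectReferences, configRefs...)
					// No ServiceEntry / VirtualService declares this host: fall back to the
					// registry, which contains every known service.
					if len(configRefs) == 0 {
						references.ServiceReferences = append(references.ServiceReferences, n.getServiceReferences(fqdn, namespace)...)
					}
				}
			}
		}

		references.WorkloadReferences = append(references.WorkloadReferences, n.getWorkloadReferences(ap)...)
		result.MergeReferencesMap(models.IstioReferencesMap{key: references})
	}

	return result
}

// getServiceReferences returns a single ServiceReference for host when the
// service registry knows a matching service as seen from itemNamespace, and an
// empty (non-nil) slice otherwise. The reference carries the host's own
// service name and namespace, not itemNamespace.
func (n AuthorizationPolicyReferences) getServiceReferences(host kubernetes.Host, itemNamespace string) []models.ServiceReference {
	result := make([]models.ServiceReference, 0)
	if kubernetes.HasMatchingRegistryService(itemNamespace, host.String(), n.RegistryServices) {
		result = append(result, models.ServiceReference{Name: host.Service, Namespace: host.Namespace})
	}
	return result
}

// getConfigReferences returns one IstioReference for every ServiceEntry and
// VirtualService that declares host. Each object is reported at most once,
// even if it lists the same host several times (a VirtualService listing a
// service in both short and fully-qualified form parses to the same FQDN).
//
// ServiceEntry hosts are compared verbatim against host.String();
// VirtualService hosts are parsed relative to the VirtualService's own
// namespace before comparison.
func (n AuthorizationPolicyReferences) getConfigReferences(host kubernetes.Host) []models.IstioReference {
	result := make([]models.IstioReference, 0)
	target := host.String()

	for _, se := range n.ServiceEntries {
		for _, seHost := range se.Spec.Hosts {
			if seHost == target {
				result = append(result, models.IstioReference{
					Name:       se.Name,
					Namespace:  se.Namespace,
					ObjectType: models.ObjectTypeSingular[kubernetes.ServiceEntries],
				})
				break // one reference per ServiceEntry, even with duplicate hosts
			}
		}
	}

	for _, vs := range n.VirtualServices {
		for _, vsHost := range vs.Spec.Hosts {
			if kubernetes.ParseHost(vsHost, vs.Namespace).String() == target {
				result = append(result, models.IstioReference{
					Name:       vs.Name,
					Namespace:  vs.Namespace,
					ObjectType: models.ObjectTypeSingular[kubernetes.VirtualServices],
				})
				break // one reference per VirtualService, even with duplicate hosts
			}
		}
	}

	return result
}

// getWorkloadReferences lists the workloads ap applies to, derived from
// spec.selector.matchLabels.
//
// Scope: a policy living in the mesh root namespace (config.IsRootNamespace)
// is matched against the workloads of every namespace in
// n.WorkloadsPerNamespace; any other policy only against its own namespace.
// An empty or nil matchLabels map produces a match-everything selector, so
// such a policy references every workload in scope.
//
// NOTE(review): a policy with no selector at all returns an empty slice here,
// although Istio applies a selector-less policy to every workload in its
// scope — the UI therefore understates that policy's blast radius.
//
// The order of the result follows Go map iteration over
// n.WorkloadsPerNamespace and is therefore not deterministic across calls.
func (n AuthorizationPolicyReferences) getWorkloadReferences(ap *security_v1beta.AuthorizationPolicy) []models.WorkloadReference {
	result := make([]models.WorkloadReference, 0)
	if ap.Spec.Selector == nil {
		return result
	}

	selector := labels.SelectorFromSet(ap.Spec.Selector.MatchLabels)
	// Loop-invariant: whether this policy is cluster-wide.
	clusterWide := config.IsRootNamespace(ap.Namespace)

	for _, wls := range n.WorkloadsPerNamespace {
		if !clusterWide && wls.Namespace != ap.Namespace {
			continue
		}
		for _, wl := range wls.Workloads {
			if selector.Matches(labels.Set(wl.Labels)) {
				result = append(result, models.WorkloadReference{Name: wl.Name, Namespace: wls.Namespace})
			}
		}
	}
	return result
}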