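# Istio AuthorizationPolicies for the Kyma Environment Broker (KEB) workload.
#
# Every policy below is action: ALLOW and targets the KEB pods via the
# app.kubernetes.io/name + app.kubernetes.io/instance selector. Each policy
# opens exactly one slice of the API surface; anything not matched by some
# ALLOW rule stays denied once at least one policy selects the workload.
#
# Authenticated rules use requestPrincipals "<oidc issuer>/*" (a JWT issued by
# .Values.oidc.issuer) plus a claim check (scp or groups) in `when`.
# Peer-identity rules (`principals`) are rendered from
# .Values.runtimeAllowedPrincipals — see the NOTE on those rules.
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: istio-passthrough
  namespace: kcp-system
  annotations:
    argocd.argoproj.io/sync-options: Prune=false
spec:
  action: ALLOW
  rules:
  # GET from any workload in istio-system (presumably the ingress gateway —
  # confirm) to the kubeconfig endpoint; no JWT is required here.
  - from:
    - source:
        namespaces:
        - istio-system
    to:
    - operation:
        methods:
        - GET
        paths:
        - /kubeconfig*
{{- if .Values.swagger.virtualService.enabled }}
        # Swagger UI and schema are exposed only when the swagger VirtualService
        # is enabled.
        - /
        - /swagger*
        - /schema*
{{- end }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "kyma-env-broker.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: istio-monitoring
  namespace: kcp-system
spec:
  action: ALLOW
  rules:
  # No `from` clause: /metrics is reachable from any source in the mesh.
  # Acceptable only if the metrics endpoint exposes nothing sensitive.
  - to:
    - operation:
        paths:
        - /metrics
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "kyma-env-broker.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: istio-info-runtimes
  namespace: kcp-system
spec:
  action: ALLOW
  rules:
  # Read-only runtime info for JWTs from the configured issuer carrying the
  # "cld:read" scope.
  - to:
    - operation:
        methods:
        - GET
        paths:
        - /info/runtimes
    from:
    - source:
        requestPrincipals:
        - {{ tpl .Values.oidc.issuer $ }}/*
    when:
    - key: request.auth.claims[scp]
      values:
      - cld:read
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "kyma-env-broker.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: istio-oauth2-local
  namespace: kcp-system
spec:
  action: ALLOW
  rules:
  # No `to` clause: any workload in kcp-system may call ANY path and method
  # on the broker. This is the in-cluster trust boundary; keep the namespace
  # list as tight as possible.
  - from:
    - source:
        namespaces:
        - kcp-system
  selector:
    matchLabels:
      # Templated like every other policy in this file; the previous
      # hard-coded "kcp" / "kyma-environment-broker" labels silently selected
      # nothing when the release was installed under a different name.
      app.kubernetes.io/name: {{ include "kyma-env-broker.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: istio-oauth2
  namespace: kcp-system
spec:
  action: ALLOW
  rules:
  # OSB API under /oauth/* for JWTs from the configured issuer with the
  # "broker:write" scope.
  - to:
    - operation:
        methods:
        - GET
        - PUT
        - PATCH
        - DELETE
        paths:
        - /oauth/*
    from:
    - source:
        requestPrincipals:
        - {{ tpl .Values.oidc.issuer $ }}/*
    when:
    - key: request.auth.claims[scp]
      values:
      - broker:write
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "kyma-env-broker.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: istio-runtimes
  namespace: kcp-system
spec:
  action: ALLOW
  rules:
  # Human access: JWT from the configured issuer whose "groups" claim holds
  # the admin or operator group.
  - to:
    - operation:
        methods:
        - GET
        paths:
        - /runtimes
    from:
    - source:
        requestPrincipals:
        - {{ tpl .Values.oidc.issuer $ }}/*
    when:
    - key: request.auth.claims[groups]
      values:
      - {{ .Values.oidc.groups.admin }}
      - {{ .Values.oidc.groups.operator }}
  # Workload access by peer identity (mTLS principal).
  # NOTE(review): if .Values.runtimeAllowedPrincipals is empty, `principals:`
  # renders as null and Istio treats an unset principals list as "any
  # principal" — this rule would then allow GET /runtimes from any source.
  # Consider guarding the whole rule with the `with` block instead.
  - to:
    - operation:
        methods:
        - GET
        paths:
        - /runtimes
    from:
    - source:
        principals:
{{- with .Values.runtimeAllowedPrincipals }}
{{ tpl . $ | indent 10 }}
{{- end }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "kyma-env-broker.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: istio-events
  namespace: kcp-system
spec:
  action: ALLOW
  rules:
  # Same two-rule shape as istio-runtimes, for the /events endpoint.
  - to:
    - operation:
        methods:
        - GET
        paths:
        - /events
    from:
    - source:
        requestPrincipals:
        - {{ tpl .Values.oidc.issuer $ }}/*
    when:
    - key: request.auth.claims[groups]
      values:
      - {{ .Values.oidc.groups.admin }}
      - {{ .Values.oidc.groups.operator }}
  # NOTE(review): same caveat as in istio-runtimes — an empty
  # runtimeAllowedPrincipals leaves `principals:` null, which Istio reads as
  # "any principal".
  - to:
    - operation:
        methods:
        - GET
        paths:
        - /events
    from:
    - source:
        principals:
{{- with .Values.runtimeAllowedPrincipals }}
{{ tpl . $ | indent 10 }}
{{- end }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "kyma-env-broker.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: istio-orchestrations
  namespace: kcp-system
spec:
  action: ALLOW
  rules:
  # Orchestration API (read and write) for the orchestrations group only.
  - to:
    - operation:
        methods:
        - GET
        - PUT
        - POST
        paths:
        - /orchestrations*
    from:
    - source:
        requestPrincipals:
        - {{ tpl .Values.oidc.issuer $ }}/*
    when:
    - key: request.auth.claims[groups]
      values:
      - {{ .Values.oidc.groups.orchestrations }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "kyma-env-broker.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: istio-upgrade
  namespace: kcp-system
spec:
  action: ALLOW
  rules:
  # Triggering upgrades is restricted to the orchestrations group.
  - to:
    - operation:
        methods:
        - POST
        paths:
        - /upgrade/*
    from:
    - source:
        requestPrincipals:
        - {{ tpl .Values.oidc.issuer $ }}/*
    when:
    - key: request.auth.claims[groups]
      values:
      - {{ .Values.oidc.groups.orchestrations }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "kyma-env-broker.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}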