istio.io/istio@v0.0.0-20240520182934-d79c90f27776/manifests/charts/istio-control/istio-discovery/templates/validatingadmissionpolicy.yaml

istio.io/istio@v0.0.0-20240520182934-d79c90f27776/manifests/charts/istio-control/istio-discovery/templates/validatingadmissionpolicy.yaml (about)

     1  {{- if .Values.experimental.stableValidationPolicy }}
     2  apiVersion: admissionregistration.k8s.io/v1
     3  kind: ValidatingAdmissionPolicy
     4  metadata:
     5    name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
     6  spec:
     7    failurePolicy: Fail
     8    matchConstraints:
     9      resourceRules:
    10      - apiGroups:
    11          - security.istio.io
    12          - networking.istio.io
    13          - telemetry.istio.io
    14          - extensions.istio.io
    15        apiVersions: ["*"]
    16        operations:  ["CREATE", "UPDATE"]
    17        resources:   ["*"]
    18      objectSelector:
    19        matchExpressions:
    20          - key: istio.io/rev
    21            operator: In
    22            values:
    23            {{- if (eq .Values.revision "") }}
    24            - "default"
    25            {{- else }}
    26            - "{{ .Values.revision }}"
    27            {{- end }}
    28    variables:
    29      - name: isEnvoyFilter
    30        expression: "object.kind == 'EnvoyFilter'"
    31      - name: isWasmPlugin
    32        expression: "object.kind == 'WasmPlugin'"
    33      - name: isProxyConfig
    34        expression: "object.kind == 'ProxyConfig'"
    35      - name: isTelemetry
    36        expression: "object.kind == 'Telemetry'"
    37    validations:
    38      - expression: "!variables.isEnvoyFilter"
    39      - expression: "!variables.isWasmPlugin"
    40      - expression: "!variables.isProxyConfig"
    41      - expression: |
    42          !(
    43            variables.isTelemetry && (
    44              (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
    45              (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
    46              (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
    47            )
    48          )
    49  ---
    50  apiVersion: admissionregistration.k8s.io/v1
    51  kind: ValidatingAdmissionPolicyBinding
    52  metadata:
    53    name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
    54  spec:
    55    policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
    56    validationActions: [Deny]
    57  {{- end }}