
     1  // Copyright Istio Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package features
    16  
    17  import (
    18  	"strings"
    19  
    20  	"k8s.io/apimachinery/pkg/types"
    21  
    22  	"istio.io/istio/pkg/env"
    23  	"istio.io/istio/pkg/log"
    24  	"istio.io/istio/pkg/util/sets"
    25  )
    26  
    27  // Define security related features here.
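// Security-related feature flags, read from the environment once at package
// initialization (so they must be set before the process starts). Several of
// them loosen authentication or authorization when moved away from their
// defaults; the comments below spell out what each one gives up so the switch
// is not flipped casually.
var (
	// SkipValidateTrustDomain tells the server proxy not to check the peer's
	// trust domain when mTLS is enabled in authentication policy.
	//
	// Security note: when true, a peer whose identity belongs to a different
	// trust domain is accepted where the policy would otherwise reject it.
	// Keep it false except as a deliberate, temporary measure (presumably a
	// trust-domain migration — confirm against the policy documentation).
	SkipValidateTrustDomain = env.Register(
		"PILOT_SKIP_VALIDATE_TRUST_DOMAIN",
		false,
		"Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy").Get()

	// XDSAuth controls whether XDS clients are authenticated at all.
	// When false, clients are served without proving who they are, which is
	// only defensible for local development or testing.
	XDSAuth = env.Register("XDS_AUTH", true,
		"If true, will authenticate XDS clients.").Get()

	// EnableXDSIdentityCheck controls whether an authenticated XDS client is
	// additionally authorized to act only for the namespaces it has
	// permissions for. When false, an authenticated client can act as if it
	// were a proxy in any namespace.
	EnableXDSIdentityCheck = env.Register(
		"PILOT_ENABLE_XDS_IDENTITY_CHECK",
		true,
		"If enabled, pilot will authorize XDS clients, to ensure they are acting only as namespaces they have permissions for.",
	).Get()

	// TODO: Move this to proper API.
	//
	// trustedGatewayCIDR holds the raw TRUSTED_GATEWAY_CIDR value: a
	// comma-separated list of CIDR ranges whose connections to istiod may use
	// forwarded authentication mechanisms such as XFCC.
	trustedGatewayCIDR = env.Register(
		"TRUSTED_GATEWAY_CIDR",
		"",
		"If set, any connections from gateway to Istiod with this CIDR range are treated as trusted for using authentication mechanisms like XFCC."+
			" This can only be used when the network where Istiod and the authenticating gateways are running in a trusted/secure network",
	)

	// TrustedGatewayCIDR is trustedGatewayCIDR split into individual entries,
	// with surrounding whitespace removed and empty entries (e.g. from a
	// trailing comma) dropped. It is an empty, non-nil slice when unset.
	//
	// Security note: every host inside a listed range can assert arbitrary
	// client identities through XFCC, so the ranges must cover only the
	// gateways themselves. Entries are not syntax-checked here; a malformed
	// CIDR is passed through unchanged for the consumer to reject.
	TrustedGatewayCIDR = splitCommaList(trustedGatewayCIDR.Get())

	// caTrustedNodeAccounts holds the raw CA_TRUSTED_NODE_ACCOUNTS value: a
	// comma-separated list of "namespace/serviceaccount" entries.
	caTrustedNodeAccounts = env.Register(
		"CA_TRUSTED_NODE_ACCOUNTS",
		"",
		"If set, the list of service accounts that are allowed to use node authentication for CSRs. "+
			"Node authentication allows an identity to create CSRs on behalf of other identities, but only if there is a pod "+
			"running on the same node with that identity. "+
			"This is intended for use with node proxies.",
	)

	// CATrustedNodeAccounts is the parsed set of service accounts allowed to
	// use node authentication for CSRs.
	//
	// Security note: each listed account may obtain certificates for any
	// identity that has a pod on its node, so the list should contain only the
	// node-proxy accounts. Malformed entries are logged and skipped, never
	// trusted.
	CATrustedNodeAccounts = parseTrustedNodeAccounts(caTrustedNodeAccounts.Get())

	// CertSignerDomain is the CERT_SIGNER_DOMAIN value, passed through
	// uninterpreted.
	CertSignerDomain = env.Register("CERT_SIGNER_DOMAIN", "", "The cert signer domain info").Get()

	// UseCacertsForSelfSignedCA makes istiod keep its self-signed,
	// istio-generated root certificate in a secret named cacerts.
	UseCacertsForSelfSignedCA = env.Register("USE_CACERTS_FOR_SELF_SIGNED_CA", false,
		"If enabled, istiod will use a secret named cacerts to store its self-signed istio-"+
			"generated root certificate.").Get()
)

// splitCommaList splits raw on commas, trims whitespace around each entry and
// drops entries that are empty after trimming. The result is never nil, so an
// unset value yields an empty slice rather than [""].
func splitCommaList(raw string) []string {
	parts := strings.Split(raw, ",")
	out := make([]string, 0, len(parts))
	for _, p := range parts {
		if p = strings.TrimSpace(p); p != "" {
			out = append(out, p)
		}
	}
	return out
}

// parseTrustedNodeAccounts parses a comma-separated list of
// "namespace/serviceaccount" entries into a set. Entries that are empty after
// trimming (e.g. a trailing comma) are ignored silently. Entries without a
// separator, with an empty namespace or name, or with more than one "/" are
// logged and skipped: no real service account could match them, and keeping
// them would only mislead an operator reading the configured list.
func parseTrustedNodeAccounts(raw string) sets.Set[types.NamespacedName] {
	res := sets.New[types.NamespacedName]()
	for _, entry := range splitCommaList(raw) {
		ns, sa, found := strings.Cut(entry, "/")
		ns, sa = strings.TrimSpace(ns), strings.TrimSpace(sa)
		if !found || ns == "" || sa == "" || strings.Contains(sa, "/") {
			log.Warnf("Invalid CA_TRUSTED_NODE_ACCOUNTS, ignoring: %v", entry)
			continue
		}
		res.Insert(types.NamespacedName{
			Namespace: ns,
			Name:      sa,
		})
	}
	return res
}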