kyverno · anushkamittal2001 · May 6, 2024 · Apr 8, 2024 · Apr 18, 2024 · Apr 25, 2024
@@ -0,0 +1,16 @@
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: kyverno-ext-authz-grpc
+  namespace: demo
+spec:
+  action: CUSTOM
+  provider:
+    # The provider name must match the extension provider defined in the mesh config.
+    name: kyverno-ext-authz-grpc
+  rules:
+  # The rules specify when to trigger the external authorizer.
+  - to:
+    - operation:
+        notPaths: ["/healthz"]
+    # Allowed all path except /healthz
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: demo
+  labels:
+    istio-injection: enabled 
@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: policy-files
+  namespace: demo
+data:
+  policy.yaml: |
+    apiVersion: json.kyverno.io/v1alpha1
+    kind: ValidatingPolicy
+    metadata:
+      name: checkrequest
+    spec:
+      rules:
+        - name: deny-guest-request-at-post
+          assert:
+            any:
+            - message: "POST method calls at path /book are not allowed to guests users"
+              check:
+                request:
+                    http:
+                        method: POST
+                        headers:
+                            authorization:
+                                (split(@, ' ')[1]):
+                                    (jwt_decode(@ , 'secret').payload.role): admin
+                        path: /book                             
+            - message: "GET method call is allowed to both guest and admin users"
+              check:
+                request:
+                    http:
+                        method: GET
+                        headers:
+                            authorization:
+                                (split(@, ' ')[1]):
+                                    (jwt_decode(@ , 'secret').payload.role): admin
+                        path: /book 
+            - message: "GET method call is allowed to both guest and admin users"
+              check:
+                request:
+                    http:
+                        method: GET
+                        headers:
+                            authorization:
+                                (split(@, ' ')[1]):
+                                    (jwt_decode(@ , 'secret').payload.role): guest
+                        path: /book               
+
@@ -0,0 +1,17 @@
+# ServiceEntry to register the Kyverno-Envoy sidecars as external authorizers.
+apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+  name: kyverno-ext-authz-grpc-local
+spec:
+  hosts:
+  - "kyverno-ext-authz-grpc.local"
+   # The service name to be used in the extension provider in the mesh config.
+  endpoints:
+  - address: "127.0.0.1"
+  ports:
+  - name: grpc
+    number: 9000
+    # The port number to be used in the extension provider in the mesh config.
+    protocol: GRPC
+  resolution: STATIC
@@ -1,40 +1,34 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: demo
-  labels:
-    istio-injection: enabled 
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: echo
+  name: testapp
   namespace: demo
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: echo
+      app: testapp
   template:
     metadata:
       labels:
-        app: echo
+        kyverno-envoy-sidecar/injection: enabled
+        app: testapp
     spec:
       containers:
-      - name: echo
-        image: mendhak/http-https-echo
+      - name: testapp
+        image: sanskardevops/test-application:0.0.1
         ports:
         - containerPort: 8080
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: echo
+  name: testapp
   namespace: demo
 spec:
-  type: ClusterIP  
+  type: ClusterIP
   selector:
-    app: echo
+    app: testapp
   ports:
   - port: 8080
     targetPort: 8080