copy stable policy to istiod-remote

Signed-off-by: Whitney Griffith <[email protected]>
istio · May 8, 2024 · 86546ac · 86546ac
1 parent a727351
commit 86546ac
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 0 deletions.
diff --git a/Makefile.core.mk b/Makefile.core.mk
@@ -362,6 +362,7 @@ copy-templates:
  cp manifests/charts/istio-control/istio-discovery/templates/configmap.yaml manifests/charts/istiod-remote/templates
  cp manifests/charts/istio-control/istio-discovery/templates/_helpers.tpl manifests/charts/istiod-remote/templates
  sed -e '1 i {{- if .Values.global.configCluster }}' -e '$$ a {{- end }}' manifests/charts/base/crds/crd-all.gen.yaml > manifests/charts/istiod-remote/templates/crd-all.gen.yaml
+ sed -e '1 i {{- if .Values.global.configCluster }}' -e '$$ a {{- end }}' manifests/charts/istio-control/istio-discovery/templates/validatingadmissionpolicy.yaml > manifests/charts/istiod-remote/templates/validatingadmissionpolicy.yaml
  sed -e '1 i {{- if .Values.global.configCluster }}' -e '$$ a {{- end }}' manifests/charts/base/templates/default.yaml > manifests/charts/istiod-remote/templates/default.yaml
  sed -e '1 i {{- if .Values.global.configCluster }}' -e '$$ a {{- end }}' manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml > manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml
  sed -e '1 i {{- if .Values.global.configCluster }}' -e '$$ a {{- end }}' manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml > manifests/charts/istiod-remote/templates/serviceaccount.yaml

diff --git a/manifests/charts/istiod-remote/templates/validatingadmissionpolicy.yaml b/manifests/charts/istiod-remote/templates/validatingadmissionpolicy.yaml
@@ -0,0 +1,59 @@
+{{- if .Values.global.configCluster }}
+{{- if .Values.experimental.stableValidationPolicy }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ - extensions.istio.io
+ apiVersions: ["*"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["*"]
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+ variables:
+ - name: isEnvoyFilter
+ expression: "object.kind == 'EnvoyFilter'"
+ - name: isWasmPlugin
+ expression: "object.kind == 'WasmPlugin'"
+ - name: isProxyConfig
+ expression: "object.kind == 'ProxyConfig'"
+ - name: isTelemetry
+ expression: "object.kind == 'Telemetry'"
+ validations:
+ - expression: "!variables.isEnvoyFilter"
+ - expression: "!variables.isWasmPlugin"
+ - expression: "!variables.isProxyConfig"
+ - expression: |
+ !(
+ variables.isTelemetry && (
+ (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+ (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+ (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+ )
+ )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+ policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+ validationActions: [Deny]
+{{- end }}
+{{- end }}