Copy stable validation policy to istiod-remote

Makefile.core.mk

@@ -362,6 +362,8 @@ copy-templates:
  cp manifests/charts/istio-control/istio-discovery/templates/configmap.yaml manifests/charts/istiod-remote/templates
  cp manifests/charts/istio-control/istio-discovery/templates/_helpers.tpl manifests/charts/istiod-remote/templates
  sed -e '1 i {{- if .Values.global.configCluster }}' -e '$$ a {{- end }}' manifests/charts/base/crds/crd-all.gen.yaml > manifests/charts/istiod-remote/templates/crd-all.gen.yaml
+ sed -e '1 i {{- if .Values.global.configCluster }}' -e '$$ a {{- end }}' manifests/charts/base/templates/validatingadmissionpolicy.yaml > manifests/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml
+ sed -e '1 i {{- if .Values.global.configCluster }}' -e '$$ a {{- end }}' manifests/charts/istio-control/istio-discovery/templates/validatingadmissionpolicy.yaml > manifests/charts/istiod-remote/templates/validatingadmissionpolicy.yaml
  sed -e '1 i {{- if .Values.global.configCluster }}' -e '$$ a {{- end }}' manifests/charts/base/templates/default.yaml > manifests/charts/istiod-remote/templates/default.yaml
  sed -e '1 i {{- if .Values.global.configCluster }}' -e '$$ a {{- end }}' manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml > manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml
  sed -e '1 i {{- if .Values.global.configCluster }}' -e '$$ a {{- end }}' manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml > manifests/charts/istiod-remote/templates/serviceaccount.yaml

manifests/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml

@@ -0,0 +1,53 @@
+{{- if .Values.global.configCluster }}
+{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: "stable-channel-default-policy.istio.io"
+ labels:
+ release: {{ .Release.Name }}
+ istio: istiod
+ istio.io/rev: {{ .Values.defaultRevision }}
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ - extensions.istio.io
+ apiVersions: ["*"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["*"]
+ variables:
+ - name: isEnvoyFilter
+ expression: "object.kind == 'EnvoyFilter'"
+ - name: isWasmPlugin
+ expression: "object.kind == 'WasmPlugin'"
+ - name: isProxyConfig
+ expression: "object.kind == 'ProxyConfig'"
+ - name: isTelemetry
+ expression: "object.kind == 'Telemetry'"
+ validations:
+ - expression: "!variables.isEnvoyFilter"
+ - expression: "!variables.isWasmPlugin"
+ - expression: "!variables.isProxyConfig"
+ - expression: |
+ !(
+ variables.isTelemetry && (
+ (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+ (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+ (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+ )
+ )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: "stable-channel-default-policy-binding.istio.io"
+spec:
+ policyName: "stable-channel-default-policy.istio.io"
+ validationActions: [Deny]
+{{- end }}
+{{- end }}

manifests/charts/istiod-remote/templates/validatingadmissionpolicy.yaml

@@ -0,0 +1,59 @@
+{{- if .Values.global.configCluster }}
+{{- if .Values.experimental.stableValidationPolicy }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ - extensions.istio.io
+ apiVersions: ["*"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["*"]
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+ variables:
+ - name: isEnvoyFilter
+ expression: "object.kind == 'EnvoyFilter'"
+ - name: isWasmPlugin
+ expression: "object.kind == 'WasmPlugin'"
+ - name: isProxyConfig
+ expression: "object.kind == 'ProxyConfig'"
+ - name: isTelemetry
+ expression: "object.kind == 'Telemetry'"
+ validations:
+ - expression: "!variables.isEnvoyFilter"
+ - expression: "!variables.isWasmPlugin"
+ - expression: "!variables.isProxyConfig"
+ - expression: |
+ !(
+ variables.isTelemetry && (
+ (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+ (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+ (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+ )
+ )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+ policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+ validationActions: [Deny]
+{{- end }}
+{{- end }}

releasenotes/notes/release-channels-remote-cluster.yaml

@@ -0,0 +1,8 @@
+apiVersion: release-notes/v2
+kind: feature
+area: installation
+issue:
+- https://github.com/istio/enhancements/issues/173
+releaseNotes:
+- |
+ **Added** a new, optional experimental admission policy that only allows stable features/fields to be used in Istio APIs when using a remote Istiod cluster.