This repository has been archived by the owner on Jan 12, 2023. It is now read-only.

[FR] Add policy to enforce unique Istio VirtualServices (like unique Ingress policy) #83

Open
funkypenguin opened this issue Aug 5, 2020 · 3 comments

Comments

@funkypenguin
Contributor

Hey guys,

Could we have another policy, similar to https://github.com/cruise-automation/k-rail#unique-ingress-host, which could prevent deployment of Istio VirtualServices with duplicate names? The policy would serve the same purpose - preventing the accidental (or deliberate) interception of traffic to one service simply by creating a matching virtualservice in another namespace.

I'd be happy to take a crack at duplicating policies/ingress/unique_ingress_host.go myself, but might need help to add a check to ensure that the necessary CRD to list VirtualServices even exists in the cluster.

Here's an example VirtualService record; the field we care about is `spec.hosts`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  annotations:
    meta.helm.sh/release-name: minio
    meta.helm.sh/release-namespace: dev
  creationTimestamp: "2020-07-27T09:44:34Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
  name: dev-minio.elpenguino.net
  namespace: dev
  resourceVersion: "10700039"
  selfLink: /apis/networking.istio.io/v1beta1/namespaces/dev/virtualservices/dev-minio.elpenguino.net
  uid: 118e4125-20b6-4a82-b940-94c729387b62
spec:
  gateways:
  - istio-ingressgateway.istio-system.svc.cluster.local
  hosts:
  - dev-minio.elpenguino.net
```

Thanks!
D

@dustin-decker
Contributor

That would be a great addition.

If you'd like to attempt, here are the PRs for reference:
https://github.com/cruise-automation/k-rail/pull/63/files
https://github.com/cruise-automation/k-rail/pull/64/files

I don't think we need any special consideration for ensuring the CRD is present - just handling the error and ensuring the request continues to the apiserver so the user gets that feedback should be enough.

Let us know if you need any assistance.
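To make the two points above concrete (the host-uniqueness rule requested in the issue, and the "just handle the lister error and let the request continue" approach for a missing CRD), here is an added, stdlib-only Go example of the policy logic. It is not k-rail's code and not part of this thread: the type `VirtualService`, the functions `UniqueVirtualServiceHost` and `normalizeHost`, the `ErrNoVirtualServiceCRD` sentinel and the in-memory lister are all constructed for illustration, and the cluster domain `cluster.local` is an assumption. It follows the same rule as the unique Ingress host policy (hosts claimed by another namespace are conflicts; the candidate's own namespace is not) and additionally expands Istio short names with their namespace, since a short host like `reviews` is namespace-local in Istio and would otherwise produce false conflicts.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// VirtualService holds the only fields of a networking.istio.io VirtualService
// that the policy needs: where it lives and which hosts it claims.
type VirtualService struct {
	Namespace string
	Name      string
	Hosts     []string
}

// ErrNoVirtualServiceCRD stands in for the apiserver's "no matches for kind"
// error seen when the Istio CRDs are not installed (constructed for this example).
var ErrNoVirtualServiceCRD = errors.New(`no matches for kind "VirtualService" in group "networking.istio.io"`)

// Violation records one host the candidate would share with another namespace.
type Violation struct {
	Host           string // normalized host
	OwnerNamespace string
	OwnerName      string
}

func (v Violation) String() string {
	return fmt.Sprintf("host %q is already claimed by VirtualService %s/%s", v.Host, v.OwnerNamespace, v.OwnerName)
}

// normalizeHost canonicalizes a host for comparison. Istio treats a short name
// (no dot) as a Service in the VirtualService's own namespace, so "reviews" in
// two namespaces is not a collision; it is expanded with its namespace (cluster
// domain cluster.local is an assumption). FQDNs and wildcards are compared
// literally after lower-casing and trimming a trailing dot.
func normalizeHost(host, namespace string) string {
	h := strings.TrimSuffix(strings.ToLower(strings.TrimSpace(host)), ".")
	if h == "*" || strings.Contains(h, ".") {
		return h
	}
	return fmt.Sprintf("%s.%s.svc.cluster.local", h, namespace)
}

// UniqueVirtualServiceHost is the policy check. list is whatever the admission
// webhook uses to fetch existing VirtualServices cluster-wide. It returns one
// Violation per candidate host already claimed in a different namespace. If
// list fails (for example because the CRD is absent) it returns no violations
// and the error, so the caller can log it and let the request continue to the
// apiserver, which then rejects the unknown kind itself.
func UniqueVirtualServiceHost(candidate VirtualService, list func() ([]VirtualService, error)) ([]Violation, error) {
	existing, err := list()
	if err != nil {
		return nil, fmt.Errorf("unique_virtualservice_host: listing VirtualServices: %w", err)
	}
	// First claimant wins; the candidate's own namespace is never a conflict.
	claimed := make(map[string]VirtualService)
	for _, vs := range existing {
		if vs.Namespace == candidate.Namespace {
			continue
		}
		for _, h := range vs.Hosts {
			key := normalizeHost(h, vs.Namespace)
			if _, taken := claimed[key]; !taken {
				claimed[key] = vs
			}
		}
	}
	var violations []Violation
	seen := make(map[string]bool) // report each candidate host once
	for _, h := range candidate.Hosts {
		key := normalizeHost(h, candidate.Namespace)
		if seen[key] {
			continue
		}
		seen[key] = true
		if owner, taken := claimed[key]; taken {
			violations = append(violations, Violation{Host: key, OwnerNamespace: owner.Namespace, OwnerName: owner.Name})
		}
	}
	sort.Slice(violations, func(i, j int) bool { return violations[i].Host < violations[j].Host })
	return violations, nil
}

func main() {
	// Constructed cluster state: the VirtualService from the issue plus a
	// namespace-local short-name host in another namespace.
	existing := []VirtualService{
		{Namespace: "dev", Name: "dev-minio.elpenguino.net", Hosts: []string{"dev-minio.elpenguino.net"}},
		{Namespace: "prod", Name: "reviews", Hosts: []string{"reviews"}},
	}
	list := func() ([]VirtualService, error) { return existing, nil }

	// A VirtualService in a different namespace trying to take the same host
	// (case and trailing dot differ; "reviews" is local to staging and is fine).
	candidate := VirtualService{Namespace: "staging", Name: "minio-hijack", Hosts: []string{"Dev-Minio.elpenguino.net.", "reviews"}}
	violations, err := UniqueVirtualServiceHost(candidate, list)
	fmt.Println(violations, err)

	// CRD not installed: the policy gives no verdict and surfaces the error.
	_, err = UniqueVirtualServiceHost(candidate, func() ([]VirtualService, error) { return nil, ErrNoVirtualServiceCRD })
	fmt.Println("lister error:", err)
}
```

Wildcard hosts (`*.example.com`) are compared literally here; whether a wildcard in one namespace should block an exact host in another is a policy decision this example does not take. In a real webhook the lister would be an informer-backed cache rather than a closure, and the "lister error" branch is where the missing-CRD case from the comment above lands.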

@dustin-decker
Contributor

Hey David, we could use this policy as well. I can add it soon if you're too busy.

@mark-adams
Contributor

👋 The k-rail project has been deprecated and is no longer under active development. We recommend taking a look at OPA Gatekeeper to see if it might meet your needs going forward.

Thanks for your contribution(s) to the project!
