check for waypoint targeted authz policy in ambient controller (#50110)

* check for waypoint targeted authz policy in ambient controller Signed-off-by: Ian Rudie <ian.rudie@solo.io> * unit test Signed-off-by: Ian Rudie <ian.rudie@solo.io> * spelling, clear events before gateway-target policy testing Signed-off-by: Ian Rudie <ian.rudie@solo.io> * release notes Signed-off-by: Ian Rudie <ian.rudie@solo.io> --------- Signed-off-by: Ian Rudie <ian.rudie@solo.io>
istio · Mar 27, 2024 · 0edb8f5 · 0edb8f5
1 parent 585e8bb
commit 0edb8f5
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 0 deletions.
diff --git a/pilot/pkg/serviceregistry/kube/controller/ambient/ambientindex_test.go b/pilot/pkg/serviceregistry/kube/controller/ambient/ambientindex_test.go
@@ -929,6 +929,19 @@ func TestAmbientIndex_Policy(t *testing.T) {
 	assert.Equal(t,
 		s.lookup(s.addrXdsName("127.0.0.1"))[0].Address.GetWorkload().AuthorizationPolicies,
 		nil)
+
+	s.clearEvents()
+	s.addPolicy(t, "gateway-targeted", testNS, nil, gvk.AuthorizationPolicy, func(o controllers.Object) {
+		p := o.(*clientsecurityv1beta1.AuthorizationPolicy)
+		p.Spec.TargetRef = &v1beta1.PolicyTargetReference{
+			Group: gvk.KubernetesGateway.Group,
+			Kind:  gvk.KubernetesGateway.Kind,
+			Name:  "dummy-waypoint",
+		}
+	})
+	// there should be no event for creation of a gateway-targeted policy because we should not configure WDS with a policy
+	// when expressed user intent is specifically to have that policy enforced by a gateway
+	s.assertNoEvent(t)
 }
 
 func TestPodLifecycleWorkloadGates(t *testing.T) {

diff --git a/pilot/pkg/serviceregistry/kube/controller/ambient/authorization.go b/pilot/pkg/serviceregistry/kube/controller/ambient/authorization.go
@@ -25,6 +25,7 @@ import (
 	"istio.io/api/security/v1beta1"
 	securityclient "istio.io/client-go/pkg/apis/security/v1beta1"
 	"istio.io/istio/pilot/pkg/model"
+	"istio.io/istio/pkg/config/schema/gvk"
 	"istio.io/istio/pkg/config/schema/kind"
 	"istio.io/istio/pkg/log"
 	"istio.io/istio/pkg/util/sets"
@@ -344,6 +345,14 @@ func convertPeerAuthentication(rootNamespace string, cfg *securityclient.PeerAut
 func convertAuthorizationPolicy(rootns string, obj *securityclient.AuthorizationPolicy) *security.Authorization {
 	pol := &obj.Spec
 
+	polTargetRef := pol.GetTargetRef()
+	if polTargetRef != nil &&
+		polTargetRef.Group == gvk.KubernetesGateway.Group &&
+		polTargetRef.Kind == gvk.KubernetesGateway.Kind {
+		// we have a policy targeting a gateway, do not configure a WDS authorization
+		return nil
+	}
+
 	scope := security.Scope_WORKLOAD_SELECTOR
 	if pol.GetSelector() == nil {
 		scope = security.Scope_NAMESPACE

diff --git a/releasenotes/notes/50110.yaml b/releasenotes/notes/50110.yaml
@@ -0,0 +1,34 @@
+apiVersion: release-notes/v2
+
+# This YAML file describes the format for specifying a release notes entry for Istio.
+# This should be filled in for all user facing changes.
+
+# kind describes the type of change that this represents.
+# Valid Values are:
+# - bug-fix -- Used to specify that this change represents a bug fix.
+# - security-fix -- Used to specify that this change represents a vulnerability fix.
+# - feature -- Used to specify a new feature that has been added.
+# - test -- Used to describe additional testing added. This file is optional for
+#   tests, but included for completeness.
+kind: bug-fix
+
+# area describes the area that this change affects.
+# Valid values are:
+# - traffic-management
+# - security
+# - telemetry
+# - installation
+# - istioctl
+# - documentation
+area: traffic-management
+
+# issue is a list of GitHub issues resolved in this note.
+# If issue is not in the current repo, specify its full URL instead.
+issue:
+- 50110
+
+# releaseNotes is a markdown listing of any user facing changes. This will appear in the
+# release notes.
+releaseNotes:
+- |
+  **Added** a check to prevent creation of ztunnel config when user has specified a gateway as targetRef in their AuthorizationPolicy