{"id":15955976,"url":"https://github.com/crcsmnky/gatekeeper-istio","last_synced_at":"2025-03-18T00:30:28.146Z","repository":{"id":140856627,"uuid":"207682828","full_name":"crcsmnky/gatekeeper-istio","owner":"crcsmnky","description":"Using OPA Gatekeeper to deny admission or audit Istio and Istio-related objects","archived":false,"fork":false,"pushed_at":"2019-11-25T17:37:12.000Z","size":17,"stargazers_count":12,"open_issues_count":1,"forks_count":9,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-02-28T05:56:06.530Z","etag":null,"topics":["gatekeeper","istio","kubernetes","open-policy-agent"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/crcsmnky.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-09-10T23:43:33.000Z","updated_at":"2022-03-02T15:58:47.000Z","dependencies_parsed_at":"2023-05-04T22:27:28.085Z","dependency_job_id":null,"html_url":"https://github.com/crcsmnky/gatekeeper-istio","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crcsmnky%2Fgatekeeper-istio","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crcsmnky%2Fgatekeeper-istio/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crcsmnky%2Fgatekeeper-istio/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crcsmnky%2Fgatekeeper-istio/manifests","owner_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/owners/crcsmnky","download_url":"https://codeload.github.com/crcsmnky/gatekeeper-istio/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243893549,"owners_count":20364914,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gatekeeper","istio","kubernetes","open-policy-agent"],"created_at":"2024-10-07T13:28:02.138Z","updated_at":"2025-03-18T00:30:28.135Z","avatar_url":"https://github.com/crcsmnky.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Enforcing Service Mesh Structure using Gatekeeper\n\n## Contents\n\n- [Overview](#overview)\n- [Project setup](#project-setup)\n- [Setup Kubernetes and Istio](#setup-kubernetes-and-istio)\n- [Install and configure Gatekeeper](#install-and-configure-gatekeeper)\n- [Enforcing structural policies](#enforcing-structural-policies)\n- [Cleanup](#cleanup)\n\n## Overview\n\nThis repo contains a set of example policies that can be used to enforce specific service mesh structure. 
Specifically, the policies are managed by [OPA Gatekeeper](http://github.com/open-policy-agent/gatekeeper) and used to enforce specific production-friendly [Istio](http://istio.io) behaviors.\n\n## Project setup\n\n- Install the [Google Cloud SDK](https://cloud.google.com/sdk)\n- Create a [Google Cloud](https://console.cloud.google.com) project (with billing)\n- Enable the Kubernetes Engine [APIs](https://console.cloud.google.com/apis/library):\n\n```\ngcloud services enable container.googleapis.com\n```\n\n## Setup Kubernetes and Istio\n\n- Create a GKE cluster\n\n```\ngcloud container clusters create [CLUSTER-NAME] \\\n  --cluster-version=latest \\\n  --machine-type=n1-standard-2\n```\n\n- Grab the cluster credentials so you can run `kubectl` commands\n\n```\ngcloud container clusters get-credentials [CLUSTER-NAME]\n```\n\n- Create a `cluster-admin` role binding so you can deploy Istio and Gatekeeper (later)\n\n```\nkubectl create clusterrolebinding cluster-admin-binding \\\n  --clusterrole=cluster-admin \\\n  --user=$(gcloud config get-value core/account)\n```\n\n- Download and unpack a recent version of Istio (e.g. 
`1.3.3`)\n\n```\ncurl -L https://git.io/getLatestIstio | ISTIO_VERSION=1.3.3 sh -\ncd istio-$ISTIO_VERSION\n```\n\n- Create the `istio-system` Namespace\n\n```\nkubectl create ns istio-system\n```\n\n- Use `helm` to install the Istio CRDs\n\n```\nhelm template install/kubernetes/helm/istio-init \\\n  --name istio-init \\\n  --namespace istio-system | kubectl apply -f -\n```\n\n- Use `helm` to install the Istio control plane\n\n```\nhelm template install/kubernetes/helm/istio \\\n  --name istio \\\n  --namespace istio-system \\\n  --set kiali.enabled=true \\\n  --set grafana.enabled=true \\\n  --set tracing.enabled=true | kubectl apply -f -\n```\n\n## Install and configure Gatekeeper\n\nRefer to the [OPA Gatekeeper](http://github.com/open-policy-agent/gatekeeper) repo for docs and additional background on `Constraint` and `ConstraintTemplate` objects.\n\n- Install the `gatekeeper` controller\n\n```\nkubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml\n```\n\n- Configure Gatekeeper to sync selected objects into its cache\n  - Required for `Constraints` that use `namespaceSelector` to match against\n  - Required for multi-object policies that evaluate existing cluster- or namespace-scoped objects\n  - Required for auditing existing resources\n\n```\nkubectl apply -f gatekeeper-config.yaml\n```\n\n## Enforcing structural policies\n\nThis repo contains 5 example policies in [`templates`](/templates) and [`constraints`](/constraints):\n\n### Auditing services for not using correct port-naming convention\n\nChecks `Service` objects in `Namespaces` labeled with `istio-injection: enabled`, and throws a violation if ports aren't named using [Istio conventions](https://istio.io/docs/setup/additional-setup/requirements/).\n\nUpload the `ConstraintTemplate` and `Constraint`:\n\n```\nkubectl apply -f templates/port-name-template.yaml\nkubectl apply -f constraints/port-name-constraint.yaml\n```\n\nTest the `Constraint` with the 
sample object:\n\n```\nkubectl apply -f sample-objects/bad-port-name.yaml\n```\n\nThis `Constraint` sets `enforcementAction: dryrun`, so the object should be admitted to the cluster and appear as an audit violation in the `status` field:\n\n```\nkubectl get allowedserviceportname.constraints.gatekeeper.sh port-name-constraint -o yaml\n```\n\n### Preventing VirtualService hostname matching collisions\n\nChecks incoming `VirtualService` objects and compares them against existing `VirtualService` objects, and throws a violation if there are hostname/URI match collisions.\n\nUpload the `ConstraintTemplate` and `Constraint`:\n\n```\nkubectl apply -f templates/vs-same-host-template.yaml\nkubectl apply -f constraints/vs-same-host-constraint.yaml\n```\n\nTest the `Constraint` with the sample object:\n\n```\nkubectl apply -f sample-objects/bad-vs-host.yaml\n```\n\nThis `Constraint` sets `enforcementAction: dryrun`, so the object should be admitted to the cluster and appear as an audit violation in the `status` field:\n\n```\nkubectl get uniquevservicehostname.constraints.gatekeeper.sh unique-vs-host-constraint -o yaml\n```\n\n### Preventing mismatched mTLS authentication settings\n\nChecks incoming `DestinationRule` objects and compares their mTLS settings against `Policy` object mTLS settings, and throws a violation if they don't match.\n\nUpload the `ConstraintTemplate` and `Constraint`:\n\n```\nkubectl apply -f templates/mismatched-mtls-template.yaml\nkubectl apply -f constraints/mismatched-mtls-constraint.yaml\n```\n\nTest the `Constraint` with the sample objects:\n\n```\nkubectl apply -f sample-objects/mismatched-policy.yaml\nkubectl apply -f sample-objects/mismatched-dr.yaml\n```\n\nThis `Constraint` sets `enforcementAction: dryrun`, so the object should be admitted to the cluster and appear as an audit violation in the `status` field:\n\n```\nkubectl get mismatchedmtls.constraints.gatekeeper.sh mismatched-mtls-constraint -o yaml\n```\n\n### Requiring services to disable 
unauthenticated access\n\nChecks `ServiceRoleBinding` objects and throws a violation if they are set to allow unauthenticated access.\n\nUpload the `ConstraintTemplate` and `Constraint`:\n\n```\nkubectl apply -f templates/source-all-template.yaml\nkubectl apply -f constraints/source-all-constraint.yaml\n```\n\nTest the `Constraint` with the sample object:\n\n```\nkubectl apply -f sample-objects/bad-role-binding.yaml\n```\n\nThis `Constraint` sets `enforcementAction: deny`, so the object should not be admitted to the cluster and an error message should be returned.\n\n### Preventing services from disabling mTLS\n\nChecks `Policy` objects and throws a violation if they attempt to disable mTLS for a specific service.\n\nApply a bad `Policy` sample object:\n\n```\nkubectl apply -f sample-objects/bad-policy-1.yaml\n```\n\nUpload the `ConstraintTemplate` and `Constraint`:\n\n```\nkubectl apply -f templates/policy-strict-template.yaml\nkubectl apply -f constraints/policy-strict-constraint.yaml\n```\n\nTest the `Constraint` with another sample object:\n\n```\nkubectl apply -f sample-objects/bad-policy-2.yaml\n```\n\nThis `Constraint` sets `enforcementAction: deny`, so `bad-policy-2.yaml` should not be admitted to the cluster and an error message should be returned. And because a pre-existing object now violates the `Constraint`, you can check the `status` field to see that violation:\n\n```\nkubectl get policystrictonly.constraints.gatekeeper.sh policy-strict-only -o yaml\n```\n\n## Cleanup\n\n```\ngcloud container clusters delete [CLUSTER-NAME]\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcrcsmnky%2Fgatekeeper-istio","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcrcsmnky%2Fgatekeeper-istio","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcrcsmnky%2Fgatekeeper-istio/lists"}