auth-policies

tunacinsoy · Sep 9, 2024 · 2ea43da · 2ea43da
1 parent 9b288fe
commit 2ea43da
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 30 deletions.
diff --git a/manifests/blog-app/authorization-policies.yaml b/manifests/blog-app/authorization-policies.yaml
@@ -12,9 +12,7 @@ spec:
   rules:
   - from:
     - source:
-        matchLabels:
-          app: frontend
-        # principals: ["cluster.local/ns/blog-app/sa/frontend"]
+      principals: ["cluster.local/ns/blog-app/sa/frontend"]
 ---
 apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
@@ -30,9 +28,7 @@ spec:
   rules:
   - from:
     - source:
-        matchLabels:
-          app: frontend
-        # principals: ["cluster.local/ns/blog-app/sa/frontend"]
+      principals: ["cluster.local/ns/blog-app/sa/frontend"]
 ---
 apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
@@ -47,9 +43,7 @@ spec:
   rules:
   - from:
     - source:
-        matchLabels:
-          app: frontend
-        # principals: ["cluster.local/ns/blog-app/sa/frontend"]
+      principals: ["cluster.local/ns/blog-app/sa/frontend"]
 ---
 apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
@@ -64,9 +58,7 @@ spec:
   rules:
   - from:
     - source:
-        matchLabels:
-          app: reviews
-        # principals: ["cluster.local/ns/blog-app/sa/reviews"]
+      principals: ["cluster.local/ns/blog-app/sa/reviews"]
 ---
 apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
@@ -81,15 +73,4 @@ spec:
   rules:
   - from:
     - source:
-        matchLabels:
-          app: posts
-    - source:
-        matchLabels:
-          app: reviews
-    - source:
-        matchLabels:
-          app: ratings
-    - source:
-        matchLabels:
-          app: users
-        # principals: ["cluster.local/ns/blog-app/sa/posts", "cluster.local/ns/blog-app/sa/reviews", "cluster.local/ns/blog-app/sa/ratings", "cluster.local/ns/blog-app/sa/users"]
+      principals: ["cluster.local/ns/blog-app/sa/posts", "cluster.local/ns/blog-app/sa/reviews", "cluster.local/ns/blog-app/sa/ratings", "cluster.local/ns/blog-app/sa/users"]
diff --git a/manifests/blog-app/blog-app.yaml b/manifests/blog-app/blog-app.yaml
@@ -1,3 +1,17 @@
+# This document is responsible with the whole deployment of blog-app application.
+# it also includes serviceAccount resource that are associated with the respective pods, to use them later during ./authorization-policies.yaml definition.
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: blog-app
+  labels:
+    istio-injection: enabled
+--- # Acts as a document seperator, kubernetes applies the manifest file that is before this line (for instance -> we want to create namespace resource first)
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mongodb
+  namespace: blog-app
 ---
 apiVersion: apps/v1
 kind: StatefulSet
@@ -15,6 +29,7 @@ spec:
       labels:
         app: mongodb
     spec:
+      serviceAccountName: mongodb
       containers:
         - name: mongodb
           image: docker.io/library/mongo@sha256:e64f27edef80b41715e5830312da25ea5e6874a2b62ed1adb3e8f74bde7475a6
@@ -55,6 +70,13 @@ spec:
       port: 27017
       targetPort: 27017
 ---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: posts
+  namespace: blog-app
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -70,6 +92,7 @@ spec:
       labels:
         app: posts
     spec:
+      serviceAccountName: posts
       containers:
         - name: posts
           image: docker.io/tunacinsoy/sba-posts@sha256:54245463f0b41501c871c0cba14029583d6c5fd0bc8e202fa5201db6ab52d46d
@@ -101,6 +124,12 @@ spec:
       port: 5000
       targetPort: 5000
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: reviews
+  namespace: blog-app
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -116,6 +145,7 @@ spec:
       labels:
         app: reviews
     spec:
+      serviceAccountName: reviews
       containers:
         - name: reviews
           image: docker.io/tunacinsoy/sba-reviews@sha256:66d7f398d5b2f5a28e68776adb26fe6931eb9099ab8195e2cb36e9e0ae8620b5
@@ -147,6 +177,12 @@ spec:
       port: 5000
       targetPort: 5000
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ratings
+  namespace: blog-app
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -162,6 +198,7 @@ spec:
       labels:
         app: ratings
     spec:
+      serviceAccountName: ratings
       containers:
         - name: ratings
           image: docker.io/tunacinsoy/sba-ratings@sha256:c20883b45f92194a14ab093ca1c10d019b93a8458cead1a0645a2b762885627e
@@ -193,6 +230,12 @@ spec:
       port: 5000
       targetPort: 5000
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: users
+  namespace: blog-app
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -208,6 +251,7 @@ spec:
       labels:
         app: users
     spec:
+      serviceAccountName: users
       containers:
         - name: users
           image: docker.io/tunacinsoy/sba-users@sha256:106c04abd8bfe3ff1f5c57031b67f4beee8d159ae4d51a0ccca1470f383e064a
@@ -239,6 +283,13 @@ spec:
       port: 5000
       targetPort: 5000
 ---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: frontend
+  namespace: blog-app
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -254,6 +305,7 @@ spec:
       labels:
         app: frontend
     spec:
+      serviceAccountName: frontend
       containers:
         - name: frontend
           image: docker.io/tunacinsoy/sba-frontend@sha256:2b3e487a38e77bc20c370468592c03d8b6eb080d0f315b1e04a7a0a57091f292

diff --git a/manifests/blog-app/namespace.yaml b/manifests/blog-app/namespace.yaml