KubeZero/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml

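{{- if and .Values.keycloak.enabled .Values.keycloak.istio.admin.enabled }}
# Gateway-level DENY policy for the Keycloak admin host
# (.Values.keycloak.istio.admin.url). It is attached to the shared
# istio-ingressgateway in istio-system, i.e. it is enforced at the edge,
# before any workload-level policy. Two things are denied:
#   1. the Keycloak metrics endpoints, for every client, and
#   2. (only when .Values.keycloak.istio.admin.ipBlocks is set) any request
#      whose source IP is outside that allow-list.
# If ipBlocks is left empty the admin host stays reachable from anywhere
# and only the metrics paths are blocked.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ .Release.Name }}-keycloak-admin-deny-not-in-ipblocks
  namespace: istio-system
  labels:
    {{- include "kubezero-lib.labels" $ | nindent 4 }}
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  # 1. Block access to the metrics endpoints via the ingress.
  - to:
    - operation:
        hosts: ["{{ .Values.keycloak.istio.admin.url }}"]
        # Istio string matching only understands a leading or trailing "*"
        # (or the bare "*" presence match); a "*" in the middle of a path is
        # taken literally and matches nothing. The per-realm endpoint
        # therefore uses the path-template form "{*}" (exactly one path
        # segment, supported since Istio 1.18; older versions treat it as a
        # literal, which is no worse than the previous glob).
        # NOTE(review): these are exact matches - make sure the mesh's
        # pathNormalization (MERGE_SLASHES) is enabled so variants such as
        # "//metrics" cannot bypass the rule.
        paths: ["/metrics", "/realms/{*}/metrics"]
    when:
    # Presence match: the rule applies only to TLS connections carrying an
    # SNI. NOTE(review): plaintext requests for this host (e.g. port 80) are
    # not covered by this DENY - confirm the gateway only redirects them.
    - key: connection.sni
      values:
      - '*'
  {{- if .Values.keycloak.istio.admin.ipBlocks }}
  # 2. Block every source that is not in the admin IP allow-list.
  - from:
    - source:
        # notIpBlocks is evaluated against the IP of the direct TCP peer.
        # NOTE(review): if the gateway sits behind a proxy / load balancer
        # that SNATs client traffic, that peer IP is the LB, not the client.
        # In that topology use notRemoteIpBlocks together with the gateway
        # topology settings (numTrustedProxies / PROXY protocol) instead.
        notIpBlocks:
        {{- toYaml .Values.keycloak.istio.admin.ipBlocks | nindent 8 }}
    to:
    - operation:
        hosts: ["{{ .Values.keycloak.istio.admin.url }}"]
    when:
    - key: connection.sni
      values:
      - '*'
  {{- end }}
{{- end }}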