2020-08-06 11:34:32 +00:00
|
|
|
{{- if .Values.grafana.istio.enabled }}
|
|
|
|
|
{{- if .Values.grafana.istio.ipBlocks }}
|
|
|
|
|
apiVersion: security.istio.io/v1beta1
|
|
|
|
|
kind: AuthorizationPolicy
|
|
|
|
|
metadata:
|
|
|
|
|
name: grafana-deny-not-in-ipblocks
|
|
|
|
|
namespace: istio-system
|
2020-08-06 17:15:20 +00:00
|
|
|
labels:
|
|
|
|
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
2020-08-06 11:34:32 +00:00
|
|
|
spec:
|
|
|
|
|
selector:
|
|
|
|
|
matchLabels:
|
|
|
|
|
app: istio-ingressgateway
|
|
|
|
|
action: DENY
|
|
|
|
|
rules:
|
|
|
|
|
- from:
|
|
|
|
|
- source:
|
|
|
|
|
notIpBlocks:
|
|
|
|
|
{{- with .Values.grafana.istio.ipBlocks }}
|
|
|
|
|
{{- . | toYaml | nindent 8 }}
|
|
|
|
|
{{- end }}
|
|
|
|
|
to:
|
|
|
|
|
- operation:
|
|
|
|
|
hosts: ["{{ .Values.grafana.istio.url }}"]
|
|
|
|
|
{{- end }}
|
|
|
|
|
{{- end }}
|
|
|
|
|
{{- if .Values.prometheus.istio.enabled }}
|
|
|
|
|
{{- if .Values.prometheus.istio.ipBlocks }}
|
2020-10-05 11:31:00 +00:00
|
|
|
---
|
2020-08-06 11:34:32 +00:00
|
|
|
apiVersion: security.istio.io/v1beta1
|
|
|
|
|
kind: AuthorizationPolicy
|
|
|
|
|
metadata:
|
|
|
|
|
name: prometheus-deny-not-in-ipblocks
|
|
|
|
|
namespace: istio-system
|
2020-08-06 17:15:20 +00:00
|
|
|
labels:
|
|
|
|
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
2020-08-06 11:34:32 +00:00
|
|
|
spec:
|
|
|
|
|
selector:
|
|
|
|
|
matchLabels:
|
|
|
|
|
app: istio-ingressgateway
|
|
|
|
|
action: DENY
|
|
|
|
|
rules:
|
|
|
|
|
- from:
|
|
|
|
|
- source:
|
|
|
|
|
notIpBlocks:
|
|
|
|
|
{{- with .Values.prometheus.istio.ipBlocks }}
|
|
|
|
|
{{- . | toYaml | nindent 8 }}
|
|
|
|
|
{{- end }}
|
|
|
|
|
to:
|
|
|
|
|
- operation:
|
|
|
|
|
hosts: ["{{ .Values.prometheus.istio.url }}"]
|
|
|
|
|
{{- end }}
|
|
|
|
|
{{- end }}
|
