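{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled }}
# Gateway-level DENY policy for the Keycloak ingress host.
#
# Rule 1 hides the Keycloak metrics endpoint from the public Ingress.
# Rule 2 (rendered only when .Values.keycloak.istio.ipBlocks is set) rejects
# every request to the Keycloak host whose connection peer is not in the
# allow-list. Both rules are attached to the shared istio-ingressgateway
# workload, so they apply before any VirtualService routing for this host.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ .Release.Name }}-keycloak-deny-not-in-ipblocks
  namespace: istio-system
  labels:
    {{- include "kubezero-lib.labels" $ | nindent 4 }}
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  # Block access to metrics via Ingress.
  # Istio matches `paths` exactly unless the value is a prefix ("abc*") or
  # suffix ("*abc") pattern. An exact "/auth/realms/master/metrics" therefore
  # only hides the master realm's endpoint and still lets the same endpoint
  # under any other realm (or a trailing-slash variant) through. The suffix
  # match covers every realm; the trailing-slash form is listed separately
  # because "*/metrics" does not match it.
  - to:
    - operation:
        hosts: ["{{ .Values.keycloak.istio.url }}"]
        paths: ["*/metrics", "*/metrics/"]
    when:
    # Presence match: only TLS connections that carry an SNI hit this rule.
    # NOTE(review): a cleartext HTTP request on the gateway would bypass it —
    # confirm this host is served over HTTPS only (or redirected) at the gateway.
    - key: connection.sni
      values:
      - '*'
  {{- if .Values.keycloak.istio.ipBlocks }}
  # Deny everything from connection peers outside ipBlocks.
  # NOTE(review): notIpBlocks compares the immediate TCP peer address, not a
  # forwarded client address. If the gateway sits behind a load balancer that
  # does not preserve the client IP (no PROXY protocol, externalTrafficPolicy:
  # Cluster), the peer is the LB/node address and this rule blocks either
  # everyone or nobody. In that topology use notRemoteIpBlocks together with a
  # trusted-proxy gateway configuration (numTrustedProxies / X-Forwarded-For).
  # Confirm against the cluster's ingress setup before relying on this rule.
  - from:
    - source:
        notIpBlocks:
        {{- toYaml .Values.keycloak.istio.ipBlocks | nindent 8 }}
    to:
    - operation:
        hosts: ["{{ .Values.keycloak.istio.url }}"]
    when:
    - key: connection.sni
      values:
      - '*'
  {{- end }}
{{- end }}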