From b6775e1ef5c2dadc4963a534c50067f9af2aa87b Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Wed, 29 Jul 2020 18:02:18 +0100
Subject: [PATCH] Convert argo-cd ACL to DENY policy

---
 charts/kubezero-argo-cd/Chart.yaml | 2 +-
 .../templates/istio-authorization-policy.yaml | 11 +++++------
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/charts/kubezero-argo-cd/Chart.yaml b/charts/kubezero-argo-cd/Chart.yaml
index cb873096..4d5129a2 100644
--- a/charts/kubezero-argo-cd/Chart.yaml
+++ b/charts/kubezero-argo-cd/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
 name: kubezero-argo-cd
-version: 0.3.5
+version: 0.3.6
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
diff --git a/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml b/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml
index e0a21d4f..e9522f16 100644
--- a/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml
+++ b/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml
@@ -1,25 +1,24 @@
 {{- if index .Values "argo-cd" "istio" "enabled" }}
+{{- if index .Values "argo-cd" "istio" "ipBlocks" }}
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
-  name: argocd-allow-only
+  name: argocd-deny-not-in-ipblocks
   namespace: istio-system
 spec:
   selector:
     matchLabels:
       app: istio-ingressgateway
+  action: DENY
   rules:
-  {{- if index .Values "argo-cd" "istio" "ipBlocks" }}
   - from:
     - source:
-        ipBlocks:
+        notIpBlocks:
         {{- with index .Values "argo-cd" "istio" "ipBlocks" }}
         {{- . | toYaml | nindent 8 }}
         {{- end }}
     to:
     - operation:
         hosts: ["{{ index .Values "argo-cd" "server" "config" "url" }}"]
-  {{- else }}
-  - {}
-  {{- end }}
+{{- end }}
 {{- end }}
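Review bot: Switching this policy to `action: DENY` with `notIpBlocks` flips its failure mode: under the old ALLOW rule a request whose source IP or host did not match was rejected, whereas now any request that fails to match both conditions is admitted, so a mismatch silently exposes the ArgoCD server instead of locking it. Two mismatches look plausible from the visible lines: `ipBlocks`/`notIpBlocks` evaluate the immediate peer address, which is the load balancer's IP rather than the client's when the ingress gateway sits behind an LB without proxy protocol or `externalTrafficPolicy: Local`, and the `hosts` entry is taken from `server.config.url`, which will never equal the request `:authority` if that value carries a scheme or a port. I would verify the rendered policy against a request from outside the allow list and document the semantics above `rules:`, e.g. `# DENY policies fail open: if neither the source IP nor the host matches (LB source address, url with scheme), all clients are admitted.` If client addresses arrive via X-Forwarded-For or proxy protocol, `notRemoteIpBlocks` (where the installed Istio version supports it) is the matcher to use instead of `notIpBlocks`.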