From 9d31039c9a6427a800042c6ff79b47207ac68498 Mon Sep 17 00:00:00 2001
From: Mansur Uralov
Date: Thu, 26 Sep 2024 18:50:31 +0200
Subject: [PATCH] Add rbac rule for PeerAuthentication

PeerAuthentication enforces mTLS for NATS pods
---
 config/rbac/role.yaml | 21 +++++++++++++++++++++
 internal/controller/nats/controller.go | 2 ++
 .../nats/templates/destination-rule.yaml | 4 ++--
 3 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index f7e2b911..d98312e0 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -119,6 +119,13 @@ rules: verbs: - list - watch +- apiGroups: - security.istio.io resources: - peerauthentications verbs: - list - watch - apiGroups: - networking.istio.io resourceNames:
@@ -133,6 +140,20 @@ rules: - patch - update - watch +- apiGroups: - security.istio.io resourceNames: - eventing-nats resources: - peerauthentications verbs: - create - delete - get - list - patch - update - watch - apiGroups: - operator.kyma-project.io resources:
diff --git a/internal/controller/nats/controller.go b/internal/controller/nats/controller.go
index c0c034d7..e9e63305 100644
--- a/internal/controller/nats/controller.go
+++ b/internal/controller/nats/controller.go
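Review bot: In the new `peerauthentications` rule (second hunk of `config/rbac/role.yaml`), `resourceNames: [eventing-nats]` does not constrain the `create` verb — Kubernetes RBAC has no object name to match at create time, so this effectively grants creation of a PeerAuthentication with any name in every namespace the role is bound to. The file already uses this pattern for `destinationrules` and `statefulsets`, but a PeerAuthentication is higher-impact: one created in the Istio root namespace changes mesh-wide mTLS policy, so how much this matters depends on whether this is a ClusterRole bound cluster-wide, which is outside the hunk. Since the rule appears to be generated from the matching kubebuilder marker in `controller.go`, the caveat belongs beside that marker rather than in this file, e.g. `// NOTE: resourceNames cannot restrict create; the operator may create PeerAuthentications with any name in bound namespaces.`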
@@ -108,6 +108,7 @@ func NewReconciler(
 //+kubebuilder:rbac:groups="",resourceNames=eventing-nats-config,resources=configmaps,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups="apps",resourceNames=eventing-nats,resources=statefulsets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups="networking.istio.io",resourceNames=eventing-nats,resources=destinationrules,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="security.istio.io",resourceNames=eventing-nats,resources=peerauthentications,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups="policy",resourceNames=eventing-nats,resources=poddisruptionbudgets,verbs=get;list;watch;update;patch;create;delete
 // RBAC permissions by resource
@@ -120,6 +121,7 @@ func NewReconciler(
 //+kubebuilder:rbac:groups="",resources=nodes,verbs=list;watch;get
 //+kubebuilder:rbac:groups="apps",resources=statefulsets,verbs=list;watch
 //+kubebuilder:rbac:groups="networking.istio.io",resources=destinationrules,verbs=list;watch
+//+kubebuilder:rbac:groups="security.istio.io",resources=peerauthentications,verbs=list;watch
 //+kubebuilder:rbac:groups="policy",resources=poddisruptionbudgets,verbs=list;watch
 //nolint:lll
diff --git a/resources/nats/templates/destination-rule.yaml b/resources/nats/templates/destination-rule.yaml
index a493266d..1e7b4f2f 100644
--- a/resources/nats/templates/destination-rule.yaml
+++ b/resources/nats/templates/destination-rule.yaml
@@ -14,5 +14,5 @@ spec:
 host: {{ include "nats.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
 trafficPolicy:
 tls:
- mode: ISTIO_MUTUAL
-{{- end }}
+ mode: DISABLE
+{{- end }}
\ No newline at end of file
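Review bot: The `mode: DISABLE` line in the `destination-rule.yaml` hunk turns off sidecar-originated mTLS for every caller of the NATS service, and nothing in this patch puts a replacement in place — the diffstat shows only RBAC and kubebuilder markers for PeerAuthentication, no PeerAuthentication manifest — so the mTLS the commit message describes is not established by this change. If a STRICT PeerAuthentication for `eventing-nats` is applied elsewhere, plaintext connections originated under `DISABLE` would be expected to be rejected by the NATS sidecar; if none is applied, eventing traffic to NATS runs unencrypted inside the mesh. Please either include the PeerAuthentication in this commit or record the intended pairing in a comment above `tls:`, e.g. `# DISABLE is intentional: mTLS for NATS is enforced by the eventing-nats PeerAuthentication`, but only once that resource actually exists. The hunk also drops the file's trailing newline (`\ No newline at end of file`); restore it so the template still ends with `{{- end }}` followed by a newline.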