From bbda69ca12d486610ff47e9dbc3165ec0f7f1ea8 Mon Sep 17 00:00:00 2001 
From: Julia A Date: Mon, 25 May 2026 10:14:14 +0400 Subject: [PATCH 1/8] feat(016-service-deny-all): Service Deny and allow traffic --- charts/base/Chart.lock | 6 +- charts/base/Chart.yaml | 6 +- charts/base/charts/zero-trust-mesh-0.1.3.tgz | Bin 5108 -> 0 bytes charts/base/charts/zero-trust-mesh-0.1.4.tgz | Bin 0 -> 9533 bytes charts/base/values.yaml | 16 +-- charts/zero-trust-mesh/Chart.yaml | 2 +- charts/zero-trust-mesh/README.md | 112 ++++++++++++++---- charts/zero-trust-mesh/templates/_helpers.tpl | 25 +++- .../templates/istio-allow-from.yaml | 58 +++++++++ .../templates/istio-authorizations.yaml | 21 +++- .../templates/istio-egress-gateway.yaml | 15 ++- .../templates/istio-service-deny-all.yaml | 15 +++ .../templates/istio-serviceentries.yaml | 17 ++- .../templates/networkpolicy-allow-from.yaml | 53 +++++++++ .../templates/networkpolicy-flows.yaml | 21 +++- .../templates/networkpolicy-host-egress.yaml | 60 ++++++++++ .../templates/networkpolicy-ip-egress.yaml | 19 ++- .../networkpolicy-service-deny-all.yaml | 18 +++ .../templates/networkpolicy-service-dns.yaml | 31 +++++ .../networkpolicy-service-egress.yaml | 48 ++++++++ .../networkpolicy-service-istiod.yaml | 39 ++++++ charts/zero-trust-mesh/values.yaml | 107 ++++++++++++++--- .../zero-trust-mesh/service-deny-all.yaml | 9 ++ examples/zero-trust-mesh/values.full.yaml | 60 +++++++--- .../checklists/requirements.md | 20 ++++ .../contracts/render-contract.md | 50 ++++++++ specs/016-service-deny-all/data-model.md | 39 ++++++ specs/016-service-deny-all/plan.md | 98 +++++++++++++++ specs/016-service-deny-all/quickstart.md | 46 +++++++ specs/016-service-deny-all/research.md | 34 ++++++ specs/016-service-deny-all/spec.md | 101 ++++++++++++++++ specs/016-service-deny-all/tasks.md | 107 +++++++++++++++++ 32 files changed, 1165 insertions(+), 88 deletions(-) delete mode 100644 charts/base/charts/zero-trust-mesh-0.1.3.tgz create mode 100644 charts/base/charts/zero-trust-mesh-0.1.4.tgz create mode 100644 
charts/zero-trust-mesh/templates/istio-allow-from.yaml create mode 100644 charts/zero-trust-mesh/templates/istio-service-deny-all.yaml create mode 100644 charts/zero-trust-mesh/templates/networkpolicy-allow-from.yaml create mode 100644 charts/zero-trust-mesh/templates/networkpolicy-host-egress.yaml create mode 100644 charts/zero-trust-mesh/templates/networkpolicy-service-deny-all.yaml create mode 100644 charts/zero-trust-mesh/templates/networkpolicy-service-dns.yaml create mode 100644 charts/zero-trust-mesh/templates/networkpolicy-service-egress.yaml create mode 100644 charts/zero-trust-mesh/templates/networkpolicy-service-istiod.yaml create mode 100644 examples/zero-trust-mesh/service-deny-all.yaml create mode 100644 specs/016-service-deny-all/checklists/requirements.md create mode 100644 specs/016-service-deny-all/contracts/render-contract.md create mode 100644 specs/016-service-deny-all/data-model.md create mode 100644 specs/016-service-deny-all/plan.md create mode 100644 specs/016-service-deny-all/quickstart.md create mode 100644 specs/016-service-deny-all/research.md create mode 100644 specs/016-service-deny-all/spec.md create mode 100644 specs/016-service-deny-all/tasks.md diff --git a/charts/base/Chart.lock b/charts/base/Chart.lock index 2eac893..bb9e6ab 100644 --- a/charts/base/Chart.lock +++ b/charts/base/Chart.lock @@ -4,6 +4,6 @@ dependencies: version: 0.1.3 - name: zero-trust-mesh repository: https://dasmeta.github.io/helm - version: 0.1.3 -digest: sha256:e7ff901ebce4f9fa8dbaea29f55b6504a4c102dfab5184ab65516eb11cbbfdbb -generated: "2026-05-12T18:41:21.80521+04:00" + version: 0.1.4 +digest: sha256:30c9d3bbf30655057ba330fc10b341a63636f4887de22569a71de6bba25ef21e +generated: "2026-05-21T11:13:58+04:00" diff --git a/charts/base/Chart.yaml b/charts/base/Chart.yaml index 2408a9c..1b0c48f 100644 --- a/charts/base/Chart.yaml +++ b/charts/base/Chart.yaml 
@@ -15,13 +15,13 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.3.30 +version: 0.3.32 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.3.30" +appVersion: "0.3.32" dependencies: - name: gateway-api @@ -30,7 +30,7 @@ dependencies: alias: gatewayApi condition: gatewayApi.enabled - name: zero-trust-mesh - version: 0.1.3 + version: 0.1.4 repository: "https://dasmeta.github.io/helm" alias: zeroTrustMesh condition: zeroTrustMesh.enabled 
diff --git a/charts/base/charts/zero-trust-mesh-0.1.3.tgz b/charts/base/charts/zero-trust-mesh-0.1.3.tgz deleted file mode 100644 index 8f5b13fe873d9bdc6501589fcda59e3856af36b7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5108 zcmVDc zVQyr3R8em|NM&qo0PH<$bKADE{mfsnLnkxRJtpY(Nj+@GPTL3{5{txRcLD5+3+yMH5szg#W!?hQdFN=3GUi{Q zMf}ZYE8T9ld$6}B{_l3X)&INwgM)8+`~7bBU@&+w7<|+1?ez~{d;{Ij2g34_Q--o{ zx(^lyQ?fG5T2{D~!QOd-l*En9llrIsOkqmy!&v2Gt zhAEt4c1g02BN9i`EBFVTP!gM<+oGJcP<3bl6pjhk(*F zF6vzrKz03|KXAS@)&4%Ey8kawoMZZV8NizT-#>WKukQc-L3g|VpQ7vl--0wnQ#^!k ziP+~T26BP3EDG_zAjC72$BY6aa{FgE#)#sw-S>{O1AOzx1cgKR7UhhpS=s(|KO7d)qsq7>i%F+1P<0v_gF`zgm zmlFbUM41n-3_KE2ustuv7dVzxAdL4?6CP$;Tqlhtt_a8Wkj{iW5)SwZ^Gm>Tp}L!dauQ%17pbvo2-QJVT6wUF{7(vbq^TQ%DEx~A-WM8Y@d49B$W z0(d7?s3g*d-NUYWu)u6iLOO)^?hnTkcNg5z+wsKxP}E0kE?#y}8g>4QKUZjrIpS|n z8u^rEQHuR3S?HDq{?nW?vXIl*Ni)L8l*Cjldp3`#=nBp=lBd3IJegyP0c98#I6KE7 zTt;kO(yGA*#gDUCmizq)*18#Ic#MlO8*^`>BkZ&zK$ux(MJrue;)e#J-^rO z`rS@{52h#q6jK6c7;=h3|L)UpGOA93$r98?*@(i+=`}eTeI^~KD*qW?q%mTcc7B`V zIK>(DS^7X#V2%7A?035r`G0V*zqghDPf@O~JNqh0pn;3*POm!{2219RKkS zr!ku1mvId4`~OAWr>^%;@54V_XvO3bXQe3crSW*m1-<`^R3v$SZxxenx54#XxB-^s z$rKI-;?HO?&S$ge5Am)T7$>3l+o{4g%j5VyFs50Quo<||srQ_^;J=e%Ujo~Tl4+cW z776_J=Kzpg z4fSYT*|I7R?aC#sJH7s)TW{P@anP^SQz)%OFERQ2NO4C4+k#l?^Z zuJak#lMGt;ccYp6^Q)2Du09+eP59ILC^Z~8o8B0iLdQETG*1H&dNJiV6q`zEFGnPq zMdxs%achOql$DU_eQ7Rs(RI0JdDp&HcCBqIp0w`<_=90Cs%wqcs3~A=cwymp2Y|xWBnoB)_!$erQ>)|3#EV#6vlolPvlq+;I2w3$6424EA2w`d`1dH#pepe@{`Q za2L*6gX75uOF3OM69%IeA}q_X>cz*>P14qV6{f#tuEL#CilX6nu#{mcIp`a#S+uq} z_tGw^48H6qL&-T_1|nye6`uA?GDr*Rl3iCYGUTaex39ykWmqv_RVpGclZylQADeu1U`S8C17Klyfg|9|f#~`N89J(eExz?9N zNr)2$2XcHgm0vbqzIpTZKMqLWob1sPPRycr;iD3?EuToEJW8ffib^=j`q$Tbo~Ch5 z8P5EeOi|oPXy-ZYP}DJ|tVFtb4sYQ1oG?W;UKlZ9BPq_r%-CQQ>sdLd%GO}{ttz0K zszK4RBwcT>+D#!58y@q)h5M`eQu@SJ3@lr1IPCRx(_i}amu9nn+OkgmEB@q#IJvs- zSD`iXzt`;zD)PVkqTk!f|EDPTlK;;Vnwiz>A4@jZ9pty0(ucIPOZELl46e0|_8KLm 
z@vVCH3MW^VOlwQa;t_>m>Am7sjJ3IHvT(gpB)DO0$iSKej2i^so))Tbz2%W#ds)Z- z<>x-{95H-}?kNG*`u}VEzt?}Uwf~-^+>ig`^Gja6;I?9o{2-Ue>Q;>glq;7Sy`l^+ zTv4ydgu>^SN+m9gph^c44z*NOKh$VZ6+uZ=UPxi29KO7D@tjMKL6DYHoI;9n-KdrtQtEckQyknVjeuEiiT7C->;vtM) zj>nVN@816W!|S`v&o5ENaulm&-Y`uW$r;{YcD#!S+54eBU-e~cOqzjw6XL246IS}~r{BzkSn_^MeK z6Jd@VV#=bV!2;)$9NJXzpHrV+Onu8K;MO=?ZAV$=v$e{b*ZLg@^ystpMM>Y#%Vt!x zJPd38{L-TQUS*yBmtvfWj{rDfDj4_9O5j@izu&9qfBivs8~^R6U;B-gf{NT6juLWjuLzay0qNbFpo?Z&}CxmHnjRb|1z5 zKj`*r_WxdY8~^_#<>|lwKB=|*Oo2Ee8KZolIHKC#l!~4Uhh1<}9X;m0o{0FaN~OKM zL9N!<3XMF870k)BUCW82E)O5SDLo>?n zS?Wtfj1fjn(Qy(jXgy1P9oMEp<;;+`st0D32~dr_Y#Bq}fCzSMYrxxW0jue*dG;G0 ziDFixn#Q&=S0%Q_j2WZ4iTW7b957a+bUC$KGCv}jAG)ALyYB#{DIY@pZk?~d=yB&h znn6MswC0HNnPX*@w&Vw#^X%;n+U-X`qK?o#eTK>-ah$NM(Q&8_2;IwN_z)LVOr#b* zgrAPbuYWuKpULsN)0b}?fDBU-=kndF)3F1^A&Ww1E+&{{A_hkhS-A$v^A{XK{;HT) z?K{xAzIv^rS-^57>I!;`t4bSq6@(~@(z^+=s*IW(*@4PSrIX#eZh*ot!<6D>g2)1} ztX!_%@|n%Kinw&YdF?)%BRU@ov(MUPin0A4i4t&kU8Datv>5qsN)m;ofpvz<_!_e} zy>O#c@k?XW8=!O4-#?)FLPy~Dy6w-sdH4#k;Ct{UF`SITAXJ`3YY=N2X%g19M>%~seDB8ULQ0&-<>Y8rjUS4xd zpt607GXssBVkwijv+%wU!n-cJlTviAWjlB0I9m_E*I1U@|BA24fXxTRfvxrb9_&^9 zzx%yy{MVBd$yZa$n`@n({VO_wlXR&EI7!X$ubThY5au5bsU^y-L&Xn^_3}_0e;NO8 zO2TpRIUcTW#S@OtMBY3grP@g%zVWGF$MVNkK>RJs#{B=jhkrIW|I_X7*W!PB{Vo50 zit+&dFPV+mQa$gpIBZT7XV5~i^ul)6b<~?3I{7n z!+D;f7$%fkIrFKAs!oQg6S*{~r|2*rr4rX6 zYG|OuN1_s-!>`l{zN!45#pLq79)NZ7zrTM_JO6dCJ^%G2f&k-@ma8niH4vhIGREE!|q|X-FU;t1C#?P{ny;^p^>=b{T?-e z^|`M2Sn1)85=$|t-uUrnPz`EJ=fQG*#f4kd6}HazaD5F;ORoZ>`EA<#oNj+@-(KVK z^kq}|AEip`zlRR6PX6!r`ql5h-Tv18f0A;4`EQ=0t{bY46#e~ZqI?@__pngAC)P4r zwtA#O_^PX8laRjl-DB=H(Nyj#V(;g>SQV`Y>MnJ0`MIqDOrtPcelGU9dYM;)fxa?U z4<0XGucCU?g6?YChJAr(^L@e1LAvl&gw0ju|GVRtuYNlA7vX0dW3~M6b@vad`CkSH z+xx$srtH*`FF8L&Nwh$5HQAFqyK3fqYRK|rWq0x&XJ-e->PW3PaT+_0SL8#05GPlK z0oGA@MJ^%)fh8dV$AjZP&{Smp;LJWHp_xcUrgdp01kN(fPD{I5fYf$8b;=bMlQ&~A zfCM|JpXd#$&>6KGZv5iaRfM;P)HRJ~h+-Q)k#a+4))DD8)SZeQamAs)Pi0wAR1hdJ zQl?>%M>j|YCnGrH44n$vPA&vRpF&;^NNMQY;(AFpx18b-*HqT9^I>V8HE^% 
z;B*dH5Cq)7a142@6sA=vd03WXEA>ne1dcPAM--+R=H`qsCY_QLhdK$$&?&F(7IUto zgc8YoMVyY+gz86?TQJ0Y)!G@$t~!Qwt#Z*qP_Ey$$*hSc#xV06Ns!dZTxc!Swv`#Y z+6FDl+)T5KBn&6v`t(LRJ5OV79xfYe8FRGaW7jis<-n>;InbCVXLXL8W!YkCT8r0s z50D)IA=b>!4oD*bLQJFc#Bl;eihye;2&hazBUE&;v)Meu*iPV7vIUt=Nx&H>DhALh zbey()p(i7NR>3EBH%PptnpY;m=wxNeq=rm6+@5P-b9QpBU~N*RKmo>Qpa~@i_-fF# z)Fd?5oE(jciuT3G4QT3(p;&Q&scNrQUH}~k#6mN>kW5}*q6@PqW;mlgBaw6`cBrzxl&VUp8?wCpP+ixT2hHO5hfXmy!d2p4??yPRlhrYSCX z4M|ldx$1849p_{QS0v9s-6{nk;bM<4n4=5KQ41Qb$qO{6;+uGv55)yy&=6~3-lZ3C zV8v(|MsabgRMFS+4kQl}t<}dOG6Ob8Om|TbfcIh9Yn8szlHV~>synLJ7A3_roQ|ZV zq`)#Xn?+MzKVogi`H6_Uq)I*2(;#=oB}9ufj;4`Ro(i|94==+Dl<*Bxuoo((iLxk; zi^ENY+M7d zjD5om1g;y%)=L!^-jV#1R`p9$^V;Rw+-|Wp)S}xJI@+#@mN=);Bn(S!mBS^JB?X$+ z6K;xquqz~i?Du4383i{Gy#HV~eE-4MDuS4B%|gv&kcyHJC>^WTM@=2L*(`;knC)|% za0!UR%`^j>7}u8a2e-@6Gp4=@+0r$@folRFK?^R{mQc|i-c$g}r%I?Auq@F9#GDDG z^+T}B|16Z$+CWM}xPg~Ta&mHPObO#jt5K~=F-}$2tqme%aMKX0g|8Spj50iBd`+4| znkqCOjw{0_(#8|U#2KPm?o0R`-(!t?BR`M&L*z46s;#x2*~AQ zUWN7U_=l76xG2L4~vPq;1H WvMqnV^8Wz<0RR7CQn?lYf&c(>g8#q( 
diff --git a/charts/base/charts/zero-trust-mesh-0.1.4.tgz b/charts/base/charts/zero-trust-mesh-0.1.4.tgz new file mode 100644 index 0000000000000000000000000000000000000000..c1dfb23735ca27bdcb334af0908d31983b1bc5df GIT binary patch literal 9533 zcmV-DCBoVtiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKBxciT47cmL+6n1^vU_HIaBtk|i#?Ky7ZZTvP(ePVa}>`C)h zGznSQP$Wx0c3eB({W-W2;6*pfvXclsr?E&}2A7%n%>V=bh4R#+`Gin!jL4|+yfv?RNR!c6V>@tIpGIyVu^^?R56PYIl0wz1~;QUL6U|X+mg_ zf7QNqTjkDuA}Pr5zfn$bn)KnK>jYV*f4UvN?K%-6VU9D(AH78J7(%v0V3_9c)8q{0 z38IL=YeX;8{QYqnJdr;T5BCMz4HFK064* zbdu0MxGp2`CxkK>1~Ear<_zVYDlADPJ{%^&S&Se};w!)jqzQtvfS?#BIu|Qh^xb## zpKlOJCwYj7s3hu()*OR&MXnd43lu|yk}EHWV;@dOm;fd~f+5N|eK-koG)4&xV#w1t zPA3%TC`cS*!pbee84805L4cXKjZsL6=n5Sn2q$@tl0pt=X+(VI5hvmxj{D9d06;eB z?2$ozmPWGPG_PMFeOV;PGXK3+4n9s>LeT%ym{684OQTo88H$N22&`zIEuVyr%rV@ybf;@BECtB@W%`>CioV?T?Ee+a_&mq8wRY_0-| z86%M_#*~jE@g30}o?Q;mw4$6MBxp+G2<0GD6C4~LDGE+gUIYL8UwJxitPjVSUIDqp zG#v37*?46+y1?m#fUHZi#u*v~7dXwIFtL&|Hjp`5q6-kjB!wI$5z0{nG|0~p^$3oT zn)wnO3iwJsn9xz0mEDi-$9!2iEfD&!CX}=K)2R!IgY$NrtmQnLdsTw(DNGh9}EX`>jp0(xAF`}b1V$0n9@$l4r zr*Z{!#2>c)E}zX9S)5RmCqe85@tG#zSAyW*$Is#U(Tg{bGM$v?=_ShH;MEU6CT9tv z{GDK-gWpd03%OWXbAU57%3_9&vLE6!e6Ksn=<4iu{oRh=_S>z_UVSh5O8GSjCUk@n zin(m*1I;JM>Km%<+F203SAyP}O+o0|=hLP~^_2Csxih1bP(GhQhJ8YFoFP9<$9lev zUWF4v(=o4?w6Z*URdAlCldNEX(-9&Ff*ipZ<>yQ`U^*&BVEb9S_44%e zm`NGv^>+D>lO5maY)-9?dXP-UXDB!3Pjd1@h#gv{m@ zD;+8aTyvC#ouDE*Jb?!|droEl4@KiF4k#k6KSn6dP)>ZB-O?2_ z!~fIU@9viTKYM$7osIuz9qIboW1<}=2;9Hu*k^Lh1@GfWhrP+sIr{JhWpNOqgE$8F z?f(zFzuMk6-n)OeupM(|-j=EXe6e}(Iv6AH|1BJetiE5Q64}`S*K^^9F|)e|>T6?vx*%JU?YmtF2V}$nf0Uol(Bf*9xN;9U&JX>w{t{sdb;H$q=8zjqcla zghN_Truoub?7ZrNXIa(0hD8?J@+Uis5xz2-w^cb+yIF)2-S|TJ8E)zafbn&SsQLSN zVxj5P_0|$V_JI03#bDTA-l*5?xO_Xu%n78WQJ-rvL;0nCN7MfVJIQ_sAfzeR*b3F_LNF1@T!-t_*#ciQrK*K~eMy2njXSzdOsbY(dg{G=)| zhE!GDJTg;q%ripMSZARzij5(ex4oojr&?qjB*8g~yt6A_P)nhcVgg4f9{Xg};(O{M zmjR+ae)Nhba$g>9AQ#91+<&;>{^6E8xe)$q#{ZZZl^(a8ykVY>m){efh5y@6pW67p 
z+wOIrZt(v)(%td?7GFT7QWOswmEo51a`nGs*fI1X;#dQa|yhg4-tYcf7qrUKHY{tbqKw}B(#Th66YBmq zrF#3{L5}{M;2cGIaNoYu3K0ym{p68fn%?Ju7Ii^=aC@^h#(Q)46BcgKRTA@_xidzwjVz_Bts#qUirS+-vHx)h9l(;79K~= z3s%!j;A#tQAi+t55(;~Qjvy2#=?-4K`sFtV#I~)d+2Aq1&S44LNlIZm&B2%caPYYY zd}l}04dB7`M_m^OPwIt9`;hyR>)Vj|fgdYSJ?5TXKC{IWv2!6k&cuGs3Axs*D2ykB zqTG+uFo;_TX?;yvBxvzvRAzws6?6lCPEv{r>XdA<9tab@G&n^TnwtGdGnDfcW|OWA z0ab}E4c10PskC;$9dfD4dWcbC<9+xPybnoPiwlS#kKwU7RnM7DuR0tms&X-xL#?ZT z87Dl-2drGhv$Aho_}U6HV_)<$-enpSr?8QAB+RQ5`BVf~IhL{P*BH5`T|G`C z)Q97PlatezZ+`jp$Cr!E&%bd_CqXQQP0cjr>4c&=X2-k0fi0D)^Hp80#-tgYuj{z1 zROjHAXH;AYUlZXzuvUgX5M5ewEa&#LZmG>iJ>Z`3v6xe2(^Wjz^vUVwK^o?g03Zo| zY0vnyS?3dBwj3csaZ=;oU?bVLN5%h|_~at=EtiX1(K8i}vYZpvDz9Jb3k=Ym&)U5X zeN8R%jiTkhnepd+1FBCf&BFf~Lb+!g5x{A(un{oR|5L&L-QD)){-?F1FVX)a;vave zFb={4=t7r)i z&`kMXIse^x+TQs8*ODI4`R~=7FJ7|?zsw)^Bi2`VX0@{Sz0nPybDC5B%Zs7z#Q(py zx7)6q|7&mj|7%Ih`u{f$^atxeU+8$=TD;|3lBDA_r+n4$OO2$zSvY!Jc-96t(=q(+ z%Tpd@U&_?$?N)M~n8ElHf^yxA&u?L>%uA75T&VTK)oWfo$3Lt&<1C#?aH-S$Dh0c1 zx?EAAdDp^L=8KLPEgaX~Q6Rbn+gq8hZx@gk7MK?gl=s1=xd6*IU~C&r-vGaIVn-9c zv%_h%HqHKEEfGX3qo#XXnyaF>#*7)Qx`{mM$D{J6aGM%-57Colgv{NK~VH?I#~Il!+rjVI#Wi`OR(s5|kLJ)$N!&G|WJImkMa zO>F=$3fU_)uX^u5+h_8%J}V5?R-(?JS-dXVss2x{%5b)rA}i~t)93beF^$^Eu3Z-h zqKIi%)TD?k0*lPW>Mfqxl1tqV%#@PQaJy$;4Olok&1<8Ympau`%W>e6&78` z%GcBHYASKBy11!UP&CSjg?0A@*WFdsofMjTrqo$n;H=%%(ro`rjuL?wx4H*pR{Y<7 zr&r$p>vlHZe^^VpL;r7*S$l-mRislw3&jmUW@w>!vbi_p%eprt$?o{l5c67(sh3E7 z>X(G%lemJrs&{&Dl~*2`a_6==Xf+nqv-VDHe4v5H-ajK28nZ4Xu7P7h)y#+w)O}ho zIxtJ4lRLfOL+H!XtE>nQl;O}06nAz*P2AwMbqAfg>DW9gWnlj1OrE+K-9Awj;wW!E zg>_vG%)2gKAtJ$+8dQ4}RjL`yqP_yxmF`KCOF-VHCRISOl6ieUp)2_KQOs|dAxcNv zq9tf6&v^NgK)*4-urhQ8poZcoEFby`^OQ(8;iHLoZ9u%r;Kh0I-)-UmXYT*+Rq)?t z|9?&C7D(;k9s)C=L-myr{#Q9Ja0|7yK&;>W9TYHyqqr+-s=i{s4#khnF@Vo9%`N|z zz5Hjk{O`8AmHR*U+xr{&zmBwCOZ`(-8Qdg!kyOtM-<`e?R#21>89?-a^~Iqg5LwoZ zeecLaFdVFEig;6o2@D(~oHqb0ekC}2f4J0b z1D`lNNi0w@BL;rWs6+|_)D+abfhJ2slkKKUF%&15pXMpulyOJ6WzOpXG=aq(0i3>U zK~z&qgn7<}AM_=`4O{vAQeUxwU+R2`j+*`Z 
zFJcFOo-2Nr-?@Jn5OVd~;#0nYR$gaI?S8Lj|9f)@%q`Nq_-~XFD(${i-~ZCulZR|a&eE)G&>_T~w@ zQ0U#DWBt(Bj6;#GR+@S`Qi{)31?lfB9<{XEv#|3a>bV@UQx34Ueg0poZM{PuLX=gm z5cHs^TP=|P;0g7R5ZEdkC;48<$64)bbgULRmtf#mgZlrT?d(|zNdO{!1x z;(weii~i^E|L#`K|F$>Ze_l_z)&B1WsXthxUcY_(KtOmS(B6dF-!9bt9)T)NRS172 zW^9g-{(DES^F?yafnKktgzm%2!n2wYV}0O0+*$B`8A;9rkxLkgivZ0H=3FSvi~nwO z5A3Y?uTEwEf495w|E?$9p(l4KRJj6Ah}&M~gkE4Ta^8=S(@0(+4Ar?3O2OWLTK2 zGD^rM;%k%Ekrvhe%WMM7^#AXdH>>tg5Z=eWvXb4+~AX;J*gqdcS4#{bvizs>hQ*ODHb z|L6X{MY@>7$bMD+{OBj`P7=Jn@hGiUpHKBDnL+=z58jgXMWr|VVIMLar*yhH?mTT< zhhuI3QC;rtLb-bj<=&q=xBX%Bjn}I=mG%Fd!-E$;ANu2Hg>6jN|J`=49RJnX-Rtab z^#3~2BPgu^$N3p2cpSv=62)T(M?p?unC2k9T@62J@df{YBd(i^8X!!^<4K}E6z@2X z9>IzH0xSRGbnG}DypRfz=~)$6+mZ(M1rA_fX|I9f!QqD>q)ZAjV>U}8VMGG65(%V9 ze8n^^oaM}@E$m}X(vIWFuUy0U^wkM(K#)DCe$jhSrq0M+^SM}-T^i3`5Qga_p>P%u zWYc$v=?Kz{6=S1%dU_0FL`P{vT3J9xg!fOxc1V>Yx~p`7#`r{hCm1~QUkoFLf7 z386t8Lz;vLGL#pCx#M(w)mPasottG;0APpF^$0pUHT64=05(Of-X)F@sL$ds!Ulr@ zvn?D0Ye>B0G~%Q_2Vaimnd`&bcdRnUIUQjFVUCzlW3)`dG((Z9ob(+}qeMRQ5?o1u zz}Cg<6FIH=k$owe$7iil&RBfqHUe`=sS!Hg~u52+-=T2aVb3&i6IZq&n zB0wK9HVRbID?i=}0Rfr^!yyg<6SxRs90e3b#;D7h`!LMYgrX#xHs~DAIua~1?0}|B zhr=P%RmL!mad<>GSX?E=(T)viIFzw-FfISAJ*!sriG$=ECm;ALV_j8W)-_xk0ADRy zmp4quS(>1P_909Ynx}D$@-qD(Ch6BCC?t^{!ZF-f}}Gw5h> z3Q!FJXF>R$t&-+hvvY_xt$8!56<^VUw{DPOpQ)P+`C&SC-_>Ww8PDALrt7!;uHR|% zj3q2vd>+cggf=4NV&c&w5cU{Eh~V?YaRzc}4;Z%us?&wwkjzIeF%3t3rq~9O0|v0I zH%V%0y1EvG@~qLFwj^W#11D$c zB#D5b5GAM_uUsJ)!;C0l+6;@3K}%3VgDbXH5{x3p8CcSeuNbC*vm6ako}-A5 znSup8upqrmPy}aJJYP7;bEd#$Uwy~Ta0+4^5WX(8bhOr`s8+vwVl7LK5_1%zfFKhtG_G<{8v}8xSnzBl zETLD^*7KtmZ_J@*i!DhL4kVS2h)lu}80%bWF{i9HpENpalaZl zH$VtvOr=m&yTvNV=9DK;KqW$P5(tSfA;{pLK(Z=Axnr`952qspX&j;4WTN-ziZPNP zO0kmNN=PBO_vGzlH$$Qn#G;bS3@OuQ=KUX6@eL>}=f>Lk*90*Du{ z6+wcx>qQV>!RIJpT+=v5OUNlnO-}3CjDaGZYl<9D%x?~_7DugGi4f#S*pm}dC>%M` zQpz!3)58HOCaEz(Nk;8S+Q?Hd^=ezQayx&XYCfV ziY3_S^>+Es6FnZHA53ANF^Q92;0Q&`q`eS;jZN8bLMJ(D*%le(>4Y-PJ|XA{oJ}Yn zj3lLil3|*MVmt=s=V1rJisOU8T35U)od8zW!f<7jKY>ezy(-2TCIud=z@uz(7UR%6 
zI&P8%tZ&?w=L?mUU?b~zaCB_W4$h{}jmfe{$J~>^wW9DPOrJDst+UxFmLS2&d5qxb z_@Y;Q!j=!R7&pP#gVt_$z}pjZRqo?JM#K%Q5$8ZONa{zPub@HsYqnwq1=<-gUD7(v zNxjyt)zwefn8`KB)D)+HrkNL`3lvwF(RUoCK1dd0suiDH;YzHs;U!NXizh^?>jcfEk$q#b-Fi^vXBIE3d}h3*pkhF@! zFT}27Cqq55T9hT^OS?xY{Lp9gNX{%`|T< zM?tJS4XUo@3WV<9rR5>DbO>}5P+f(Z4Gyl&)mN&^&{H%moOiO;ZIWs;=U8a-!j(f) zz;wrPer5ujC}*o)!$RU+0v=1B5KcgE^80WQT?7degh~Ml%SgZ*xzr~K$3ThAwS^Hj zV08|}r1G6aemr2{3s=@p=t@qw|gSkb7L&l8+dM8QhXf<&BvCtsq%#dtMqCEfWN823*b!_Y{uxfd8ouejdhgu_YE`% zBn?h(VBop~QM%DH$0`zklCr1Ow7H)!Q~HToS8~BV;eN^|=Fsr)wpt55H+I;ip&&>r z;YyRBCNBz?X-wiPK+7mdC)7r_4ec1*a|6F9?bVF$6cIvnYZ}b{yiVB~Dr>*lNY9#C zEp?mLNK|APTz`~>ORj_)I4*e+iBvp}R4@aZqVuaPn z5bZ$VLZo?$>WHcLV%z|~fV^-+D2XD+A-k_(4KzPeJP#+1Oai zyOt#eb8$uc2>3tJnp=CMZULJxea-0)H zg+E;@DP~eLpvZIo!rhW--V$DXV+)cMdd_|D%(PXdPXz!FEGtifr4j1Go5LTEPEOza z=Z{}rzxt24;mfzZ141Ta69y4sK5&3dgCt@W6bIQbm~t*_;D5G9g{tR&2_-FY{*Qkc zUe5Zm-~Rk+_W9rT-fk)WyR*OF+noPdOH#0@58Ns5g_B$#1CUzYdNuPrfDL`C#{w!F z#az%AEqH7NI@31a%Xy8f`8}xXPq(PExo2Ht1O2#mE4#MBdB`-fTifo^S=)!V?vID3 zYWF&zBmSuMclX`hi=BG@7s|;i#DGsm%eOJ}{)b+#%>TQ4oBJQuk{*+%1{eH7n*jehHTYC>*8WZpk`a`2KG~ zLZJ_sLdO9ZV&`Lp5O{0`*%^{jZN2hAEsG}aS^F`#3UQVWg#^OwT6F%lO&U$rS%h;m zSf?_KTIK$pHb54yv0JWEy9ej5QaY~vI1Piim5`QPTrCo`>PMrpr#|=C+soQ3F=*wY zs>k3~wyCrkP;KPh#}jsA2(kYP`F*Ss(t7te9#-E_X`{_eMb_q)IQ zo%T(T;oqer?sq>-$B%2(v{2HDKIzg4(}V^%Awa}tmh{!=-37g;px*G)JZA{rzEf&m z_A6O)zgX*VbE6D32{ndzqX9nKG*$jrE`4221SnfWTNB$}m@?(v{DsX}QG1O^ z+T6yH_G@9ZRaW}^rd!kL1+lR{ug$9hy_)OQHgAL@UZsk)4=04CV+gWLY@yWIz(oX9 zkm2Rq(DgL7WXAEoecKlyUhm%hed{r}_DV2v&NE72UU*!oOrJ`Vv8>i{mB!i*=c%lG z_{A-;F+4U8=uBT5lLURp`1#TJsyLcC<#3SeY%t#!k>Ff9WCXW+lyez*Mn z*G^}Dga6i&9yIJi49N@vL9~Pfd@e!)hQP6U& z_Nmn6%$<4xP`YpVS9+UWL0HdAH0{*WI0IN8owZUM!!POiK(ua8L%4fkpanN2LQoWsS@0#OTI=p`i zKw~n<94JaOFK_R;4Wz1kre;dzD*(GwFpOyR?f{HY|4j5UyaIyl>4)j~foiyV`9I45U#yK;^1oY-|LS)3 zyPNp0wWJ!hxs~{DybgNxa(}T4rk7F&^>-StToE*1u>4R6nj+U4?`AFpytZAJyPx^K bd1R9|X_GeTb4>pi00960H#3sJ04@OlCok8B literal 0 HcmV?d00001 
diff --git a/charts/base/values.yaml b/charts/base/values.yaml index 0bfc573..efebdec 100644 --- a/charts/base/values.yaml +++ b/charts/base/values.yaml @@ -1026,21 +1026,21 @@ gatewayApi: # - providers: # - name: envoy -# zero-trust-mesh subchart (zero-trust-mesh-0.1.3). Disabled by default; enable per release. +# zero-trust-mesh subchart (zero-trust-mesh-0.1.4). Disabled by default; enable per release. # Values under this key are passed to the subchart. zeroTrustMesh: enabled: false # Keep empty by default so enabling the subchart from base does not create - # sample service or external egress allow rules. - allowTo: [] + # sample ingress or egress allow rules. + allowPolicies: [] # enabled: true # namespaceResourcesEnabled: true - # allowTo: - # - service: backend + # allowPolicies: + # - type: egress + # service: backend # port: 8080 - # methods: ["GET", "POST"] - # paths: ["/*"] - # - hosts: + # - type: egress + # hosts: # - google.com # - www.google.com diff --git a/charts/zero-trust-mesh/Chart.yaml b/charts/zero-trust-mesh/Chart.yaml index 9385438..1b03dc5 100644 --- a/charts/zero-trust-mesh/Chart.yaml +++ b/charts/zero-trust-mesh/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: zero-trust-mesh -version: 0.1.3 +version: 0.1.4 description: Helm chart for Kubernetes NetworkPolicy + Istio zero-trust service communication appVersion: "1.0" type: application diff --git a/charts/zero-trust-mesh/README.md b/charts/zero-trust-mesh/README.md index e3ed108..e1a38df 100644 --- a/charts/zero-trust-mesh/README.md +++ b/charts/zero-trust-mesh/README.md @@ -25,7 +25,7 @@ Enable namespace-wide resources: ```yaml namespace: default namespaceResourcesEnabled: true -allowTo: [] +allowPolicies: [] ``` This creates namespace-scoped defaults: 
@@ -37,20 +37,36 @@ This creates namespace-scoped defaults: ### 2) Service rules -Enable only per-service allow entries (minimal values): +Enable per-service deny-all first, then add explicit allow entries as traffic is validated: ```yaml -workload: frontend +service: frontend namespaceResourcesEnabled: false -allowTo: - - service: backend - targetPodLabels: +denyAll: + enabled: true +allowPolicies: + - type: ingress + service: gateway + podLabels: + app: gateway + port: 80 + - type: ingress + service: ingress-nginx + namespace: ingress-nginx + podLabels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: controller + port: 80 + allowUnauthenticated: true + - type: egress + service: backend + podLabels: app: backend port: 8080 - methods: ["GET", "POST"] - paths: ["/api/*"] - - hosts: ["api.stripe.com"] - - ips: ["192.0.2.10"] + - type: egress + hosts: ["api.stripe.com"] + - type: egress + ips: ["192.0.2.10"] ports: - number: 443 protocol: TCP 
@@ -58,27 +74,64 @@ allowTo: ## Values design -`allowTo` is a single list with three entry types: +`denyAll` is a service-scoped deny-all switch: + +- `enabled` (optional, default `false`) +- `podLabels` (optional selector override; defaults to `app.kubernetes.io/name: `) + +When enabled, it renders: + +- a service-scoped NetworkPolicy with both `Ingress` and `Egress` policy types and no allow rules +- a service-scoped Istio AuthorizationPolicy default deny for inbound mesh traffic +- service-scoped DNS and `istiod` egress NetworkPolicy exceptions so injected + sidecars can keep receiving mesh configuration while application traffic stays denied + +`allowPolicies` is the preferred typed allow list owned by the current service. + +For `type: ingress` entries: + +- `service` (required source service name; `workload` is accepted as a legacy alias) +- `namespace` (optional source namespace, defaults to Helm release namespace) +- `podLabels` (optional source pod selector override; defaults to `app.kubernetes.io/name: `) +- `sourceIpBlocks` (optional source CIDR allow list for non-pod sources such as AWS ALB target-type `ip`) +- `serviceAccount` (optional source service account override; defaults to `service`) +- `port` / `protocol` (optional, defaults to `80` / `TCP`) +- `methods` / `paths` (optional Istio operation filters) +- `allowUnauthenticated` (optional, default `false`): omit the Istio source principal match for non-mesh sources such as `ingress-nginx`; keep `podLabels` set so NetworkPolicy still restricts packet sources + +For `type: egress` entries, service destinations use `service` as the peer +service name. The older `workload` key is still accepted. For service +destinations it renders service-scoped egress `NetworkPolicy` rules only; the +destination service must open inbound traffic with its own ingress allow policy +if it has `denyAll.enabled: true`. 
+ +`type: egress` supports three destination forms: - Service rule: - - `service` (required) + - `service` (required; `workload` is accepted as a legacy alias) - `namespace` (optional, defaults to Helm release namespace) - - `targetPodLabels` (optional target pod selector override for NetworkPolicy and AuthorizationPolicy; defaults to `app.kubernetes.io/name: `) + - `podLabels` (optional target pod selector override for generated egress `NetworkPolicy`; defaults to `app.kubernetes.io/name: `) - `port` (optional, default `8080`) - `protocol` (optional, default `TCP`) - - `serviceAccount` (optional target service account override) - - `methods` / `paths` (optional Istio operation filters) + - `serviceAccount` / `methods` / `paths` are only used by the legacy target-side ingress mode - Host rule: - `hosts` (list of approved external hosts) - `ports` (optional list; merged with defaults `80/HTTP` and `443/HTTPS`) - `paths` can be provided in values for future/egress-gateway routing use, but are not enforced by `ServiceEntry`-only mode + - renders Istio `ServiceEntry` resources and, when service deny-all is enabled, a service-scoped public-IP egress `NetworkPolicy` for the selected ports - IP rule: - `ips` (list of approved external destination IPs or CIDR blocks) - `ports` (optional list; defaults to `443/TCP`) - single IPv4 addresses are rendered as `/32` CIDRs for `NetworkPolicy` `ipBlock` - renders both an Istio `ServiceEntry` with `resolution: NONE` and a workload-scoped egress `NetworkPolicy` -Source service account defaults to `workload`, or can be set with top-level `serviceAccount`. +Source service account defaults to `service`, or can be set with top-level `serviceAccount`. + +The split `ingress` and `egress` lists, plus `allowFrom` and `allowTo`, remain +supported for backward compatibility. `workload` and `serviceDenyAll` are +accepted as deprecated aliases for `service` and `denyAll`. 
`allowpolices` is +accepted as a deprecated misspelled alias, but new values should use +`allowPolicies`. If your cluster does not have an `istio-egressgateway` Service name, set: - `istio.egressGateway.serviceName` to your real gateway Service 
@@ -91,16 +144,27 @@ Most security defaults are now implicit in templates. Advanced overrides can sti | Key | Description | Default / Example | |-----|-------------|-------------------| -| `workload` | Source workload name used for source pod selectors and default source service account | Helm release name | +| `service` | Current service name used for pod selectors and default source service account | Helm release name | +| `workload` | Deprecated alias for `service` | Helm release name | | `serviceAccount` | Source service account override | `""` | | `namespaceResourcesEnabled` | Enables namespace-wide default deny, DNS, egress gateway, mTLS, and default-deny AuthorizationPolicy resources | `false` | -| `allowTo` | Service, host, and IP allow rules | `[]` | -| `allowTo[].service` | Destination service rule name | `backend` | -| `allowTo[].targetPodLabels` | Optional target pod selector override for generated NetworkPolicy and AuthorizationPolicy resources | `{ app: backend }` | -| `allowTo[].serviceAccount` | Optional target service account override for AuthorizationPolicy naming | `allowTo[].service` | -| `allowTo[].methods` / `allowTo[].paths` | Optional Istio operation filters | `["GET"]`, `["/api/*"]` | -| `allowTo[].hosts` | Approved external hosts for ServiceEntry-based egress | `["api.stripe.com"]` | -| `allowTo[].ips` | Approved external destination IPs or CIDR blocks for direct IP egress | `["192.0.2.10"]` | +| `denyAll.enabled` | Enables service-scoped deny-all for both inbound and outbound traffic | `false` | +| `denyAll.podLabels` | Optional pod selector override for service-level deny-all resources | Not set; defaults to `app.kubernetes.io/name: ` | +| `serviceDenyAll` | Deprecated alias for `denyAll` | `{}` | +| `allowPolicies` | Preferred typed inbound/outbound allow rules owned by the current service | `[]` | +| `allowPolicies[].type` | Policy direction, either `ingress` or `egress` | `ingress` | +| `allowPolicies[].service` | Peer service name 
for ingress source or egress destination | `backend` | +| `allowPolicies[].workload` | Deprecated alias for `allowPolicies[].service` | `backend` | +| `allowPolicies[].podLabels` | Optional peer pod selector override for generated NetworkPolicy | `{ app: backend }` | +| `allowPolicies[].sourceIpBlocks` | Optional ingress CIDR allow list for non-pod sources such as AWS ALB target-type `ip` | `["172.31.0.0/16"]` | +| `allowPolicies[].serviceAccount` | Optional peer service account override for AuthorizationPolicy principals | `allowPolicies[].service` | +| `allowPolicies[].allowUnauthenticated` | Allow non-mesh inbound sources; NetworkPolicy should still restrict source pods or CIDRs | `false` | +| `allowPolicies[].hosts` | Approved external hosts for ServiceEntry-based egress | `["api.stripe.com"]` | +| `allowPolicies[].ips` | Approved external destination IPs or CIDR blocks for direct IP egress | `["192.0.2.10"]` | +| `allowPolicies[].targetPodLabels` / `sourcePodLabels` | Legacy selector aliases still accepted by split or typed entries | `{ app: backend }` | +| `allowpolices` | Deprecated misspelled alias for `allowPolicies` | `[]` | +| `allowFrom` / `allowTo` | Backward-compatible aliases for `ingress` / `egress` | `[]` | +| `legacyAllowToIngress.enabled` | Also render the previous target-side ingress policies from service egress entries | `false` | ## Install diff --git a/charts/zero-trust-mesh/templates/_helpers.tpl b/charts/zero-trust-mesh/templates/_helpers.tpl index 252f791..cf8b06e 100644 --- a/charts/zero-trust-mesh/templates/_helpers.tpl +++ b/charts/zero-trust-mesh/templates/_helpers.tpl @@ -37,7 +37,7 @@ TCP {{- define "ztm.workloadName" -}} {{- $svc := .Values.serviceConfig | default (dict) -}} -{{- .Values.workload | default ($svc.workload | default .Release.Name) -}} +{{- default (.Values.workload | default ($svc.workload | default ($svc.service | default .Release.Name))) .Values.service -}} {{- end -}} {{- define "ztm.workloadServiceAccount" -}} 
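Review bot: The precedence inside `ztm.workloadName` is inconsistent: at the top level `.Values.service` now wins over the deprecated `.Values.workload`, but inside `serviceConfig` it is the other way round (`$svc.workload | default ($svc.service | …)` lets `workload` win). If `service` is the preferred key everywhere, as the README table marks `workload` deprecated, and `serviceConfig.service` is meant to mirror the top-level key, swap the inner pair: `{{- default (.Values.workload | default ($svc.service | default ($svc.workload | default .Release.Name))) .Values.service -}}`. Four nested `default` calls on one line are also hard to audit; computing the `serviceConfig` fallback into its own variable first would make the resolution order explicit.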
@@ -48,8 +48,29 @@ TCP {{- define "ztm.targetPodLabels" -}} {{- if .targetPodLabels -}} {{- toYaml .targetPodLabels -}} +{{- else if .podLabels -}} +{{- toYaml .podLabels -}} {{- else -}} -app.kubernetes.io/name: {{ .service }} +app.kubernetes.io/name: {{ default .workload .service }} +{{- end -}} +{{- end -}} + +{{- define "ztm.sourcePodLabels" -}} +{{- if .sourcePodLabels -}} +{{- toYaml .sourcePodLabels -}} +{{- else if .podLabels -}} +{{- toYaml .podLabels -}} +{{- else -}} +app.kubernetes.io/name: {{ default .workload .service }} +{{- end -}} +{{- end -}} + +{{- define "ztm.serviceDenyAllPodLabels" -}} +{{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}} +{{- if $denyAll.podLabels -}} +{{- toYaml $denyAll.podLabels -}} +{{- else -}} +app.kubernetes.io/name: {{ include "ztm.workloadName" . }} {{- end -}} {{- end -}} diff --git a/charts/zero-trust-mesh/templates/istio-allow-from.yaml b/charts/zero-trust-mesh/templates/istio-allow-from.yaml new file mode 100644 index 0000000..6a14c75 --- /dev/null +++ b/charts/zero-trust-mesh/templates/istio-allow-from.yaml 
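Review bot: `ztm.serviceDenyAllPodLabels` has no comment stating that a selector which matches no pods turns both deny-all resources into no-ops, and its default `app.kubernetes.io/name: <workloadName>` only works for workloads that carry that label. A workload labelled differently renders a deny-all that binds to nothing and is silently left open, so propose adding above the define: `{{/* Pod selector shared by the service-scoped deny-all NetworkPolicy and AuthorizationPolicy. A selector that matches no pods makes both a no-op; set denyAll.podLabels when pods are not labelled app.kubernetes.io/name=<service>. */}}`. Separately, `ztm.targetPodLabels` and `ztm.sourcePodLabels` differ only in which legacy key they prefer; the shared `podLabels`/default branches could live in one helper the two wrap.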
@@ -0,0 +1,58 @@ +{{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}} +{{- $istio := .Values.istio | default (dict) -}} +{{- $ingress := concat (.Values.ingress | default (list)) (.Values.allowFrom | default (list)) -}} +{{- range (.Values.allowPolicies | default (list)) -}} +{{- if eq (default "" .type) "ingress" -}} +{{- $ingress = append $ingress . -}} +{{- end -}} +{{- end -}} +{{- range (.Values.allowpolices | default (list)) -}} +{{- if eq (default "" .type) "ingress" -}} +{{- $ingress = append $ingress . -}} +{{- end -}} +{{- end -}} +{{- if and (default false $denyAll.enabled) (default true $istio.enabled) $ingress }} +{{- $targetNamespace := include "ztm.workloadNamespace" . -}} +{{- $targetServiceAccount := include "ztm.workloadServiceAccount" . -}} +{{- range $ingress }} +{{- $sourceWorkload := required "ingress[].service is required" (default .workload .service) -}} +{{- $sourceNamespace := default $targetNamespace .namespace -}} +{{- $sourceServiceAccount := default $sourceWorkload .serviceAccount -}} +{{- $policyName := printf "allow-%s-ingress-from-%s" $targetServiceAccount $sourceServiceAccount -}} +--- +apiVersion: security.istio.io/v1 +kind: AuthorizationPolicy +metadata: + name: {{ include "ztm.sanitizeName" $policyName }} + namespace: {{ $targetNamespace }} +spec: + selector: + matchLabels: + {{- include "ztm.serviceDenyAllPodLabels" $ | nindent 6 }} + action: ALLOW + rules: + {{- if and .allowUnauthenticated (not (or .methods .paths)) }} + - {} + {{- else }} + - + {{- if not .allowUnauthenticated }} + from: + - source: + principals: + - {{ printf "cluster.local/ns/%s/sa/%s" $sourceNamespace $sourceServiceAccount | quote }} + {{- end }} + {{- if or .methods .paths }} + to: + - operation: + {{- if .methods }} + methods: + {{- toYaml .methods | nindent 14 }} + {{- end }} + {{- if .paths }} + paths: + {{- toYaml .paths | nindent 14 }} + {{- end }} + {{- end }} + {{- end }} +{{ end }} +{{- end }} 
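Review bot: The ALLOW rules rendered here never carry `to.operation.ports`, so an ingress entry with `port: 80` opens every port of the selected pods at the mesh layer, while the README documents `port`/`protocol` (default `80`/`TCP`) for the same entry and the NetworkPolicy side is presumably port-scoped (that template is outside this chunk). With `allowUnauthenticated: true` and no `methods`/`paths` the rule collapses to `- {}`, which allows any source on any port of the pod. Emitting `ports` from the entry's `port`, with the documented default of 80, keeps both layers equally narrow; the rewrite below also drops the `- {}` branch because an operation with at least `ports` is then always present. Note also that `required "ingress[].service is required"` will still abort rendering for an entry that only sets `sourceIpBlocks`, which the README lists for non-pod sources; if that case is meant to work, the name should be optional when `allowUnauthenticated` is set.
```yaml
{{- $policyName := printf "allow-%s-ingress-from-%s" $targetServiceAccount $sourceServiceAccount -}}
{{- $port := default 80 .port -}}
# … unchanged: apiVersion/kind/metadata/selector …
  action: ALLOW
  rules:
    -
      {{- if not .allowUnauthenticated }}
      from:
        - source:
            principals:
              - {{ printf "cluster.local/ns/%s/sa/%s" $sourceNamespace $sourceServiceAccount | quote }}
      {{- end }}
      to:
        - operation:
            ports:
              - {{ $port | quote }}
            {{- if .methods }}
            methods:
              {{- toYaml .methods | nindent 14 }}
            {{- end }}
            {{- if .paths }}
            paths:
              {{- toYaml .paths | nindent 14 }}
            {{- end }}
```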
diff --git a/charts/zero-trust-mesh/templates/istio-authorizations.yaml b/charts/zero-trust-mesh/templates/istio-authorizations.yaml index aa1c666..f6ee09d 100644 --- a/charts/zero-trust-mesh/templates/istio-authorizations.yaml +++ b/charts/zero-trust-mesh/templates/istio-authorizations.yaml @@ -1,11 +1,24 @@ {{- $istio := .Values.istio | default (dict) -}} -{{- if and (default true $istio.enabled) .Values.allowTo }} +{{- $legacy := .Values.legacyAllowToIngress | default (dict) -}} +{{- $egress := concat (.Values.egress | default (list)) (.Values.allowTo | default (list)) -}} +{{- range (.Values.allowPolicies | default (list)) -}} +{{- if eq (default "" .type) "egress" -}} +{{- $egress = append $egress . -}} +{{- end -}} +{{- end -}} +{{- range (.Values.allowpolices | default (list)) -}} +{{- if eq (default "" .type) "egress" -}} +{{- $egress = append $egress . -}} +{{- end -}} +{{- end -}} +{{- if and (default false $legacy.enabled) (default true $istio.enabled) $egress }} {{- $sourceNamespace := include "ztm.workloadNamespace" . -}} {{- $sourceServiceAccount := include "ztm.workloadServiceAccount" . -}} -{{- range .Values.allowTo }} -{{- if .service }} +{{- range $egress }} +{{- $targetService := default .workload .service -}} +{{- if $targetService }} {{- $targetNamespace := default $sourceNamespace .namespace -}} -{{- $targetServiceAccount := default .service .serviceAccount -}} +{{- $targetServiceAccount := default $targetService .serviceAccount -}} {{- $policyName := printf "allow-%s-to-%s" $sourceServiceAccount $targetServiceAccount -}} --- apiVersion: security.istio.io/v1 diff --git a/charts/zero-trust-mesh/templates/istio-egress-gateway.yaml b/charts/zero-trust-mesh/templates/istio-egress-gateway.yaml index 9b143a2..c4fdbc1 100644 --- a/charts/zero-trust-mesh/templates/istio-egress-gateway.yaml +++ b/charts/zero-trust-mesh/templates/istio-egress-gateway.yaml 
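Review bot: The merge of `egress`, `allowTo`, `allowPolicies` and `allowpolices` into `$egress` at the top of this hunk is copied verbatim into istio-egress-gateway.yaml and istio-serviceentries.yaml (and presumably into the NetworkPolicy templates that follow), so every future alias or type-filter change has to be repeated per file and one missed copy silently diverges the policies. A named template that emits the merged list once can be shared and read back with `fromYamlArray` (available in current Helm 3 releases; confirm against the chart's minimum Helm version). The AuthorizationPolicy body this hunk starts continues outside the hunk.
```yaml
{{- define "ztm.egressEntries" -}}
{{- $egress := concat (.Values.egress | default (list)) (.Values.allowTo | default (list)) -}}
{{- range concat (.Values.allowPolicies | default (list)) (.Values.allowpolices | default (list)) -}}
{{- if eq (default "" .type) "egress" -}}
{{- $egress = append $egress . -}}
{{- end -}}
{{- end -}}
{{- toYaml $egress -}}
{{- end -}}
# … in each consuming template, replacing the copied merge block …
{{- $egress := include "ztm.egressEntries" . | fromYamlArray -}}
```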
@@ -2,9 +2,20 @@ {{- $egw := $istio.egressGateway | default (dict) -}} {{- $egwNamespace := default "istio-system" $egw.namespace -}} {{- $egwServiceName := default "istio-egressgateway" $egw.serviceName -}} -{{- if and (ne $istio.enabled false) (eq $egw.enabled true) .Values.allowTo }} +{{- $egress := concat (.Values.egress | default (list)) (.Values.allowTo | default (list)) -}} +{{- range (.Values.allowPolicies | default (list)) -}} +{{- if eq (default "" .type) "egress" -}} +{{- $egress = append $egress . -}} +{{- end -}} +{{- end -}} +{{- range (.Values.allowpolices | default (list)) -}} +{{- if eq (default "" .type) "egress" -}} +{{- $egress = append $egress . -}} +{{- end -}} +{{- end -}} +{{- if and (ne $istio.enabled false) (eq $egw.enabled true) $egress }} {{- $workloadNamespace := include "ztm.workloadNamespace" . -}} -{{- range .Values.allowTo }} +{{- range $egress }} {{- if .hosts }} {{- range .hosts }} --- diff --git a/charts/zero-trust-mesh/templates/istio-service-deny-all.yaml b/charts/zero-trust-mesh/templates/istio-service-deny-all.yaml new file mode 100644 index 0000000..c1ae1d5 --- /dev/null +++ b/charts/zero-trust-mesh/templates/istio-service-deny-all.yaml @@ -0,0 +1,15 @@ +{{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}} +{{- $istio := .Values.istio | default (dict) -}} +{{- if and (default false $denyAll.enabled) (default true $istio.enabled) }} +apiVersion: security.istio.io/v1 +kind: AuthorizationPolicy +metadata: + name: {{ include "ztm.fullname" . }}-service-deny-all + namespace: {{ include "ztm.workloadNamespace" . }} + labels: + {{- include "ztm.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "ztm.serviceDenyAllPodLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/zero-trust-mesh/templates/istio-serviceentries.yaml b/charts/zero-trust-mesh/templates/istio-serviceentries.yaml index 68a9f50..7a91ee2 100644 --- a/charts/zero-trust-mesh/templates/istio-serviceentries.yaml 
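Review bot: The service-level AuthorizationPolicy in istio-service-deny-all.yaml relies on the implicit default `action` and has no `rules`, which is exactly what makes it a default-deny for the selected workload, but nothing on the resource says so, and a reader comparing it with the explicit `action: ALLOW` in istio-allow-from.yaml may read the omission as an oversight. Suggest writing `action: ALLOW` explicitly plus a template comment such as `{{- /* ALLOW with no rules: Istio denies all inbound requests to the selected workload until a matching ALLOW policy exists */ -}}`. If the README does not already say so, it is also worth stating that this covers only inbound requests to sidecar-injected pods; outbound and non-mesh paths depend on the NetworkPolicy counterpart being enabled, as the research notes in this patch describe.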
+++ b/charts/zero-trust-mesh/templates/istio-serviceentries.yaml @@ -1,7 +1,18 @@ {{- $istio := .Values.istio | default (dict) -}} -{{- if and (default true $istio.enabled) .Values.allowTo }} +{{- $egress := concat (.Values.egress | default (list)) (.Values.allowTo | default (list)) -}} +{{- range (.Values.allowPolicies | default (list)) -}} +{{- if eq (default "" .type) "egress" -}} +{{- $egress = append $egress . -}} +{{- end -}} +{{- end -}} +{{- range (.Values.allowpolices | default (list)) -}} +{{- if eq (default "" .type) "egress" -}} +{{- $egress = append $egress . -}} +{{- end -}} +{{- end -}} +{{- if and (default true $istio.enabled) $egress }} {{- $workloadNamespace := include "ztm.workloadNamespace" . -}} -{{- range .Values.allowTo }} +{{- range $egress }} {{- if .hosts }} {{- $defaultPorts := list (dict "number" 80 "protocol" "HTTP") (dict "number" 443 "protocol" "HTTPS") -}} {{- $userPorts := .ports | default (list) -}} @@ -75,7 +86,7 @@ spec: resolution: NONE ports: {{- range $port := $ports }} - {{- $number := required "allowTo[].ips ports[].number is required" $port.number }} + {{- $number := required "egress[].ips ports[].number is required" $port.number }} {{- $protocol := default "TCP" $port.protocol | upper }} - number: {{ $number }} name: {{ default (include "ztm.sanitizeName" (printf "%s-%v" ($protocol | lower) $number)) $port.name }} diff --git a/charts/zero-trust-mesh/templates/networkpolicy-allow-from.yaml b/charts/zero-trust-mesh/templates/networkpolicy-allow-from.yaml new file mode 100644 index 0000000..7aa4645 --- /dev/null +++ b/charts/zero-trust-mesh/templates/networkpolicy-allow-from.yaml 
@@ -0,0 +1,53 @@
+{{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}}
+{{- $np := .Values.networkPolicy | default (dict) -}}
+{{- $labels := .Values.labels | default (dict) -}}
+{{- $ingress := concat (.Values.ingress | default (list)) (.Values.allowFrom | default (list)) -}}
+{{- range (.Values.allowPolicies | default (list)) -}}
+{{- if eq (default "" .type) "ingress" -}}
+{{- $ingress = append $ingress . -}}
+{{- end -}}
+{{- end -}}
+{{- range (.Values.allowpolices | default (list)) -}}
+{{- if eq (default "" .type) "ingress" -}}
+{{- $ingress = append $ingress . -}}
+{{- end -}}
+{{- end -}}
+{{- if and (default false $denyAll.enabled) (default true $np.enabled) $ingress }}
+{{- $targetNamespace := include "ztm.workloadNamespace" . -}}
+{{- $targetWorkload := include "ztm.workloadName" . -}}
+{{- range $ingress }}
+{{- $sourceWorkload := required "ingress[].service is required" (default .workload .service) -}}
+{{- $sourceNamespace := default $targetNamespace .namespace -}}
+{{- $ruleName := printf "%s-ingress-from-%s-%v" $targetWorkload $sourceWorkload (.port | default 80) -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-{{ include "ztm.sanitizeName" $ruleName }}
+  namespace: {{ $targetNamespace }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "ztm.serviceDenyAllPodLabels" $ | nindent 6 }}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    {{- if .sourceIpBlocks }}
+    {{- range .sourceIpBlocks }}
+      - ipBlock:
+          cidr: {{ . | quote }}
+    {{- end }}
+    {{- else }}
+    - namespaceSelector:
+        matchLabels:
+          {{ default "kubernetes.io/metadata.name" $labels.namespaceLabelKey }}: {{ $sourceNamespace }}
+      podSelector:
+        matchLabels:
+          {{- include "ztm.sourcePodLabels" . | nindent 14 }}
+    {{- end }}
+    ports:
+    - port: {{ .port | default 80 }}
+      protocol: {{ .protocol | default "TCP" }}
+{{ end }}
+{{- end }}
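Review bot: `protocol: {{ .protocol | default "TCP" }}` emits the entry's protocol verbatim, while networkpolicy-host-egress.yaml routes the same field through `ztm.networkPolicyProtocol`; an ingress entry written with the Istio-style `protocol: HTTP` therefore renders a protocol the NetworkPolicy API rejects (only TCP, UDP and SCTP are valid), and networkpolicy-service-egress.yaml has the same line. Suggest `protocol: {{ include "ztm.networkPolicyProtocol" .protocol }}` in both, provided the helper treats an empty value as TCP the way `default "TCP"` does. `cidr: {{ . | quote }}` likewise passes `sourceIpBlocks` entries through unchanged, whereas the values comments promise that single IPs are normalized to /32 for `ipBlock`; a bare IP here is rejected by the API server, so either normalize it as the ip-egress rules do or document that CIDR notation is required for this field.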
diff --git a/charts/zero-trust-mesh/templates/networkpolicy-flows.yaml b/charts/zero-trust-mesh/templates/networkpolicy-flows.yaml index f162640..3f49cb9 100644 --- a/charts/zero-trust-mesh/templates/networkpolicy-flows.yaml +++ b/charts/zero-trust-mesh/templates/networkpolicy-flows.yaml @@ -1,12 +1,25 @@ {{- $np := .Values.networkPolicy | default (dict) -}} +{{- $legacy := .Values.legacyAllowToIngress | default (dict) -}} {{- $labels := .Values.labels | default (dict) -}} -{{- if and (default true $np.enabled) .Values.allowTo }} +{{- $egress := concat (.Values.egress | default (list)) (.Values.allowTo | default (list)) -}} +{{- range (.Values.allowPolicies | default (list)) -}} +{{- if eq (default "" .type) "egress" -}} +{{- $egress = append $egress . -}} +{{- end -}} +{{- end -}} +{{- range (.Values.allowpolices | default (list)) -}} +{{- if eq (default "" .type) "egress" -}} +{{- $egress = append $egress . -}} +{{- end -}} +{{- end -}} +{{- if and (default false $legacy.enabled) (default true $np.enabled) $egress }} {{- $sourceNamespace := include "ztm.workloadNamespace" . -}} {{- $sourceWorkload := include "ztm.workloadName" . -}} -{{- range .Values.allowTo }} -{{- if .service }} +{{- range $egress }} +{{- $targetService := default .workload .service -}} +{{- if $targetService }} {{- $targetNamespace := default $sourceNamespace .namespace -}} -{{- $ruleName := printf "%s-to-%s-%v" $sourceWorkload .service (.port | default 8080) -}} +{{- $ruleName := printf "%s-to-%s-%v" $sourceWorkload $targetService (.port | default 8080) -}} --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy diff --git a/charts/zero-trust-mesh/templates/networkpolicy-host-egress.yaml b/charts/zero-trust-mesh/templates/networkpolicy-host-egress.yaml new file mode 100644 index 0000000..9a199ed --- /dev/null +++ b/charts/zero-trust-mesh/templates/networkpolicy-host-egress.yaml 
@@ -0,0 +1,60 @@
+{{- $np := .Values.networkPolicy | default (dict) -}}
+{{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}}
+{{- $egress := concat (.Values.egress | default (list)) (.Values.allowTo | default (list)) -}}
+{{- range (.Values.allowPolicies | default (list)) -}}
+{{- if eq (default "" .type) "egress" -}}
+{{- $egress = append $egress . -}}
+{{- end -}}
+{{- end -}}
+{{- range (.Values.allowpolices | default (list)) -}}
+{{- if eq (default "" .type) "egress" -}}
+{{- $egress = append $egress . -}}
+{{- end -}}
+{{- end -}}
+{{- if and (default false $denyAll.enabled) (default true $np.enabled) $egress }}
+{{- $workloadNamespace := include "ztm.workloadNamespace" . -}}
+{{- $sourceWorkload := include "ztm.workloadName" . -}}
+{{- $portsByKey := dict -}}
+{{- range $egress }}
+{{- if .hosts }}
+{{- $defaultPorts := list (dict "number" 80 "protocol" "TCP") (dict "number" 443 "protocol" "TCP") -}}
+{{- $ports := .ports | default $defaultPorts -}}
+{{- range $port := $ports }}
+{{- $number := required "egress[].hosts ports[].number is required" $port.number -}}
+{{- $protocol := include "ztm.networkPolicyProtocol" $port.protocol -}}
+{{- $_ := set $portsByKey (printf "%v-%s" $number $protocol) (dict "number" $number "protocol" $protocol) -}}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if $portsByKey }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-{{ include "ztm.sanitizeName" (printf "%s-egress-to-external-hosts" $sourceWorkload) }}
+  namespace: {{ $workloadNamespace }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "ztm.serviceDenyAllPodLabels" .
| nindent 6 }} + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + except: + - 10.0.0.0/8 + - 100.64.0.0/10 + - 127.0.0.0/8 + - 169.254.0.0/16 + - 172.16.0.0/12 + - 192.168.0.0/16 + ports: + {{- range $key := keys $portsByKey | sortAlpha }} + {{- $port := get $portsByKey $key }} + - port: {{ $port.number }} + protocol: {{ $port.protocol }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/zero-trust-mesh/templates/networkpolicy-ip-egress.yaml b/charts/zero-trust-mesh/templates/networkpolicy-ip-egress.yaml index b303516..ea809b3 100644 --- a/charts/zero-trust-mesh/templates/networkpolicy-ip-egress.yaml +++ b/charts/zero-trust-mesh/templates/networkpolicy-ip-egress.yaml @@ -1,8 +1,19 @@ {{- $np := .Values.networkPolicy | default (dict) -}} -{{- if and (ne $np.enabled false) .Values.allowTo }} +{{- $egress := concat (.Values.egress | default (list)) (.Values.allowTo | default (list)) -}} +{{- range (.Values.allowPolicies | default (list)) -}} +{{- if eq (default "" .type) "egress" -}} +{{- $egress = append $egress . -}} +{{- end -}} +{{- end -}} +{{- range (.Values.allowpolices | default (list)) -}} +{{- if eq (default "" .type) "egress" -}} +{{- $egress = append $egress . -}} +{{- end -}} +{{- end -}} +{{- if and (ne $np.enabled false) $egress }} {{- $workloadNamespace := include "ztm.workloadNamespace" . -}} {{- $sourceWorkload := include "ztm.workloadName" . -}} -{{- range .Values.allowTo }} +{{- range $egress }} {{- if .ips }} {{- $defaultPorts := list (dict "number" 443 "protocol" "TCP") -}} {{- $ports := .ports | default $defaultPorts -}} @@ -20,7 +31,7 @@ metadata: spec: podSelector: matchLabels: - app.kubernetes.io/name: {{ $sourceWorkload }} + {{- include "ztm.serviceDenyAllPodLabels" $ | nindent 6 }} policyTypes: - Egress egress: 
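Review bot: The host egress rule is `cidr: 0.0.0.0/0` with a fixed `except` list, so for every `hosts` entry the workload may reach any public IPv4 address on the collected ports; the hostname restriction exists only on the Istio side (ServiceEntry and egress gateway), and with `istio.enabled: false` or a pod without a sidecar this policy alone permits unrestricted internet egress on the default 80/443. That is inherent to NetworkPolicy, but it should be stated next to the rule and in the values documentation for `hosts`, e.g. `{{- /* NetworkPolicy cannot match hostnames: this opens the listed ports to all non-private IPv4 space; hostname enforcement relies on Istio */ -}}`. The `except` list is hard-coded, so a cluster whose pod or service CIDRs fall outside RFC1918, 100.64/10 and 169.254/16 would have in-cluster destinations covered by this allow; consider sourcing the list from a value with the current entries as the default. The block is also IPv4-only, so on a dual-stack cluster IPv6 egress to the same hosts would be denied rather than allowed, which is worth a sentence in the README.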
@@ -31,7 +42,7 @@ spec: {{- end }} ports: {{- range $port := $ports }} - {{- $number := required "allowTo[].ips ports[].number is required" $port.number }} + {{- $number := required "egress[].ips ports[].number is required" $port.number }} - port: {{ $number }} protocol: {{ include "ztm.networkPolicyProtocol" $port.protocol }} {{- end }} diff --git a/charts/zero-trust-mesh/templates/networkpolicy-service-deny-all.yaml b/charts/zero-trust-mesh/templates/networkpolicy-service-deny-all.yaml new file mode 100644 index 0000000..3f49fbc --- /dev/null +++ b/charts/zero-trust-mesh/templates/networkpolicy-service-deny-all.yaml @@ -0,0 +1,18 @@ +{{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}} +{{- $np := .Values.networkPolicy | default (dict) -}} +{{- if and (default false $denyAll.enabled) (default true $np.enabled) }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "ztm.fullname" . }}-service-deny-all + namespace: {{ include "ztm.workloadNamespace" . }} + labels: + {{- include "ztm.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "ztm.serviceDenyAllPodLabels" . | nindent 6 }} + policyTypes: + - Ingress + - Egress +{{- end }} diff --git a/charts/zero-trust-mesh/templates/networkpolicy-service-dns.yaml b/charts/zero-trust-mesh/templates/networkpolicy-service-dns.yaml new file mode 100644 index 0000000..1710bc9 --- /dev/null +++ b/charts/zero-trust-mesh/templates/networkpolicy-service-dns.yaml 
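Review bot: With `policyTypes` listing `Egress` and no rules, the pods selected by networkpolicy-service-deny-all.yaml can reach only what the companion allow policies open, and nothing in this patch opens the Kubernetes API server; a workload that calls the API (operators, anything using in-cluster config) will need an explicit `ips`/`hosts` egress entry, which belongs in the values documentation for `denyAll`. The DNS and istiod companions are skipped when `namespaceResources` is enabled, so with the namespace baseline on this template assumes the baseline already allows DNS and control-plane egress for exactly these pods; a template comment above that gate, e.g. `{{- /* skipped when the namespace baseline renders its own DNS allow; verify the baseline covers the pods selected here */ -}}`, would record the dependency.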
@@ -0,0 +1,31 @@
+{{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}}
+{{- $np := .Values.networkPolicy | default (dict) -}}
+{{- $nsr := .Values.namespaceResources | default (dict) -}}
+{{- if and (default false $denyAll.enabled) (default true $np.enabled) (not (default false (default .Values.namespaceResourcesEnabled $nsr.enabled))) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "ztm.fullname" . }}-allow-dns-egress
+  namespace: {{ include "ztm.workloadNamespace" . }}
+  labels:
+    {{- include "ztm.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "ztm.serviceDenyAllPodLabels" . | nindent 6 }}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+      podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+    ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
+{{- end }}
diff --git a/charts/zero-trust-mesh/templates/networkpolicy-service-egress.yaml b/charts/zero-trust-mesh/templates/networkpolicy-service-egress.yaml
new file mode 100644
index 0000000..a72cc65
--- /dev/null
+++ b/charts/zero-trust-mesh/templates/networkpolicy-service-egress.yaml
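Review bot: The DNS allow hard-codes `kube-system`, `k8s-app: kube-dns` and port 53, so on a distribution whose resolver lives elsewhere (a differently labelled CoreDNS, OpenShift's DNS namespace, or a node-local DNS cache reached on a link-local address that no pod selector can match) the deny-all takes effect but this rule matches nothing and the workload silently loses name resolution. Since the chart already reads comparable namespace settings from values (the egress gateway namespace in istio-egress-gateway.yaml), consider taking the DNS namespace selector and pod labels from values with the current entries as defaults, and documenting that default next to `denyAll` in the README.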
@@ -0,0 +1,48 @@
+{{- $np := .Values.networkPolicy | default (dict) -}}
+{{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}}
+{{- $labels := .Values.labels | default (dict) -}}
+{{- $egress := concat (.Values.egress | default (list)) (.Values.allowTo | default (list)) -}}
+{{- range (.Values.allowPolicies | default (list)) -}}
+{{- if eq (default "" .type) "egress" -}}
+{{- $egress = append $egress . -}}
+{{- end -}}
+{{- end -}}
+{{- range (.Values.allowpolices | default (list)) -}}
+{{- if eq (default "" .type) "egress" -}}
+{{- $egress = append $egress . -}}
+{{- end -}}
+{{- end -}}
+{{- if and (default false $denyAll.enabled) (default true $np.enabled) $egress }}
+{{- $sourceNamespace := include "ztm.workloadNamespace" . -}}
+{{- $sourceWorkload := include "ztm.workloadName" . -}}
+{{- range $egress }}
+{{- $targetService := default .workload .service -}}
+{{- if $targetService }}
+{{- $targetNamespace := default $sourceNamespace .namespace -}}
+{{- $ruleName := printf "%s-egress-to-%s-%v" $sourceWorkload $targetService (.port | default 8080) -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-{{ include "ztm.sanitizeName" $ruleName }}
+  namespace: {{ $sourceNamespace }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "ztm.serviceDenyAllPodLabels" $ | nindent 6 }}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          {{ default "kubernetes.io/metadata.name" $labels.namespaceLabelKey }}: {{ $targetNamespace }}
+      podSelector:
+        matchLabels:
+          {{- include "ztm.targetPodLabels" . | nindent 14 }}
+    ports:
+    - port: {{ .port | default 8080 }}
+      protocol: {{ .protocol | default "TCP" }}
+{{ end }}
+{{ end }}
+{{- end }}
diff --git a/charts/zero-trust-mesh/templates/networkpolicy-service-istiod.yaml b/charts/zero-trust-mesh/templates/networkpolicy-service-istiod.yaml
new file mode 100644
index 0000000..19d583f
--- /dev/null
+++ b/charts/zero-trust-mesh/templates/networkpolicy-service-istiod.yaml
@@ -0,0 +1,39 @@
+{{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}}
+{{- $np := .Values.networkPolicy | default (dict) -}}
+{{- $istio := .Values.istio | default (dict) -}}
+{{- $nsr := .Values.namespaceResources | default (dict) -}}
+{{- if and (default false $denyAll.enabled) (default true $np.enabled) (default true $istio.enabled) (not (default false (default .Values.namespaceResourcesEnabled $nsr.enabled))) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "ztm.fullname" . }}-allow-istiod-egress
+  namespace: {{ include "ztm.workloadNamespace" . }}
+  labels:
+    {{- include "ztm.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "ztm.serviceDenyAllPodLabels" . | nindent 6 }}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: istio-system
+      podSelector:
+        matchLabels:
+          app: istiod
+          istio: pilot
+    ports:
+    - port: 15010
+      protocol: TCP
+    - port: 15012
+      protocol: TCP
+    - port: 15014
+      protocol: TCP
+    - port: 15017
+      protocol: TCP
+    - port: 443
+      protocol: TCP
+{{- end }}
diff --git a/charts/zero-trust-mesh/values.yaml b/charts/zero-trust-mesh/values.yaml
index 3f810e2..ece1c37 100644
--- a/charts/zero-trust-mesh/values.yaml
+++ b/charts/zero-trust-mesh/values.yaml
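Review bot: The istiod allow hard-codes the `istio-system` namespace and the `app: istiod` / `istio: pilot` labels, while istio-egress-gateway.yaml already reads the gateway namespace from `istio.egressGateway.namespace`; a control plane installed under another namespace or revision label leaves the sidecars unable to reach XDS and the CA once the deny-all applies. Suggest taking the namespace and selector from values with these as defaults. The port list also opens 15010, the plaintext XDS/CA port, alongside 15012; if the deployment uses the TLS port 15012 (the usual sidecar default), 15010 can be dropped from the default allow, and a comment per port would help reviewers, e.g. `# 15012: XDS and CA over TLS; 15014: control-plane monitoring; 15017: injection/validation webhook`.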
@@ -1,31 +1,80 @@ # namespace: -# workload: -# Optional; defaults to workload when empty. +# service: +# workload: +# Optional; defaults to service when empty. serviceAccount: "" # Keep false for per-service releases. Enable only in one baseline release per namespace. namespaceResourcesEnabled: false -# Single allowTo list. Defaults to no service-level allow rules. -# Supported entry types: -# - service rule: workload -> service -# - hosts rule: approved external hosts (default ports: 80/HTTP and 443/HTTPS) -# - ips rule: approved external IP/CIDR egress (default port: 443/TCP) +# Optional service-level deny-all. This is safer for incremental rollout than +# namespaceResourcesEnabled because it selects only the current service pods. +# denyAll: +# enabled: false +# # Optional pod selector override; defaults to: +# # app.kubernetes.io/name: +# # podLabels: +# # app: frontend +# # component: api +denyAll: {} + +# Deprecated alias for denyAll. Prefer denyAll. +serviceDenyAll: {} + +# Single typed allow list. Defaults to no service-level allow rules. +# `type: ingress` entries open inbound traffic to the current service. +# `type: egress` entries open outbound traffic from the current service. +allowPolicies: [] + +# Deprecated misspelled alias for allowPolicies. Prefer allowPolicies. +allowpolices: [] + +# Backward-compatible split lists. +egress: [] +ingress: [] + +# Backward-compatible aliases for older values APIs. allowTo: [] +allowFrom: [] -# Example allowTo entries: -# allowTo: -# - service: backend +# Backward-compatibility switch for the previous allowTo service behavior, where +# allowTo/egress also rendered target-side ingress NetworkPolicy and +# AuthorizationPolicy resources. Keep disabled when each service owns its own +# inbound ingress rules. +legacyAllowToIngress: + enabled: false + +# Example typed allow entries: +# allowPolicies: +# - type: ingress +# service: gateway +# # Optional source service account override; defaults to service. 
+# # serviceAccount: gateway +# # Optional peer pod selector override; defaults to: +# # app.kubernetes.io/name: +# # podLabels: +# # app: gateway +# port: 80 +# methods: ["GET"] +# paths: ["/*"] +# - type: ingress +# service: internal-alb +# # Use VPC CIDR or narrower ALB subnet CIDRs for AWS ALB target-type ip. +# sourceIpBlocks: +# - 172.31.0.0/16 +# port: 80 +# allowUnauthenticated: true +# - type: egress +# service: backend # # Optional target pod selector override; defaults to: # # app.kubernetes.io/name: -# # targetPodLabels: +# # podLabels: # # app: backend # port: 8080 -# methods: ["GET", "POST"] -# paths: ["/api/*"] # -# - hosts: ["api.stripe.com"] +# - type: egress +# hosts: ["api.stripe.com"] # # Optional custom ports/protocols for this host group. # # These are merged with defaults (80/HTTP and 443/HTTPS). # # ports: @@ -34,7 +83,8 @@ allowTo: [] # # - number: 443 # # protocol: HTTPS # -# - ips: ["192.0.2.10"] +# - type: egress +# ips: ["192.0.2.10"] # # Single IPs are normalized to /32 for NetworkPolicy ipBlock. # # CIDRs like 198.51.100.0/24 can also be used. # # Optional custom ports/protocols for this IP group. 
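Review bot: `allowpolices: []` is introduced as a "deprecated misspelled alias" in the same change that adds `allowPolicies`, and every template in the patch carries a second loop for it; unless a released chart version already accepted the misspelling, this adds permanent API surface for no compatibility gain, and if one did, the comment should name that version so the alias can be retired later. The selector defaults in the comments end in a dangling `app.kubernetes.io/name:` (in the `denyAll`, `allowPolicies` and legacy `ingress` examples, and again in the data-model table), which reads like a lost placeholder; `app.kubernetes.io/name: <service>` or similar would make the default unambiguous. The two blocks resolve with `denyAll` winning when both it and `serviceDenyAll` are set, which is worth one line in the comment above `serviceDenyAll`.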
@@ -42,3 +92,30 @@ allowTo: [] # # ports: # # - number: 443 # # protocol: TCP + +# Legacy split-list ingress examples: +# ingress: +# - service: frontend +# serviceAccount: frontend +# # Optional source pod selector override; defaults to: +# # app.kubernetes.io/name: +# # sourcePodLabels: +# # app: frontend +# port: 80 +# methods: ["GET"] +# paths: ["/*"] +# - service: ingress-nginx +# namespace: ingress-nginx +# sourcePodLabels: +# app.kubernetes.io/name: ingress-nginx +# app.kubernetes.io/component: controller +# port: 80 +# # Use when the source is not in the mesh and has no Istio principal. +# # NetworkPolicy still restricts packets to sourcePodLabels. +# allowUnauthenticated: true +# - service: internal-alb +# # Use VPC CIDR or narrower ALB subnet CIDRs for AWS ALB target-type ip. +# sourceIpBlocks: +# - 172.31.0.0/16 +# port: 80 +# allowUnauthenticated: true diff --git a/examples/zero-trust-mesh/service-deny-all.yaml b/examples/zero-trust-mesh/service-deny-all.yaml new file mode 100644 index 0000000..412ea15 --- /dev/null +++ b/examples/zero-trust-mesh/service-deny-all.yaml @@ -0,0 +1,9 @@ +# helm template ztm-service-deny-all ./charts/zero-trust-mesh -n default -f ./examples/zero-trust-mesh/service-deny-all.yaml +workload: frontend +namespaceResourcesEnabled: false +serviceDenyAll: + enabled: true + podLabels: + app: frontend + component: api + diff --git a/examples/zero-trust-mesh/values.full.yaml b/examples/zero-trust-mesh/values.full.yaml index 9c013b5..53cdb9e 100644 --- a/examples/zero-trust-mesh/values.full.yaml +++ b/examples/zero-trust-mesh/values.full.yaml 
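Review bot: The example added for the new feature uses the deprecated spellings: `serviceDenyAll:` where values.yaml in this same patch says to prefer `denyAll`, and `workload: frontend` where the preferred identity key is `service`; since the render contract and quickstart point users at this file, it should demonstrate the preferred API (`denyAll:` and `service: frontend`) or carry a comment explaining why the aliases are exercised here. The trailing empty line at the end of the file can be dropped.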
@@ -6,32 +6,62 @@ labels: namespaceResources: enabled: true -# Preferred top-level identity fields (kept with legacy serviceConfig below for compatibility). -workload: backend +# Current service identity. +service: backend serviceAccount: backend-runtime-sa -serviceConfig: +# Optional service-level deny-all. Use this for a protected service release. +# Keep this disabled for source/peer services that should stay unrestricted. +denyAll: enabled: true - namespace: default - workload: backend - serviceAccount: backend-runtime-sa + podLabels: + app.kubernetes.io/name: backend -allowTo: - - service: auth +allowPolicies: + # Inbound traffic to backend from selected in-mesh services. + - type: ingress + service: frontend + namespace: default + serviceAccount: frontend-runtime-sa + podLabels: + app.kubernetes.io/name: frontend + port: 8080 + protocol: TCP + methods: ["GET", "POST"] + paths: ["/api/*"] + + # Inbound traffic from a non-mesh source such as an ingress controller. + # NetworkPolicy still restricts packets to the selected pods. + - type: ingress + service: ingress-nginx + namespace: ingress-nginx + podLabels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: controller + port: 8080 + protocol: TCP + allowUnauthenticated: true + + # Outbound traffic from backend to another service. + - type: egress + service: auth namespace: shared port: 8080 protocol: TCP - serviceAccount: auth-runtime-sa - methods: ["POST"] - paths: ["/verify", "/token"] + podLabels: + app.kubernetes.io/name: auth - - service: payments + - type: egress + service: payments namespace: poc-mesh port: 8080 - methods: ["POST"] - paths: ["/charge"] + protocol: TCP + podLabels: + app.kubernetes.io/name: payments - - hosts: + # External host egress. + - type: egress + hosts: - api.stripe.com - s3.eu-central-1.amazonaws.com # Optional host ports; merged with defaults 80/HTTP and 443/HTTPS. 
diff --git a/specs/016-service-deny-all/checklists/requirements.md b/specs/016-service-deny-all/checklists/requirements.md new file mode 100644 index 0000000..f92f7ce --- /dev/null +++ b/specs/016-service-deny-all/checklists/requirements.md @@ -0,0 +1,20 @@ +# Requirements Checklist: Service-Level Deny All + +**Feature**: `specs/016-service-deny-all/spec.md` + +## Content Quality + +- [x] No implementation-only details in user stories +- [x] User value and rollout safety are clear +- [x] Acceptance scenarios are independently testable +- [x] Scope is bounded to zero-trust-mesh chart behavior + +## Requirement Completeness + +- [x] Service-level inbound deny behavior specified +- [x] Service-level outbound deny behavior specified +- [x] Namespace-wide behavior explicitly out of scope for the new option +- [x] Selector default and override behavior specified +- [x] Disabled default specified +- [x] Existing allow-rule compatibility specified +- [x] Documentation, example, render assertion, and version bump specified diff --git a/specs/016-service-deny-all/contracts/render-contract.md b/specs/016-service-deny-all/contracts/render-contract.md new file mode 100644 index 0000000..217a356 --- /dev/null +++ b/specs/016-service-deny-all/contracts/render-contract.md 
@@ -0,0 +1,50 @@ +# Render Contract: Service-Level Deny All + +## Service-level deny-all enabled + +Command: + +```bash +helm template ztm-service-deny-all ./charts/zero-trust-mesh -n default -f ./charts/zero-trust-mesh/tests/service-deny-all-values.yaml +``` + +Expected output: + +- Includes a `networking.k8s.io/v1` `NetworkPolicy`. +- NetworkPolicy selects only the configured workload labels. +- NetworkPolicy has `policyTypes` containing both `Ingress` and `Egress`. +- NetworkPolicy has no ingress or egress allow rule entries. +- Includes a `security.istio.io/v1` `AuthorizationPolicy`. +- AuthorizationPolicy selects only the configured workload labels. +- Does not include namespace baseline deny-all resource names unless namespace baseline is separately enabled. + +## Disabled default + +Command: + +```bash +helm template ztm-default ./charts/zero-trust-mesh -n default +``` + +Expected output: + +- Does not render service-level deny-all resources. +- Does not render sample allow rules. + +## NetworkPolicy disabled + +When `serviceDenyAll.enabled: true` and `networkPolicy.enabled: false`: + +- Does not render the service-level NetworkPolicy. +- May still render the service-level AuthorizationPolicy if Istio is enabled. + +## Istio disabled + +When `serviceDenyAll.enabled: true` and `istio.enabled: false`: + +- Does not render the service-level AuthorizationPolicy. +- May still render the service-level NetworkPolicy if NetworkPolicy is enabled. + +## Existing allow rules + +Existing service, host, and IP examples must continue rendering without behavior changes. diff --git a/specs/016-service-deny-all/data-model.md b/specs/016-service-deny-all/data-model.md new file mode 100644 index 0000000..44225af --- /dev/null +++ b/specs/016-service-deny-all/data-model.md 
@@ -0,0 +1,39 @@ +# Data Model: Service-Level Deny All + +## ServiceDenyAllConfig + +Values object that controls workload-scoped deny-all behavior. + +| Field | Type | Required | Description | +|-------|------|----------|-------------| +| `enabled` | boolean | no | Enables service/workload-level deny-all resources. Defaults to `false`. | +| `podLabels` | map[string]string | no | Selector labels for the workload pods. Defaults to `app.kubernetes.io/name: `. | + +## WorkloadSelector + +The pod labels used by generated policies. + +| Field | Type | Required | Description | +|-------|------|----------|-------------| +| `matchLabels` | map[string]string | yes | Kubernetes and Istio workload selector labels. | + +## ServiceDenyAllNetworkPolicy + +One Kubernetes NetworkPolicy rendered when `serviceDenyAll.enabled` is true and `networkPolicy.enabled` is not false. + +Key fields: + +- `metadata.namespace`: workload namespace +- `spec.podSelector.matchLabels`: service-level workload selector +- `spec.policyTypes`: `Ingress` and `Egress` +- no `spec.ingress` or `spec.egress` allow rules + +## ServiceDenyAllAuthorizationPolicy + +One Istio AuthorizationPolicy rendered when `serviceDenyAll.enabled` is true and `istio.enabled` is not false. + +Key fields: + +- `metadata.namespace`: workload namespace +- `spec.selector.matchLabels`: service-level workload selector +- no allow rules, establishing default-deny inbound behavior for selected workload diff --git a/specs/016-service-deny-all/plan.md b/specs/016-service-deny-all/plan.md new file mode 100644 index 0000000..1fe9fb2 --- /dev/null +++ b/specs/016-service-deny-all/plan.md 
@@ -0,0 +1,98 @@ +# Implementation Plan: Service-Level Deny All + +**Branch**: `016-service-deny-all` | **Date**: 2026-05-21 | **Spec**: `/specs/016-service-deny-all/spec.md` +**Input**: Feature specification from `/specs/016-service-deny-all/spec.md` + +## Summary + +Add a disabled-by-default service-level deny-all option to `charts/zero-trust-mesh`. When enabled, it renders workload-scoped Kubernetes NetworkPolicy default deny for both ingress and egress, plus workload-scoped Istio AuthorizationPolicy default deny for inbound mesh traffic. Namespace baseline behavior and existing `allowTo` rules remain unchanged. + +## Technical Context + +**Language/Version**: Helm template DSL, YAML manifests +**Primary Dependencies**: Helm 3 CLI, Kubernetes NetworkPolicy `networking.k8s.io/v1`, Istio AuthorizationPolicy `security.istio.io/v1` +**Storage**: N/A +**Testing**: `helm lint`, `helm template`, focused shell render assertion +**Target Platform**: Kubernetes clusters with a NetworkPolicy provider and Istio sidecar traffic management +**Project Type**: Helm chart repository +**Performance Goals**: Render behavior remains constant for the deny-all option and linear for existing `allowTo` entries +**Constraints**: Disabled by default; service/workload scoped only; no namespace-wide behavior changes; compatible with later explicit allow rules +**Scale/Scope**: One chart (`zero-trust-mesh`), one example under `examples/zero-trust-mesh/`, focused tests, and Speckit artifacts under `specs/016-service-deny-all/` + +## Constitution Check + +*GATE: Must pass before Phase 0 research. Re-check after Phase 1 design.* + +- [x] **Chart-First**: Work stays inside `charts/zero-trust-mesh`, repo examples, and repo specs. +- [x] **Values Contract**: New consumer-facing behavior is exposed via values as a disabled-by-default service deny-all block. +- [x] **Lint & Template**: Plan includes `helm lint` and `helm template` with focused and existing examples. 
+- [x] **Versioning & Compatibility**: Change is backward-compatible and includes a patch version bump. +- [x] **Simplicity & Defaults**: New behavior is opt-in and defaults to no rendered resources. +- [x] **Examples for new abilities**: Plan includes `examples/zero-trust-mesh/service-deny-all.yaml`. +- [x] **Example testing and regression**: Plan includes rendering the new example and existing zero-trust-mesh examples. +- [x] **Docs before implementation**: Kubernetes NetworkPolicy and Istio AuthorizationPolicy shapes are confirmed against existing repo usage and documented in research. + +## Project Structure + +### Documentation (this feature) + +```text +specs/016-service-deny-all/ +├── plan.md +├── spec.md +├── research.md +├── data-model.md +├── quickstart.md +├── contracts/ +│ └── render-contract.md +├── checklists/ +│ └── requirements.md +└── tasks.md +``` + +### Source Code (repository root) + +```text +charts/ +└── zero-trust-mesh/ + ├── Chart.yaml + ├── README.md + ├── values.yaml + ├── templates/ + │ ├── _helpers.tpl + │ ├── istio-service-deny-all.yaml + │ └── networkpolicy-service-deny-all.yaml + └── tests/ + ├── service-deny-all-values.yaml + └── render-service-deny-all.sh + +examples/ +└── zero-trust-mesh/ + └── service-deny-all.yaml +``` + +**Structure Decision**: Keep service-level deny-all in dedicated templates so namespace baseline default-deny templates remain unchanged and the new option stays visibly service scoped. + +## Phase 0: Research Plan + +- Confirm current namespace-level deny-all resources and avoid modifying those templates. +- Confirm service-level selector behavior follows existing `workload` and override patterns. +- Confirm additive Kubernetes NetworkPolicy behavior supports opening explicit allow rules later. +- Confirm Istio default-deny behavior should use an ALLOW policy with no rules, not an action DENY policy. 
+ +## Phase 1: Design & Contracts Plan + +- Document the service deny-all option, workload selector, NetworkPolicy, and AuthorizationPolicy in `data-model.md`. +- Define render contract for the new resources, selector override, disabled defaults, and regression behavior in `contracts/render-contract.md`. +- Provide quickstart commands for focused render assertions, chart linting, default rendering, and example rendering. +- Re-check constitution compliance after artifact generation. + +## Post-Design Constitution Check + +- [x] No constitution violations remain in the planned implementation. +- [x] Chart version bump is included in tasks. +- [x] New public value is paired with README/values documentation and a runnable example. + +## Complexity Tracking + +No constitution violations requiring justification. diff --git a/specs/016-service-deny-all/quickstart.md b/specs/016-service-deny-all/quickstart.md new file mode 100644 index 0000000..caf28ce --- /dev/null +++ b/specs/016-service-deny-all/quickstart.md 
@@ -0,0 +1,46 @@
+# Quickstart: Service-Level Deny All
+
+Run these commands from the repository root.
+
+## Focused service deny-all assertion
+
+```bash
+./charts/zero-trust-mesh/tests/render-service-deny-all.sh ./charts/zero-trust-mesh
+```
+
+Expected: exits with status `0` after implementation.
+
+## Chart lint
+
+```bash
+helm lint ./charts/zero-trust-mesh
+```
+
+Expected: `0 chart(s) failed`.
+
+## Default render regression
+
+```bash
+helm template ztm-default ./charts/zero-trust-mesh -n default
+```
+
+Expected: renders successfully and does not include service-level deny-all resources.
+
+## Existing examples
+
+```bash
+helm template ztm-namespace ./charts/zero-trust-mesh -n default -f ./examples/zero-trust-mesh/values.namespace.yaml
+helm template ztm-full ./charts/zero-trust-mesh -n default -f ./examples/zero-trust-mesh/values.full.yaml
+helm template ztm-target-pod-labels ./charts/zero-trust-mesh -n default -f ./examples/zero-trust-mesh/target-pod-labels.yaml
+helm template ztm-ip-egress ./charts/zero-trust-mesh -n default -f ./examples/zero-trust-mesh/ip-egress.yaml
+```
+
+Expected: each command exits with status `0`.
+
+## New example
+
+```bash
+helm template ztm-service-deny-all ./charts/zero-trust-mesh -n default -f ./examples/zero-trust-mesh/service-deny-all.yaml
+```
+
+Expected: renders service-level deny-all resources for the selected workload only.
diff --git a/specs/016-service-deny-all/research.md b/specs/016-service-deny-all/research.md
new file mode 100644
index 0000000..d29aa18
--- /dev/null
+++ b/specs/016-service-deny-all/research.md
@@ -0,0 +1,34 @@
+# Research: Service-Level Deny All
+
+## Decision: Add a dedicated `serviceDenyAll` values block
+
+- **Decision**: Use `serviceDenyAll.enabled` with optional `serviceDenyAll.podLabels`.
+- **Rationale**: The chart already has `namespaceResourcesEnabled` for namespace-wide controls and `allowTo` for explicit service/host/IP allows. A dedicated block keeps the new safety switch separate from both concepts.
+- **Alternatives considered**:
+ - Reuse `namespaceResourcesEnabled`: rejected because the requested behavior must not affect the entire namespace.
+ - Add a special `allowTo` entry: rejected because deny-all is a baseline isolation state, not an allow rule.
+
+## Decision: Render service-level deny-all with Kubernetes NetworkPolicy
+
+- **Decision**: Render a NetworkPolicy that selects only the service workload pods and lists both `Ingress` and `Egress` policy types with no rules.
+- **Rationale**: Kubernetes NetworkPolicy deny behavior is driven by selecting pods and omitting allow rules. NetworkPolicy is additive, so later allow policies can open explicit paths for the selected pods.
+- **Existing repo evidence**: `charts/zero-trust-mesh/templates/networkpolicy-default-deny.yaml` already uses no allow rules for namespace baseline deny-all.
+
+## Decision: Render service-level Istio default deny with AuthorizationPolicy selector
+
+- **Decision**: Render an Istio AuthorizationPolicy with a workload selector and no allow rules when `istio.enabled` is not false.
+- **Rationale**: Existing chart baseline uses an empty AuthorizationPolicy to establish default-deny behavior. Adding a selector scopes that behavior to one workload. Avoiding action `DENY` keeps later explicit ALLOW policies usable.
+- **Boundary**: Istio AuthorizationPolicy covers inbound authorization. Outbound denial is handled by Kubernetes NetworkPolicy for this feature.
+
+## Decision: Selector override is required
+
+- **Decision**: Default selector is `app.kubernetes.io/name: `, with `serviceDenyAll.podLabels` override.
+- **Rationale**: Existing chart service allow rules support target selector override because real workloads may not use the default label. Service-level deny-all has the same risk and needs an explicit override path.
+
+## Compatibility Notes
+
+- `serviceDenyAll.enabled` defaults to false and renders no resources unless explicitly enabled.
+- `namespaceResourcesEnabled` templates are left unchanged.
+- Existing `allowTo` service, host, and IP templates are left unchanged.
+- `networkPolicy.enabled: false` suppresses the service-level NetworkPolicy.
+- `istio.enabled: false` suppresses the service-level AuthorizationPolicy.
diff --git a/specs/016-service-deny-all/spec.md b/specs/016-service-deny-all/spec.md
new file mode 100644
index 0000000..0f016fb
--- /dev/null
+++ b/specs/016-service-deny-all/spec.md
@@ -0,0 +1,101 @@
+# Feature Specification: Service-Level Deny All
+
+**Feature Branch**: `016-service-deny-all`
+**Created**: 2026-05-21
+**Status**: Draft
+**Input**: Jira `DMVP-10070`: add a service-level deny-all mode so one workload can deny inbound and outbound traffic without enabling namespace-wide deny-all.
+
+## User Scenarios & Testing *(mandatory)*
+
+### User Story 1 - Isolate one service first (Priority: P1)
+
+As a zero-trust-mesh chart consumer, I can enable deny-all for one selected workload, so I can safely isolate that service before adding explicit allow rules.
+
+**Why this priority**: This is the requested safety control for Checkpoint rollout. Namespace-level deny-all is too broad for incremental adoption because it can affect every workload in the namespace.
+
+**Independent Test**: Render `charts/zero-trust-mesh` with service-level deny-all enabled, then verify the output includes workload-scoped Kubernetes `NetworkPolicy` deny-all for both ingress and egress plus a workload-scoped Istio `AuthorizationPolicy` default deny.
+
+**Acceptance Scenarios**:
+
+1. **Given** service-level deny-all is enabled for workload `frontend`, **When** the chart is rendered, **Then** the generated NetworkPolicy selects only `frontend` pods and lists both `Ingress` and `Egress` policy types.
+2. **Given** the same values, **When** the chart is rendered, **Then** the generated Istio AuthorizationPolicy selects only `frontend` pods and provides default-deny behavior for inbound mesh traffic.
+3. **Given** namespace baseline is disabled, **When** service-level deny-all is rendered, **Then** no namespace-wide deny-all NetworkPolicy is created by that setting.
+
+---
+
+### User Story 2 - Preserve existing allow rules (Priority: P2)
+
+As an existing chart consumer, I can keep using service, host, and IP allow rules without behavior changes caused by adding service-level deny-all.
+
+**Why this priority**: The new control must be additive and compatible with follow-up explicit allow rules.
+
+**Independent Test**: Render existing examples and focused render checks after the new option is added.
+
+**Acceptance Scenarios**:
+
+1. **Given** existing `allowTo[].service` rules, **When** the chart is rendered, **Then** existing NetworkPolicy ingress and AuthorizationPolicy allow resources still render.
+2. **Given** existing `allowTo[].hosts` and `allowTo[].ips` rules, **When** the chart is rendered, **Then** existing ServiceEntry and IP egress NetworkPolicy behavior remains valid.
+
+---
+
+### User Story 3 - Discover safe rollout values (Priority: P3)
+
+As a service owner, I can find an example for service-level deny-all, so I can start with a safe isolated service and later add explicit allow rules.
+
+**Why this priority**: The option changes the public chart values contract and should be easy to discover.
+
+**Independent Test**: Follow the example under `examples/zero-trust-mesh/service-deny-all.yaml` and render it successfully with Helm.
+
+**Acceptance Scenarios**:
+
+1. **Given** a user reads the chart README, **When** they scan the key values table, **Then** they can find the service-level deny-all option and its intended scope.
+2. **Given** the documented example, **When** a user runs its top-line Helm command, **Then** the chart renders successfully.
+
+### Edge Cases
+
+- Service-level deny-all must not create namespace-wide deny resources when `namespaceResourcesEnabled` is false.
+- If NetworkPolicy support is disabled with `networkPolicy.enabled: false`, the chart must not render the service-level NetworkPolicy.
+- If Istio support is disabled with `istio.enabled: false`, the chart must not render the service-level AuthorizationPolicy.
+- Consumers must be able to override the workload pod selector when the default `app.kubernetes.io/name: ` label does not match their deployment labels.
+- Existing namespace baseline resources must remain unchanged.
+
+## Requirements *(mandatory)*
+
+### Functional Requirements
+
+- **FR-001**: The chart MUST support an optional service/workload-level deny-all values block that defaults to disabled.
+- **FR-002**: When service-level deny-all is enabled and NetworkPolicy rendering is enabled, the chart MUST render a Kubernetes `NetworkPolicy` that selects only the configured workload pods.
+- **FR-003**: The service-level NetworkPolicy MUST deny both inbound and outbound traffic by including `Ingress` and `Egress` policy types without allow rules.
+- **FR-004**: When service-level deny-all is enabled and Istio rendering is enabled, the chart MUST render an Istio `AuthorizationPolicy` that selects only the configured workload pods and denies inbound mesh traffic by default.
+- **FR-005**: The service-level deny-all selector MUST default to `app.kubernetes.io/name: `.
+- **FR-006**: The service-level deny-all values MUST allow selector override for services whose pods use different labels.
+- **FR-007**: Service-level deny-all MUST NOT enable or alter namespace-wide deny-all resources.
+- **FR-008**: Existing `allowTo[].service`, `allowTo[].hosts`, and `allowTo[].ips` behavior MUST remain compatible.
+- **FR-009**: The chart MUST document the new values in `charts/zero-trust-mesh/values.yaml` and `charts/zero-trust-mesh/README.md`.
+- **FR-010**: The repository MUST include a runnable example under `examples/zero-trust-mesh/`.
+- **FR-011**: The change MUST include a render check that fails against the previous chart and passes after implementation.
+- **FR-012**: The affected chart version MUST be bumped according to repository constitution requirements.
+
+### Key Entities
+
+- **Service-level deny-all option**: A values block that enables deny-all behavior for the current workload only.
+- **Workload selector**: The labels used by generated policies to select the service pods.
+- **Service deny-all NetworkPolicy**: A workload-scoped Kubernetes policy with both ingress and egress policy types and no allow rules.
+- **Service default-deny AuthorizationPolicy**: A workload-scoped Istio policy that establishes default-deny inbound mesh behavior for the selected workload.
+
+### Assumptions
+
+- Kubernetes NetworkPolicy is additive, so later allow policies can open specific traffic for the same selected pods.
+- Istio AuthorizationPolicy default-deny behavior can be established for a selected workload without using a DENY action that would block later ALLOW policies.
+- Outbound traffic denial is enforced by Kubernetes NetworkPolicy in this chart; Istio AuthorizationPolicy is used for inbound mesh authorization.
+
+## Success Criteria *(mandatory)*
+
+### Measurable Outcomes
+
+- **SC-001**: Rendering the service-level deny-all test fixture produces exactly workload-scoped deny resources and no namespace-wide deny-all resource.
+- **SC-002**: Rendered service-level NetworkPolicy contains both `Ingress` and `Egress` policy types.
+- **SC-003**: Rendered service-level deny resources select the intended workload labels.
+- **SC-004**: Existing zero-trust-mesh examples render successfully after the change.
+- **SC-005**: `helm lint ./charts/zero-trust-mesh` completes with 0 failed charts.
+- **SC-006**: A reviewer can locate the new values shape in README, `values.yaml`, and a runnable example in under 5 minutes.
diff --git a/specs/016-service-deny-all/tasks.md b/specs/016-service-deny-all/tasks.md
new file mode 100644
index 0000000..b08e74d
--- /dev/null
+++ b/specs/016-service-deny-all/tasks.md
@@ -0,0 +1,107 @@
+# Tasks: Service-Level Deny All
+
+**Input**: Design documents from `/specs/016-service-deny-all/`
+**Prerequisites**: `plan.md`, `spec.md`, `research.md`, `data-model.md`, `contracts/render-contract.md`, `quickstart.md`
+
+**Tests**: This feature requires Helm lint/template checks plus a focused render assertion.
+
+**Organization**: Tasks are grouped by user story to enable independent implementation and testing.
+
+## Phase 1: Setup (Shared Infrastructure)
+
+**Purpose**: Capture the missing service-level deny-all behavior before implementation.
+
+- [x] T001 Review existing namespace baseline deny-all templates and document behavior in `specs/016-service-deny-all/research.md`
+- [x] T002 Add `charts/zero-trust-mesh/tests/service-deny-all-values.yaml` with service-level deny-all enabled for one workload
+- [x] T003 Add `charts/zero-trust-mesh/tests/render-service-deny-all.sh` to assert workload-scoped NetworkPolicy and AuthorizationPolicy output
+- [x] T004 Run `./charts/zero-trust-mesh/tests/render-service-deny-all.sh ./charts/zero-trust-mesh` before implementation and confirm it fails because service-level deny-all resources are absent
+
+---
+
+## Phase 2: Foundational (Blocking Prerequisites)
+
+**Purpose**: Add selector helper behavior needed by both service-level deny-all templates.
+
+- [x] T005 Add a service deny-all pod-label helper in `charts/zero-trust-mesh/templates/_helpers.tpl`
+- [x] T006 Ensure the helper defaults to `app.kubernetes.io/name: `
+- [x] T007 Ensure the helper supports `serviceDenyAll.podLabels` override
+
+**Checkpoint**: Shared workload selector behavior is available.
+
+---
+
+## Phase 3: User Story 1 - Isolate one service first (Priority: P1) MVP
+
+**Goal**: Render deny-all resources for one selected workload.
+
+**Independent Test**: `./charts/zero-trust-mesh/tests/render-service-deny-all.sh ./charts/zero-trust-mesh`
+
+- [x] T008 [US1] Add `charts/zero-trust-mesh/templates/networkpolicy-service-deny-all.yaml`
+- [x] T009 [US1] Add `charts/zero-trust-mesh/templates/istio-service-deny-all.yaml`
+- [x] T010 [US1] Re-run the focused render assertion and confirm it exits `0`
+
+**Checkpoint**: Service-level deny-all is rendered and independently verifiable.
+
+---
+
+## Phase 4: User Story 2 - Preserve existing allow rules (Priority: P2)
+
+**Goal**: Keep existing service, host, and IP allow behavior valid.
+
+**Independent Test**: Existing examples and render checks complete successfully.
+
+- [x] T011 [US2] Render default chart values and confirm service-level deny-all is absent by default
+- [x] T012 [US2] Render existing zero-trust-mesh examples from `specs/016-service-deny-all/quickstart.md`
+- [x] T013 [US2] Confirm existing default-empty render assertion still exits `0`
+
+**Checkpoint**: Existing consumers are not regressed.
+
+---
+
+## Phase 5: User Story 3 - Discover safe rollout values (Priority: P3)
+
+**Goal**: Document and demonstrate service-level deny-all.
+
+**Independent Test**: A user can render the repo-level example command successfully.
+
+- [x] T014 [US3] Document `serviceDenyAll` in `charts/zero-trust-mesh/values.yaml`
+- [x] T015 [US3] Document `serviceDenyAll` in `charts/zero-trust-mesh/README.md`
+- [x] T016 [US3] Add `examples/zero-trust-mesh/service-deny-all.yaml` with a top-line runnable Helm command
+- [x] T017 [US3] Render the new example with `helm template ztm-service-deny-all ./charts/zero-trust-mesh -n default -f ./examples/zero-trust-mesh/service-deny-all.yaml`
+
+**Checkpoint**: Documentation and example values show the new safe rollout option.
+
+---
+
+## Phase 6: Polish & Cross-Cutting Concerns
+
+**Purpose**: Final compliance, versioning, and release readiness.
+
+- [x] T018 Add Speckit artifacts under `specs/016-service-deny-all/`
+- [x] T019 Bump `charts/zero-trust-mesh/Chart.yaml` patch version
+- [x] T020 Run `helm lint ./charts/zero-trust-mesh`
+- [x] T021 Run focused render assertion `./charts/zero-trust-mesh/tests/render-service-deny-all.sh ./charts/zero-trust-mesh`
+- [x] T022 Run existing example regressions from `specs/016-service-deny-all/quickstart.md`
+- [x] T023 Run `git diff --check`
+
+## Dependencies & Execution Order
+
+- Phase 1 precedes implementation because the render assertion must fail first.
+- Phase 2 precedes US1 because both templates use the shared selector helper.
+- US2 depends on final template output to validate regression behavior.
+- US3 depends on finalized values shape and render output.
+- Phase 6 depends on all stories.
+
+## Parallel Opportunities
+
+- Documentation updates (`T014`, `T015`) can run after values shape is final.
+- Example rendering and default rendering can run in parallel during verification.
+- Speckit documentation can be reviewed independently of template code after behavior is finalized.
+
+## Implementation Strategy
+
+1. Prove current behavior fails the new service-level deny-all assertion.
+2. Add selector helper and deny-all templates.
+3. Confirm focused service-level deny-all rendering.
+4. Confirm existing zero-trust-mesh examples still render.
+5. Add docs/example/version bump and run Helm validation.
From b3bdca2aae8bedce4bdcf05ad0322ab569c20cb3 Mon Sep 17 00:00:00 2001
From: Julia A
Date: Mon, 25 May 2026 10:17:13 +0400
Subject: [PATCH 2/8] feat(016-service-deny-all): Service Deny and allow traffic
---
 charts/base/Chart.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/base/Chart.yaml b/charts/base/Chart.yaml
index 1b0c48f..cd054c4 100644
--- a/charts/base/Chart.yaml
+++ b/charts/base/Chart.yaml
@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.32
+version: 0.3.31
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.3.32"
+appVersion: "0.3.31"
 dependencies:
   - name: gateway-api
From 87b6300cbd0e14c0237d9d8da7952c3cf4021c86 Mon Sep 17 00:00:00 2001
From: Julia A
Date: Mon, 25 May 2026 11:27:01 +0400
Subject: [PATCH 3/8] feat(gitlab_repos_managment): Gitlab repos managment
---
 charts/base/Chart.yaml | 6 +--
 charts/base/values.yaml | 4 +-
 charts/zero-trust-mesh/README.md | 17 ++-----
 charts/zero-trust-mesh/templates/_helpers.tpl | 8 +--
 .../templates/istio-allow-from.yaml | 7 +--
 .../templates/istio-authorizations.yaml | 51 -------------------
 .../templates/istio-egress-gateway.yaml | 7 +--
 .../templates/istio-serviceentries.yaml | 7 +--
 .../templates/networkpolicy-allow-from.yaml | 7 +--
 .../templates/networkpolicy-flows.yaml | 48 -----------------
 .../templates/networkpolicy-host-egress.yaml | 7 +--
 .../templates/networkpolicy-ip-egress.yaml | 7 +--
 .../networkpolicy-service-egress.yaml | 7 +--
 charts/zero-trust-mesh/values.yaml | 45 ----------------
 14 files changed, 17 insertions(+), 211 deletions(-)
 delete mode 100644 charts/zero-trust-mesh/templates/istio-authorizations.yaml
 delete mode 100644 charts/zero-trust-mesh/templates/networkpolicy-flows.yaml
diff --git a/charts/base/Chart.yaml b/charts/base/Chart.yaml
index cd054c4..dabee78 100644
--- a/charts/base/Chart.yaml
+++ b/charts/base/Chart.yaml
@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.31
+version: 0.3.30
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.3.31"
+appVersion: 0.3.30
 dependencies:
   - name: gateway-api
@@ -30,7 +30,7 @@ dependencies:
     alias: gatewayApi
     condition: gatewayApi.enabled
   - name: zero-trust-mesh
-    version: 0.1.4
+    version: 0.1.3
     repository: "https://dasmeta.github.io/helm"
     alias: zeroTrustMesh
     condition: zeroTrustMesh.enabled
diff --git a/charts/base/values.yaml b/charts/base/values.yaml
index efebdec..d4c3dfd 100644
--- a/charts/base/values.yaml
+++ b/charts/base/values.yaml
@@ -1031,8 +1031,8 @@ gatewayApi:
 zeroTrustMesh:
   enabled: false
   # Keep empty by default so enabling the subchart from base does not create
-  # sample ingress or egress allow rules.
-  allowPolicies: []
+  # sample service or external egress allow rules.
+  allowTo: []
   # enabled: true
   # namespaceResourcesEnabled: true
diff --git a/charts/zero-trust-mesh/README.md b/charts/zero-trust-mesh/README.md
index e1a38df..ca58ab9 100644
--- a/charts/zero-trust-mesh/README.md
+++ b/charts/zero-trust-mesh/README.md
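Review bot: `appVersion: 0.3.30` drops the quotes that the comment immediately above it (`It is recommended to use it with quotes.`) asks for and that the removed `appVersion: "0.3.31"` line had; `0.3.30` cannot parse as a number so it still loads as a string, but the file now contradicts its own guidance — keep `appVersion: "0.3.30"`. In the second hunk the `zero-trust-mesh` dependency is pinned back to `0.1.3` while this same patch deletes two of that subchart's templates and removes value keys from it, and `charts/zero-trust-mesh/Chart.yaml` does not appear in the diffstat, so the published 0.1.3 package presumably does not contain these template changes and a base-chart install would render the older templates. Removing accepted keys is a breaking change for subchart consumers and normally calls for a bump rather than a downgrade; the preceding patch in this series also steps the base `version` down, which the semver comment in this hunk advises against.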
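Review bot: `allowTo: []` sets a key that this same patch stops reading — every template hunk below replaces the `concat (.Values.egress …) (.Values.allowTo …)` seed with `$egress := list`, and the README hunk removes `allowFrom` / `allowTo` from the documented values — so the override is now inert. The comment says the empty list exists so that enabling the subchart from base does not create sample allow rules; if the subchart's default `allowPolicies` is non-empty, replacing `allowPolicies: []` with `allowTo: []` lets those sample allows render for anyone who sets `zeroTrustMesh.enabled: true`. Keep `allowPolicies: []` and change only the comment text.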
@@ -100,10 +100,9 @@ For `type: ingress` entries:
 - `allowUnauthenticated` (optional, default `false`): omit the Istio source principal match for non-mesh sources such as `ingress-nginx`; keep `podLabels` set so NetworkPolicy still restricts packet sources
 For `type: egress` entries, service destinations use `service` as the peer
-service name. The older `workload` key is still accepted. For service
-destinations it renders service-scoped egress `NetworkPolicy` rules only; the
-destination service must open inbound traffic with its own ingress allow policy
-if it has `denyAll.enabled: true`.
+service name. For service destinations it renders service-scoped egress
+`NetworkPolicy` rules only; the destination service must open inbound traffic
+with its own ingress allow policy if it has `denyAll.enabled: true`.
 `type: egress` supports three destination forms:
@@ -127,12 +126,6 @@ if it has `denyAll.enabled: true`.
 Source service account defaults to `service`, or can be set with top-level
 `serviceAccount`.
-The split `ingress` and `egress` lists, plus `allowFrom` and `allowTo`, remain
-supported for backward compatibility. `workload` and `serviceDenyAll` are
-accepted as deprecated aliases for `service` and `denyAll`. `allowpolices` is
-accepted as a deprecated misspelled alias, but new values should use
-`allowPolicies`.
-
 If your cluster does not have an `istio-egressgateway` Service name, set:
 - `istio.egressGateway.serviceName` to your real gateway Service
 - `istio.egressGateway.selector` to labels of that gateway workload
@@ -161,10 +154,6 @@ Most security defaults are now implicit in templates. Advanced overrides can sti
 | `allowPolicies[].allowUnauthenticated` | Allow non-mesh inbound sources; NetworkPolicy should still restrict source pods or CIDRs | `false` |
 | `allowPolicies[].hosts` | Approved external hosts for ServiceEntry-based egress | `["api.stripe.com"]` |
 | `allowPolicies[].ips` | Approved external destination IPs or CIDR blocks for direct IP egress | `["192.0.2.10"]` |
-| `allowPolicies[].targetPodLabels` / `sourcePodLabels` | Legacy selector aliases still accepted by split or typed entries | `{ app: backend }` |
-| `allowpolices` | Deprecated misspelled alias for `allowPolicies` | `[]` |
-| `allowFrom` / `allowTo` | Backward-compatible aliases for `ingress` / `egress` | `[]` |
-| `legacyAllowToIngress.enabled` | Also render the previous target-side ingress policies from service egress entries | `false` |
 ## Install
diff --git a/charts/zero-trust-mesh/templates/_helpers.tpl b/charts/zero-trust-mesh/templates/_helpers.tpl
index cf8b06e..b8fc472 100644
--- a/charts/zero-trust-mesh/templates/_helpers.tpl
+++ b/charts/zero-trust-mesh/templates/_helpers.tpl
@@ -46,9 +46,7 @@ TCP
 {{- end -}}
 {{- define "ztm.targetPodLabels" -}}
-{{- if .targetPodLabels -}}
-{{- toYaml .targetPodLabels -}}
-{{- else if .podLabels -}}
+{{- if .podLabels -}}
 {{- toYaml .podLabels -}}
 {{- else -}}
 app.kubernetes.io/name: {{ default .workload .service }}
@@ -56,9 +54,7 @@ app.kubernetes.io/name: {{ default .workload .service }}
 {{- end -}}
 {{- define "ztm.sourcePodLabels" -}}
-{{- if .sourcePodLabels -}}
-{{- toYaml .sourcePodLabels -}}
-{{- else if .podLabels -}}
+{{- if .podLabels -}}
 {{- toYaml .podLabels -}}
 {{- else -}}
 app.kubernetes.io/name: {{ default .workload .service }}
diff --git a/charts/zero-trust-mesh/templates/istio-allow-from.yaml b/charts/zero-trust-mesh/templates/istio-allow-from.yaml
index 6a14c75..415714e 100644
--- a/charts/zero-trust-mesh/templates/istio-allow-from.yaml
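Review bot: Both helper hunks keep `app.kubernetes.io/name: {{ default .workload .service }}` in the `else` branch, so a `workload` key is still honoured as an alias for `service`, while the README hunk in this same patch deletes the sentence that documented `workload` (and `serviceDenyAll`) as accepted aliases; the `$denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll` context line in the istio-allow-from, networkpolicy-allow-from and networkpolicy-host-egress hunks keeps the other alias the same way. An undocumented but honoured selector key is a hazard in a policy chart: a consumer who renames `workload` to `service` and leaves the old key behind gets whichever value `default` picks, with no warning, and the generated policies select pods accordingly. Either drop the alias here (`app.kubernetes.io/name: {{ .service }}`) and in the `$denyAll` lines, or restore the README sentence so the behaviour stays documented. If the alias stays, a short comment that `default .workload .service` prefers `.service` and falls back to `.workload` would help, since the argument order reads the other way round.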
+++ b/charts/zero-trust-mesh/templates/istio-allow-from.yaml
@@ -1,16 +1,11 @@
 {{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}}
 {{- $istio := .Values.istio | default (dict) -}}
-{{- $ingress := concat (.Values.ingress | default (list)) (.Values.allowFrom | default (list)) -}}
+{{- $ingress := list -}}
 {{- range (.Values.allowPolicies | default (list)) -}}
 {{- if eq (default "" .type) "ingress" -}}
 {{- $ingress = append $ingress . -}}
 {{- end -}}
 {{- end -}}
-{{- range (.Values.allowpolices | default (list)) -}}
-{{- if eq (default "" .type) "ingress" -}}
-{{- $ingress = append $ingress . -}}
-{{- end -}}
-{{- end -}}
 {{- if and (default false $denyAll.enabled) (default true $istio.enabled) $ingress }}
 {{- $targetNamespace := include "ztm.workloadNamespace" . -}}
 {{- $targetServiceAccount := include "ztm.workloadServiceAccount" . -}}
diff --git a/charts/zero-trust-mesh/templates/istio-authorizations.yaml b/charts/zero-trust-mesh/templates/istio-authorizations.yaml
deleted file mode 100644
index f6ee09d..0000000
--- a/charts/zero-trust-mesh/templates/istio-authorizations.yaml
+++ /dev/null
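Review bot: Seeding `$ingress := list` drops `.Values.ingress` and `.Values.allowFrom` without any signal, so a values file that still uses those keys renders no allow policy at all; with `denyAll.enabled: true` the workload is then fully isolated and `helm template` still exits 0. The same applies to `.Values.egress` / `.Values.allowTo` in the istio-egress-gateway and istio-serviceentries hunks and to the networkpolicy-allow-from, networkpolicy-host-egress and networkpolicy-ip-egress hunks. Failing closed is the safe direction for a policy chart, but a silent drop of allow rules is hard to diagnose during a migration; consider rejecting the removed keys explicitly, e.g. `{{- if or .Values.ingress .Values.allowFrom .Values.allowpolices }}{{- fail "ingress/allowFrom/allowpolices were removed; use allowPolicies[] with type: ingress" }}{{- end }}`, ideally in one shared helper so each template does not repeat it. The enclosing `if` block continues past the end of the hunk.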
@@ -1,51 +0,0 @@
-{{- $istio := .Values.istio | default (dict) -}}
-{{- $legacy := .Values.legacyAllowToIngress | default (dict) -}}
-{{- $egress := concat (.Values.egress | default (list)) (.Values.allowTo | default (list)) -}}
-{{- range (.Values.allowPolicies | default (list)) -}}
-{{- if eq (default "" .type) "egress" -}}
-{{- $egress = append $egress . -}}
-{{- end -}}
-{{- end -}}
-{{- range (.Values.allowpolices | default (list)) -}}
-{{- if eq (default "" .type) "egress" -}}
-{{- $egress = append $egress . -}}
-{{- end -}}
-{{- end -}}
-{{- if and (default false $legacy.enabled) (default true $istio.enabled) $egress }}
-{{- $sourceNamespace := include "ztm.workloadNamespace" . -}}
-{{- $sourceServiceAccount := include "ztm.workloadServiceAccount" . -}}
-{{- range $egress }}
-{{- $targetService := default .workload .service -}}
-{{- if $targetService }}
-{{- $targetNamespace := default $sourceNamespace .namespace -}}
-{{- $targetServiceAccount := default $targetService .serviceAccount -}}
-{{- $policyName := printf "allow-%s-to-%s" $sourceServiceAccount $targetServiceAccount -}}
----
-apiVersion: security.istio.io/v1
-kind: AuthorizationPolicy
-metadata:
-  name: {{ include "ztm.sanitizeName" $policyName }}
-  namespace: {{ $targetNamespace }}
-spec:
-  selector:
-    matchLabels:
-    {{- include "ztm.targetPodLabels" . | nindent 6 }}
-  action: ALLOW
-  rules:
-  - from:
-    - source:
-        principals:
-        - {{ printf "cluster.local/ns/%s/sa/%s" $sourceNamespace $sourceServiceAccount | quote }}
-    to:
-    - operation:
-        {{- if .methods }}
-        methods:
-        {{- toYaml .methods | nindent 14 }}
-        {{- end }}
-        {{- if .paths }}
-        paths:
-        {{- toYaml .paths | nindent 14 }}
-        {{- end }}
-{{ end }}
-{{ end }}
-{{- end }}
diff --git a/charts/zero-trust-mesh/templates/istio-egress-gateway.yaml b/charts/zero-trust-mesh/templates/istio-egress-gateway.yaml
index c4fdbc1..1b717a9 100644
--- a/charts/zero-trust-mesh/templates/istio-egress-gateway.yaml
+++ b/charts/zero-trust-mesh/templates/istio-egress-gateway.yaml
@@ -2,17 +2,12 @@
 {{- $egw := $istio.egressGateway | default (dict) -}}
 {{- $egwNamespace := default "istio-system" $egw.namespace -}}
 {{- $egwServiceName := default "istio-egressgateway" $egw.serviceName -}}
-{{- $egress := concat (.Values.egress | default (list)) (.Values.allowTo | default (list)) -}}
+{{- $egress := list -}}
 {{- range (.Values.allowPolicies | default (list)) -}}
 {{- if eq (default "" .type) "egress" -}}
 {{- $egress = append $egress . -}}
 {{- end -}}
 {{- end -}}
-{{- range (.Values.allowpolices | default (list)) -}}
-{{- if eq (default "" .type) "egress" -}}
-{{- $egress = append $egress . -}}
-{{- end -}}
-{{- end -}}
 {{- if and (ne $istio.enabled false) (eq $egw.enabled true) $egress }}
 {{- $workloadNamespace := include "ztm.workloadNamespace" . -}}
 {{- range $egress }}
diff --git a/charts/zero-trust-mesh/templates/istio-serviceentries.yaml b/charts/zero-trust-mesh/templates/istio-serviceentries.yaml
index 7a91ee2..129592c 100644
--- a/charts/zero-trust-mesh/templates/istio-serviceentries.yaml
+++ b/charts/zero-trust-mesh/templates/istio-serviceentries.yaml
@@ -1,15 +1,10 @@
 {{- $istio := .Values.istio | default (dict) -}}
-{{- $egress := concat (.Values.egress | default (list)) (.Values.allowTo | default (list)) -}}
+{{- $egress := list -}}
 {{- range (.Values.allowPolicies | default (list)) -}}
 {{- if eq (default "" .type) "egress" -}}
 {{- $egress = append $egress . -}}
 {{- end -}}
 {{- end -}}
-{{- range (.Values.allowpolices | default (list)) -}}
-{{- if eq (default "" .type) "egress" -}}
-{{- $egress = append $egress . -}}
-{{- end -}}
-{{- end -}}
 {{- if and (default true $istio.enabled) $egress }}
 {{- $workloadNamespace := include "ztm.workloadNamespace" . -}}
 {{- range $egress }}
diff --git a/charts/zero-trust-mesh/templates/networkpolicy-allow-from.yaml b/charts/zero-trust-mesh/templates/networkpolicy-allow-from.yaml
index 7aa4645..568d56c 100644
--- a/charts/zero-trust-mesh/templates/networkpolicy-allow-from.yaml
+++ b/charts/zero-trust-mesh/templates/networkpolicy-allow-from.yaml
@@ -1,17 +1,12 @@
 {{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}}
 {{- $np := .Values.networkPolicy | default (dict) -}}
 {{- $labels := .Values.labels | default (dict) -}}
-{{- $ingress := concat (.Values.ingress | default (list)) (.Values.allowFrom | default (list)) -}}
+{{- $ingress := list -}}
 {{- range (.Values.allowPolicies | default (list)) -}}
 {{- if eq (default "" .type) "ingress" -}}
 {{- $ingress = append $ingress . -}}
 {{- end -}}
 {{- end -}}
-{{- range (.Values.allowpolices | default (list)) -}}
-{{- if eq (default "" .type) "ingress" -}}
-{{- $ingress = append $ingress . -}}
-{{- end -}}
-{{- end -}}
 {{- if and (default false $denyAll.enabled) (default true $np.enabled) $ingress }}
 {{- $targetNamespace := include "ztm.workloadNamespace" . -}}
 {{- $targetWorkload := include "ztm.workloadName" . -}}
diff --git a/charts/zero-trust-mesh/templates/networkpolicy-flows.yaml b/charts/zero-trust-mesh/templates/networkpolicy-flows.yaml
deleted file mode 100644
index 3f49cb9..0000000
--- a/charts/zero-trust-mesh/templates/networkpolicy-flows.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-{{- $np := .Values.networkPolicy | default (dict) -}}
-{{- $legacy := .Values.legacyAllowToIngress | default (dict) -}}
-{{- $labels := .Values.labels | default (dict) -}}
-{{- $egress := concat (.Values.egress | default (list)) (.Values.allowTo | default (list)) -}}
-{{- range (.Values.allowPolicies | default (list)) -}}
-{{- if eq (default "" .type) "egress" -}}
-{{- $egress = append $egress . -}}
-{{- end -}}
-{{- end -}}
-{{- range (.Values.allowpolices | default (list)) -}}
-{{- if eq (default "" .type) "egress" -}}
-{{- $egress = append $egress . -}}
-{{- end -}}
-{{- end -}}
-{{- if and (default false $legacy.enabled) (default true $np.enabled) $egress }}
-{{- $sourceNamespace := include "ztm.workloadNamespace" . -}}
-{{- $sourceWorkload := include "ztm.workloadName" . -}}
-{{- range $egress }}
-{{- $targetService := default .workload .service -}}
-{{- if $targetService }}
-{{- $targetNamespace := default $sourceNamespace .namespace -}}
-{{- $ruleName := printf "%s-to-%s-%v" $sourceWorkload $targetService (.port | default 8080) -}}
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: allow-{{ include "ztm.sanitizeName" $ruleName }}
- namespace: {{ $targetNamespace }}
-spec:
- podSelector:
- matchLabels:
- {{- include "ztm.targetPodLabels" . | nindent 6 }}
- policyTypes:
- - Ingress
- ingress:
- - from:
- - namespaceSelector:
- matchLabels:
- {{ default "kubernetes.io/metadata.name" $labels.namespaceLabelKey }}: {{ $sourceNamespace }}
- podSelector:
- matchLabels:
- app.kubernetes.io/name: {{ $sourceWorkload }}
- ports:
- - port: {{ .port | default 8080 }}
- protocol: {{ .protocol | default "TCP" }}
-{{ end }}
-{{ end }}
-{{- end }}
diff --git a/charts/zero-trust-mesh/templates/networkpolicy-host-egress.yaml b/charts/zero-trust-mesh/templates/networkpolicy-host-egress.yaml
index 9a199ed..ce7f51c 100644
--- a/charts/zero-trust-mesh/templates/networkpolicy-host-egress.yaml
+++ b/charts/zero-trust-mesh/templates/networkpolicy-host-egress.yaml
@@ -1,16 +1,11 @@
 {{- $np := .Values.networkPolicy | default (dict) -}}
 {{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}}
-{{- $egress := concat (.Values.egress | default (list)) (.Values.allowTo | default (list)) -}}
+{{- $egress := list -}}
 {{- range (.Values.allowPolicies | default (list)) -}}
 {{- if eq (default "" .type) "egress" -}}
 {{- $egress = append $egress . -}}
 {{- end -}}
 {{- end -}}
-{{- range (.Values.allowpolices | default (list)) -}}
-{{- if eq (default "" .type) "egress" -}}
-{{- $egress = append $egress . -}}
-{{- end -}}
-{{- end -}}
 {{- if and (default false $denyAll.enabled) (default true $np.enabled) $egress }}
 {{- $workloadNamespace := include "ztm.workloadNamespace" . -}}
 {{- $sourceWorkload := include "ztm.workloadName" . -}}
diff --git a/charts/zero-trust-mesh/templates/networkpolicy-ip-egress.yaml b/charts/zero-trust-mesh/templates/networkpolicy-ip-egress.yaml
index ea809b3..e515489 100644
--- a/charts/zero-trust-mesh/templates/networkpolicy-ip-egress.yaml
+++ b/charts/zero-trust-mesh/templates/networkpolicy-ip-egress.yaml
@@ -1,15 +1,10 @@
 {{- $np := .Values.networkPolicy | default (dict) -}}
-{{- $egress := concat (.Values.egress | default (list)) (.Values.allowTo | default (list)) -}}
+{{- $egress := list -}}
 {{- range (.Values.allowPolicies | default (list)) -}}
 {{- if eq (default "" .type) "egress" -}}
 {{- $egress = append $egress . -}}
 {{- end -}}
 {{- end -}}
-{{- range (.Values.allowpolices | default (list)) -}}
-{{- if eq (default "" .type) "egress" -}}
-{{- $egress = append $egress . -}}
-{{- end -}}
-{{- end -}}
 {{- if and (ne $np.enabled false) $egress }}
 {{- $workloadNamespace := include "ztm.workloadNamespace" . -}}
 {{- $sourceWorkload := include "ztm.workloadName" . -}}
diff --git a/charts/zero-trust-mesh/templates/networkpolicy-service-egress.yaml b/charts/zero-trust-mesh/templates/networkpolicy-service-egress.yaml
index a72cc65..87030dc 100644
--- a/charts/zero-trust-mesh/templates/networkpolicy-service-egress.yaml
+++ b/charts/zero-trust-mesh/templates/networkpolicy-service-egress.yaml
@@ -1,17 +1,12 @@
 {{- $np := .Values.networkPolicy | default (dict) -}}
 {{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}}
 {{- $labels := .Values.labels | default (dict) -}}
-{{- $egress := concat (.Values.egress | default (list)) (.Values.allowTo | default (list)) -}}
+{{- $egress := list -}}
 {{- range (.Values.allowPolicies | default (list)) -}}
 {{- if eq (default "" .type) "egress" -}}
 {{- $egress = append $egress . -}}
 {{- end -}}
 {{- end -}}
-{{- range (.Values.allowpolices | default (list)) -}}
-{{- if eq (default "" .type) "egress" -}}
-{{- $egress = append $egress . -}}
-{{- end -}}
-{{- end -}}
 {{- if and (default false $denyAll.enabled) (default true $np.enabled) $egress }}
 {{- $sourceNamespace := include "ztm.workloadNamespace" . -}}
 {{- $sourceWorkload := include "ztm.workloadName" . -}}
diff --git a/charts/zero-trust-mesh/values.yaml b/charts/zero-trust-mesh/values.yaml
index ece1c37..d878645 100644
--- a/charts/zero-trust-mesh/values.yaml
+++ b/charts/zero-trust-mesh/values.yaml
@@ -27,24 +27,6 @@ serviceDenyAll: {}
 # `type: egress` entries open outbound traffic from the current service.
 allowPolicies: []
-# Deprecated misspelled alias for allowPolicies. Prefer allowPolicies.
-allowpolices: []
-
-# Backward-compatible split lists.
-egress: []
-ingress: []
-
-# Backward-compatible aliases for older values APIs.
-allowTo: []
-allowFrom: []
-
-# Backward-compatibility switch for the previous allowTo service behavior, where
-# allowTo/egress also rendered target-side ingress NetworkPolicy and
-# AuthorizationPolicy resources. Keep disabled when each service owns its own
-# inbound ingress rules.
-legacyAllowToIngress:
- enabled: false
-
 # Example typed allow entries:
 # allowPolicies:
 # - type: ingress
@@ -92,30 +74,3 @@ legacyAllowToIngress:
 # # ports:
 # # - number: 443
 # # protocol: TCP
-
-# Legacy split-list ingress examples:
-# ingress:
-# - service: frontend
-# serviceAccount: frontend
-# # Optional source pod selector override; defaults to:
-# # app.kubernetes.io/name:
-# # sourcePodLabels:
-# # app: frontend
-# port: 80
-# methods: ["GET"]
-# paths: ["/*"]
-# - service: ingress-nginx
-# namespace: ingress-nginx
-# sourcePodLabels:
-# app.kubernetes.io/name: ingress-nginx
-# app.kubernetes.io/component: controller
-# port: 80
-# # Use when the source is not in the mesh and has no Istio principal.
-# # NetworkPolicy still restricts packets to sourcePodLabels.
-# allowUnauthenticated: true
-# - service: internal-alb
-# # Use VPC CIDR or narrower ALB subnet CIDRs for AWS ALB target-type ip.
-# sourceIpBlocks:
-# - 172.31.0.0/16
-# port: 80
-# allowUnauthenticated: true
From 7ba04fc0a8a1d2a7a5769b9c2919d971230c840d Mon Sep 17 00:00:00 2001
From: Julia A
Date: Mon, 25 May 2026 11:27:51 +0400
Subject: [PATCH 4/8] feat(016-service-deny-all): Service Deny and allow traffic
---
 charts/base/Chart.lock | 6 +++---
 charts/base/charts/zero-trust-mesh-0.1.4.tgz | Bin 9533 -> 0 bytes
 2 files changed, 3 insertions(+), 3 deletions(-)
 delete mode 100644 charts/base/charts/zero-trust-mesh-0.1.4.tgz
diff --git a/charts/base/Chart.lock b/charts/base/Chart.lock
index bb9e6ab..21c70a1 100644
--- a/charts/base/Chart.lock
+++ b/charts/base/Chart.lock
@@ -4,6 +4,6 @@ dependencies:
 version: 0.1.3
 - name: zero-trust-mesh
 repository: https://dasmeta.github.io/helm
- version: 0.1.4
-digest: sha256:30c9d3bbf30655057ba330fc10b341a63636f4887de22569a71de6bba25ef21e
-generated: "2026-05-21T11:13:58+04:00"
+ version: 0.1.3
+digest: sha256:e7ff901ebce4f9fa8dbaea29f55b6504a4c102dfab5184ab65516eb11cbbfdbb
+generated: "2026-05-25T11:27:24.6417+04:00"
diff --git a/charts/base/charts/zero-trust-mesh-0.1.4.tgz b/charts/base/charts/zero-trust-mesh-0.1.4.tgz deleted file mode 100644 index c1dfb23735ca27bdcb334af0908d31983b1bc5df..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 9533 zcmV-DCBoVtiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKBxciT47cmL+6n1^vU_HIaBtk|i#?Ky7ZZTvP(ePVa}>`C)h zGznSQP$Wx0c3eB({W-W2;6*pfvXclsr?E&}2A7%n%>V=bh4R#+`Gin!jL4|+yfv?RNR!c6V>@tIpGIyVu^^?R56PYIl0wz1~;QUL6U|X+mg_ zf7QNqTjkDuA}Pr5zfn$bn)KnK>jYV*f4UvN?K%-6VU9D(AH78J7(%v0V3_9c)8q{0 z38IL=YeX;8{QYqnJdr;T5BCMz4HFK064* zbdu0MxGp2`CxkK>1~Ear<_zVYDlADPJ{%^&S&Se};w!)jqzQtvfS?#BIu|Qh^xb## zpKlOJCwYj7s3hu()*OR&MXnd43lu|yk}EHWV;@dOm;fd~f+5N|eK-koG)4&xV#w1t zPA3%TC`cS*!pbee84805L4cXKjZsL6=n5Sn2q$@tl0pt=X+(VI5hvmxj{D9d06;eB z?2$ozmPWGPG_PMFeOV;PGXK3+4n9s>LeT%ym{684OQTo88H$N22&`zIEuVyr%rV@ybf;@BECtB@W%`>CioV?T?Ee+a_&mq8wRY_0-| z86%M_#*~jE@g30}o?Q;mw4$6MBxp+G2<0GD6C4~LDGE+gUIYL8UwJxitPjVSUIDqp zG#v37*?46+y1?m#fUHZi#u*v~7dXwIFtL&|Hjp`5q6-kjB!wI$5z0{nG|0~p^$3oT zn)wnO3iwJsn9xz0mEDi-$9!2iEfD&!CX}=K)2R!IgY$NrtmQnLdsTw(DNGh9}EX`>jp0(xAF`}b1V$0n9@$l4r zr*Z{!#2>c)E}zX9S)5RmCqe85@tG#zSAyW*$Is#U(Tg{bGM$v?=_ShH;MEU6CT9tv z{GDK-gWpd03%OWXbAU57%3_9&vLE6!e6Ksn=<4iu{oRh=_S>z_UVSh5O8GSjCUk@n zin(m*1I;JM>Km%<+F203SAyP}O+o0|=hLP~^_2Csxih1bP(GhQhJ8YFoFP9<$9lev zUWF4v(=o4?w6Z*URdAlCldNEX(-9&Ff*ipZ<>yQ`U^*&BVEb9S_44%e zm`NGv^>+D>lO5maY)-9?dXP-UXDB!3Pjd1@h#gv{m@ zD;+8aTyvC#ouDE*Jb?!|droEl4@KiF4k#k6KSn6dP)>ZB-O?2_ z!~fIU@9viTKYM$7osIuz9qIboW1<}=2;9Hu*k^Lh1@GfWhrP+sIr{JhWpNOqgE$8F z?f(zFzuMk6-n)OeupM(|-j=EXe6e}(Iv6AH|1BJetiE5Q64}`S*K^^9F|)e|>T6?vx*%JU?YmtF2V}$nf0Uol(Bf*9xN;9U&JX>w{t{sdb;H$q=8zjqcla zghN_Truoub?7ZrNXIa(0hD8?J@+Uis5xz2-w^cb+yIF)2-S|TJ8E)zafbn&SsQLSN zVxj5P_0|$V_JI03#bDTA-l*5?xO_Xu%n78WQJ-rvL;0nCN7MfVJIQ_sAfzeR*b3F_LNF1@T!-t_*#ciQrK*K~eMy2njXSzdOsbY(dg{G=)| zhE!GDJTg;q%ripMSZARzij5(ex4oojr&?qjB*8g~yt6A_P)nhcVgg4f9{Xg};(O{M zmjR+ae)Nhba$g>9AQ#91+<&;>{^6E8xe)$q#{ZZZl^(a8ykVY>m){efh5y@6pW67p 
z+wOIrZt(v)(%td?7GFT7QWOswmEo51a`nGs*fI1X;#dQa|yhg4-tYcf7qrUKHY{tbqKw}B(#Th66YBmq zrF#3{L5}{M;2cGIaNoYu3K0ym{p68fn%?Ju7Ii^=aC@^h#(Q)46BcgKRTA@_xidzwjVz_Bts#qUirS+-vHx)h9l(;79K~= z3s%!j;A#tQAi+t55(;~Qjvy2#=?-4K`sFtV#I~)d+2Aq1&S44LNlIZm&B2%caPYYY zd}l}04dB7`M_m^OPwIt9`;hyR>)Vj|fgdYSJ?5TXKC{IWv2!6k&cuGs3Axs*D2ykB zqTG+uFo;_TX?;yvBxvzvRAzws6?6lCPEv{r>XdA<9tab@G&n^TnwtGdGnDfcW|OWA z0ab}E4c10PskC;$9dfD4dWcbC<9+xPybnoPiwlS#kKwU7RnM7DuR0tms&X-xL#?ZT z87Dl-2drGhv$Aho_}U6HV_)<$-enpSr?8QAB+RQ5`BVf~IhL{P*BH5`T|G`C z)Q97PlatezZ+`jp$Cr!E&%bd_CqXQQP0cjr>4c&=X2-k0fi0D)^Hp80#-tgYuj{z1 zROjHAXH;AYUlZXzuvUgX5M5ewEa&#LZmG>iJ>Z`3v6xe2(^Wjz^vUVwK^o?g03Zo| zY0vnyS?3dBwj3csaZ=;oU?bVLN5%h|_~at=EtiX1(K8i}vYZpvDz9Jb3k=Ym&)U5X zeN8R%jiTkhnepd+1FBCf&BFf~Lb+!g5x{A(un{oR|5L&L-QD)){-?F1FVX)a;vave zFb={4=t7r)i z&`kMXIse^x+TQs8*ODI4`R~=7FJ7|?zsw)^Bi2`VX0@{Sz0nPybDC5B%Zs7z#Q(py zx7)6q|7&mj|7%Ih`u{f$^atxeU+8$=TD;|3lBDA_r+n4$OO2$zSvY!Jc-96t(=q(+ z%Tpd@U&_?$?N)M~n8ElHf^yxA&u?L>%uA75T&VTK)oWfo$3Lt&<1C#?aH-S$Dh0c1 zx?EAAdDp^L=8KLPEgaX~Q6Rbn+gq8hZx@gk7MK?gl=s1=xd6*IU~C&r-vGaIVn-9c zv%_h%HqHKEEfGX3qo#XXnyaF>#*7)Qx`{mM$D{J6aGM%-57Colgv{NK~VH?I#~Il!+rjVI#Wi`OR(s5|kLJ)$N!&G|WJImkMa zO>F=$3fU_)uX^u5+h_8%J}V5?R-(?JS-dXVss2x{%5b)rA}i~t)93beF^$^Eu3Z-h zqKIi%)TD?k0*lPW>Mfqxl1tqV%#@PQaJy$;4Olok&1<8Ympau`%W>e6&78` z%GcBHYASKBy11!UP&CSjg?0A@*WFdsofMjTrqo$n;H=%%(ro`rjuL?wx4H*pR{Y<7 zr&r$p>vlHZe^^VpL;r7*S$l-mRislw3&jmUW@w>!vbi_p%eprt$?o{l5c67(sh3E7 z>X(G%lemJrs&{&Dl~*2`a_6==Xf+nqv-VDHe4v5H-ajK28nZ4Xu7P7h)y#+w)O}ho zIxtJ4lRLfOL+H!XtE>nQl;O}06nAz*P2AwMbqAfg>DW9gWnlj1OrE+K-9Awj;wW!E zg>_vG%)2gKAtJ$+8dQ4}RjL`yqP_yxmF`KCOF-VHCRISOl6ieUp)2_KQOs|dAxcNv zq9tf6&v^NgK)*4-urhQ8poZcoEFby`^OQ(8;iHLoZ9u%r;Kh0I-)-UmXYT*+Rq)?t z|9?&C7D(;k9s)C=L-myr{#Q9Ja0|7yK&;>W9TYHyqqr+-s=i{s4#khnF@Vo9%`N|z zz5Hjk{O`8AmHR*U+xr{&zmBwCOZ`(-8Qdg!kyOtM-<`e?R#21>89?-a^~Iqg5LwoZ zeecLaFdVFEig;6o2@D(~oHqb0ekC}2f4J0b z1D`lNNi0w@BL;rWs6+|_)D+abfhJ2slkKKUF%&15pXMpulyOJ6WzOpXG=aq(0i3>U zK~z&qgn7<}AM_=`4O{vAQeUxwU+R2`j+*`Z 
zFJcFOo-2Nr-?@Jn5OVd~;#0nYR$gaI?S8Lj|9f)@%q`Nq_-~XFD(${i-~ZCulZR|a&eE)G&>_T~w@ zQ0U#DWBt(Bj6;#GR+@S`Qi{)31?lfB9<{XEv#|3a>bV@UQx34Ueg0poZM{PuLX=gm z5cHs^TP=|P;0g7R5ZEdkC;48<$64)bbgULRmtf#mgZlrT?d(|zNdO{!1x z;(weii~i^E|L#`K|F$>Ze_l_z)&B1WsXthxUcY_(KtOmS(B6dF-!9bt9)T)NRS172 zW^9g-{(DES^F?yafnKktgzm%2!n2wYV}0O0+*$B`8A;9rkxLkgivZ0H=3FSvi~nwO z5A3Y?uTEwEf495w|E?$9p(l4KRJj6Ah}&M~gkE4Ta^8=S(@0(+4Ar?3O2OWLTK2 zGD^rM;%k%Ekrvhe%WMM7^#AXdH>>tg5Z=eWvXb4+~AX;J*gqdcS4#{bvizs>hQ*ODHb z|L6X{MY@>7$bMD+{OBj`P7=Jn@hGiUpHKBDnL+=z58jgXMWr|VVIMLar*yhH?mTT< zhhuI3QC;rtLb-bj<=&q=xBX%Bjn}I=mG%Fd!-E$;ANu2Hg>6jN|J`=49RJnX-Rtab z^#3~2BPgu^$N3p2cpSv=62)T(M?p?unC2k9T@62J@df{YBd(i^8X!!^<4K}E6z@2X z9>IzH0xSRGbnG}DypRfz=~)$6+mZ(M1rA_fX|I9f!QqD>q)ZAjV>U}8VMGG65(%V9 ze8n^^oaM}@E$m}X(vIWFuUy0U^wkM(K#)DCe$jhSrq0M+^SM}-T^i3`5Qga_p>P%u zWYc$v=?Kz{6=S1%dU_0FL`P{vT3J9xg!fOxc1V>Yx~p`7#`r{hCm1~QUkoFLf7 z386t8Lz;vLGL#pCx#M(w)mPasottG;0APpF^$0pUHT64=05(Of-X)F@sL$ds!Ulr@ zvn?D0Ye>B0G~%Q_2Vaimnd`&bcdRnUIUQjFVUCzlW3)`dG((Z9ob(+}qeMRQ5?o1u zz}Cg<6FIH=k$owe$7iil&RBfqHUe`=sS!Hg~u52+-=T2aVb3&i6IZq&n zB0wK9HVRbID?i=}0Rfr^!yyg<6SxRs90e3b#;D7h`!LMYgrX#xHs~DAIua~1?0}|B zhr=P%RmL!mad<>GSX?E=(T)viIFzw-FfISAJ*!sriG$=ECm;ALV_j8W)-_xk0ADRy zmp4quS(>1P_909Ynx}D$@-qD(Ch6BCC?t^{!ZF-f}}Gw5h> z3Q!FJXF>R$t&-+hvvY_xt$8!56<^VUw{DPOpQ)P+`C&SC-_>Ww8PDALrt7!;uHR|% zj3q2vd>+cggf=4NV&c&w5cU{Eh~V?YaRzc}4;Z%us?&wwkjzIeF%3t3rq~9O0|v0I zH%V%0y1EvG@~qLFwj^W#11D$c zB#D5b5GAM_uUsJ)!;C0l+6;@3K}%3VgDbXH5{x3p8CcSeuNbC*vm6ako}-A5 znSup8upqrmPy}aJJYP7;bEd#$Uwy~Ta0+4^5WX(8bhOr`s8+vwVl7LK5_1%zfFKhtG_G<{8v}8xSnzBl zETLD^*7KtmZ_J@*i!DhL4kVS2h)lu}80%bWF{i9HpENpalaZl zH$VtvOr=m&yTvNV=9DK;KqW$P5(tSfA;{pLK(Z=Axnr`952qspX&j;4WTN-ziZPNP zO0kmNN=PBO_vGzlH$$Qn#G;bS3@OuQ=KUX6@eL>}=f>Lk*90*Du{ z6+wcx>qQV>!RIJpT+=v5OUNlnO-}3CjDaGZYl<9D%x?~_7DugGi4f#S*pm}dC>%M` zQpz!3)58HOCaEz(Nk;8S+Q?Hd^=ezQayx&XYCfV ziY3_S^>+Es6FnZHA53ANF^Q92;0Q&`q`eS;jZN8bLMJ(D*%le(>4Y-PJ|XA{oJ}Yn zj3lLil3|*MVmt=s=V1rJisOU8T35U)od8zW!f<7jKY>ezy(-2TCIud=z@uz(7UR%6 
zI&P8%tZ&?w=L?mUU?b~zaCB_W4$h{}jmfe{$J~>^wW9DPOrJDst+UxFmLS2&d5qxb z_@Y;Q!j=!R7&pP#gVt_$z}pjZRqo?JM#K%Q5$8ZONa{zPub@HsYqnwq1=<-gUD7(v zNxjyt)zwefn8`KB)D)+HrkNL`3lvwF(RUoCK1dd0suiDH;YzHs;U!NXizh^?>jcfEk$q#b-Fi^vXBIE3d}h3*pkhF@! zFT}27Cqq55T9hT^OS?xY{Lp9gNX{%`|T< zM?tJS4XUo@3WV<9rR5>DbO>}5P+f(Z4Gyl&)mN&^&{H%moOiO;ZIWs;=U8a-!j(f) zz;wrPer5ujC}*o)!$RU+0v=1B5KcgE^80WQT?7degh~Ml%SgZ*xzr~K$3ThAwS^Hj zV08|}r1G6aemr2{3s=@p=t@qw|gSkb7L&l8+dM8QhXf<&BvCtsq%#dtMqCEfWN823*b!_Y{uxfd8ouejdhgu_YE`% zBn?h(VBop~QM%DH$0`zklCr1Ow7H)!Q~HToS8~BV;eN^|=Fsr)wpt55H+I;ip&&>r z;YyRBCNBz?X-wiPK+7mdC)7r_4ec1*a|6F9?bVF$6cIvnYZ}b{yiVB~Dr>*lNY9#C zEp?mLNK|APTz`~>ORj_)I4*e+iBvp}R4@aZqVuaPn z5bZ$VLZo?$>WHcLV%z|~fV^-+D2XD+A-k_(4KzPeJP#+1Oai zyOt#eb8$uc2>3tJnp=CMZULJxea-0)H zg+E;@DP~eLpvZIo!rhW--V$DXV+)cMdd_|D%(PXdPXz!FEGtifr4j1Go5LTEPEOza z=Z{}rzxt24;mfzZ141Ta69y4sK5&3dgCt@W6bIQbm~t*_;D5G9g{tR&2_-FY{*Qkc zUe5Zm-~Rk+_W9rT-fk)WyR*OF+noPdOH#0@58Ns5g_B$#1CUzYdNuPrfDL`C#{w!F z#az%AEqH7NI@31a%Xy8f`8}xXPq(PExo2Ht1O2#mE4#MBdB`-fTifo^S=)!V?vID3 zYWF&zBmSuMclX`hi=BG@7s|;i#DGsm%eOJ}{)b+#%>TQ4oBJQuk{*+%1{eH7n*jehHTYC>*8WZpk`a`2KG~ zLZJ_sLdO9ZV&`Lp5O{0`*%^{jZN2hAEsG}aS^F`#3UQVWg#^OwT6F%lO&U$rS%h;m zSf?_KTIK$pHb54yv0JWEy9ej5QaY~vI1Piim5`QPTrCo`>PMrpr#|=C+soQ3F=*wY zs>k3~wyCrkP;KPh#}jsA2(kYP`F*Ss(t7te9#-E_X`{_eMb_q)IQ zo%T(T;oqer?sq>-$B%2(v{2HDKIzg4(}V^%Awa}tmh{!=-37g;px*G)JZA{rzEf&m z_A6O)zgX*VbE6D32{ndzqX9nKG*$jrE`4221SnfWTNB$}m@?(v{DsX}QG1O^ z+T6yH_G@9ZRaW}^rd!kL1+lR{ug$9hy_)OQHgAL@UZsk)4=04CV+gWLY@yWIz(oX9 zkm2Rq(DgL7WXAEoecKlyUhm%hed{r}_DV2v&NE72UU*!oOrJ`Vv8>i{mB!i*=c%lG z_{A-;F+4U8=uBT5lLURp`1#TJsyLcC<#3SeY%t#!k>Ff9WCXW+lyez*Mn z*G^}Dga6i&9yIJi49N@vL9~Pfd@e!)hQP6U& z_Nmn6%$<4xP`YpVS9+UWL0HdAH0{*WI0IN8owZUM!!POiK(ua8L%4fkpanN2LQoWsS@0#OTI=p`i zKw~n<94JaOFK_R;4Wz1kre;dzD*(GwFpOyR?f{HY|4j5UyaIyl>4)j~foiyV`9I45U#yK;^1oY-|LS)3 zyPNp0wWJ!hxs~{DybgNxa(}T4rk7F&^>-StToE*1u>4R6nj+U4?`AFpytZAJyPx^K bd1R9|X_GeTb4>pi00960H#3sJ04@OlCok8B From 78e2da6e90ae482a2918ae9f4ec49f655f708081 Mon Sep 17 00:00:00 2001 
From: Julia A
Date: Mon, 25 May 2026 11:29:48 +0400
Subject: [PATCH 5/8] feat(016-service-deny-all): Service Deny and allow traffic
---
 charts/base/Chart.yaml | 2 +-
 charts/base/charts/zero-trust-mesh-0.1.3.tgz | Bin 0 -> 5108 bytes
 charts/base/values.yaml | 15 +++++++--------
 3 files changed, 8 insertions(+), 9 deletions(-)
 create mode 100644 charts/base/charts/zero-trust-mesh-0.1.3.tgz
diff --git a/charts/base/Chart.yaml b/charts/base/Chart.yaml
index dabee78..2408a9c 100644
--- a/charts/base/Chart.yaml
+++ b/charts/base/Chart.yaml
@@ -21,7 +21,7 @@ version: 0.3.30
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 0.3.30
+appVersion: "0.3.30"
 dependencies:
 - name: gateway-api
diff --git a/charts/base/charts/zero-trust-mesh-0.1.3.tgz b/charts/base/charts/zero-trust-mesh-0.1.3.tgz new file mode 100644 index 0000000000000000000000000000000000000000..8f5b13fe873d9bdc6501589fcda59e3856af36b7 GIT binary patch literal 5108 zcmVDc zVQyr3R8em|NM&qo0PH<$bKADE{mfsnLnkxRJtpY(Nj+@GPTL3{5{txRcLD5+3+yMH5szg#W!?hQdFN=3GUi{Q zMf}ZYE8T9ld$6}B{_l3X)&INwgM)8+`~7bBU@&+w7<|+1?ez~{d;{Ij2g34_Q--o{ zx(^lyQ?fG5T2{D~!QOd-l*En9llrIsOkqmy!&v2Gt zhAEt4c1g02BN9i`EBFVTP!gM<+oGJcP<3bl6pjhk(*F zF6vzrKz03|KXAS@)&4%Ey8kawoMZZV8NizT-#>WKukQc-L3g|VpQ7vl--0wnQ#^!k ziP+~T26BP3EDG_zAjC72$BY6aa{FgE#)#sw-S>{O1AOzx1cgKR7UhhpS=s(|KO7d)qsq7>i%F+1P<0v_gF`zgm zmlFbUM41n-3_KE2ustuv7dVzxAdL4?6CP$;Tqlhtt_a8Wkj{iW5)SwZ^Gm>Tp}L!dauQ%17pbvo2-QJVT6wUF{7(vbq^TQ%DEx~A-WM8Y@d49B$W z0(d7?s3g*d-NUYWu)u6iLOO)^?hnTkcNg5z+wsKxP}E0kE?#y}8g>4QKUZjrIpS|n z8u^rEQHuR3S?HDq{?nW?vXIl*Ni)L8l*Cjldp3`#=nBp=lBd3IJegyP0c98#I6KE7 zTt;kO(yGA*#gDUCmizq)*18#Ic#MlO8*^`>BkZ&zK$ux(MJrue;)e#J-^rO z`rS@{52h#q6jK6c7;=h3|L)UpGOA93$r98?*@(i+=`}eTeI^~KD*qW?q%mTcc7B`V zIK>(DS^7X#V2%7A?035r`G0V*zqghDPf@O~JNqh0pn;3*POm!{2219RKkS zr!ku1mvId4`~OAWr>^%;@54V_XvO3bXQe3crSW*m1-<`^R3v$SZxxenx54#XxB-^s z$rKI-;?HO?&S$ge5Am)T7$>3l+o{4g%j5VyFs50Quo<||srQ_^;J=e%Ujo~Tl4+cW z776_J=Kzpg z4fSYT*|I7R?aC#sJH7s)TW{P@anP^SQz)%OFERQ2NO4C4+k#l?^Z zuJak#lMGt;ccYp6^Q)2Du09+eP59ILC^Z~8o8B0iLdQETG*1H&dNJiV6q`zEFGnPq zMdxs%achOql$DU_eQ7Rs(RI0JdDp&HcCBqIp0w`<_=90Cs%wqcs3~A=cwymp2Y|xWBnoB)_!$erQ>)|3#EV#6vlolPvlq+;I2w3$6424EA2w`d`1dH#pepe@{`Q za2L*6gX75uOF3OM69%IeA}q_X>cz*>P14qV6{f#tuEL#CilX6nu#{mcIp`a#S+uq} z_tGw^48H6qL&-T_1|nye6`uA?GDr*Rl3iCYGUTaex39ykWmqv_RVpGclZylQADeu1U`S8C17Klyfg|9|f#~`N89J(eExz?9N zNr)2$2XcHgm0vbqzIpTZKMqLWob1sPPRycr;iD3?EuToEJW8ffib^=j`q$Tbo~Ch5 z8P5EeOi|oPXy-ZYP}DJ|tVFtb4sYQ1oG?W;UKlZ9BPq_r%-CQQ>sdLd%GO}{ttz0K zszK4RBwcT>+D#!58y@q)h5M`eQu@SJ3@lr1IPCRx(_i}amu9nn+OkgmEB@q#IJvs- zSD`iXzt`;zD)PVkqTk!f|EDPTlK;;Vnwiz>A4@jZ9pty0(ucIPOZELl46e0|_8KLm z@vVCH3MW^VOlwQa;t_>m>Am7sjJ3IHvT(gpB)DO0$iSKej2i^so))Tbz2%W#ds)Z- 
z<>x-{95H-}?kNG*`u}VEzt?}Uwf~-^+>ig`^Gja6;I?9o{2-Ue>Q;>glq;7Sy`l^+ zTv4ydgu>^SN+m9gph^c44z*NOKh$VZ6+uZ=UPxi29KO7D@tjMKL6DYHoI;9n-KdrtQtEckQyknVjeuEiiT7C->;vtM) zj>nVN@816W!|S`v&o5ENaulm&-Y`uW$r;{YcD#!S+54eBU-e~cOqzjw6XL246IS}~r{BzkSn_^MeK z6Jd@VV#=bV!2;)$9NJXzpHrV+Onu8K;MO=?ZAV$=v$e{b*ZLg@^ystpMM>Y#%Vt!x zJPd38{L-TQUS*yBmtvfWj{rDfDj4_9O5j@izu&9qfBivs8~^R6U;B-gf{NT6juLWjuLzay0qNbFpo?Z&}CxmHnjRb|1z5 zKj`*r_WxdY8~^_#<>|lwKB=|*Oo2Ee8KZolIHKC#l!~4Uhh1<}9X;m0o{0FaN~OKM zL9N!<3XMF870k)BUCW82E)O5SDLo>?n zS?Wtfj1fjn(Qy(jXgy1P9oMEp<;;+`st0D32~dr_Y#Bq}fCzSMYrxxW0jue*dG;G0 ziDFixn#Q&=S0%Q_j2WZ4iTW7b957a+bUC$KGCv}jAG)ALyYB#{DIY@pZk?~d=yB&h znn6MswC0HNnPX*@w&Vw#^X%;n+U-X`qK?o#eTK>-ah$NM(Q&8_2;IwN_z)LVOr#b* zgrAPbuYWuKpULsN)0b}?fDBU-=kndF)3F1^A&Ww1E+&{{A_hkhS-A$v^A{XK{;HT) z?K{xAzIv^rS-^57>I!;`t4bSq6@(~@(z^+=s*IW(*@4PSrIX#eZh*ot!<6D>g2)1} ztX!_%@|n%Kinw&YdF?)%BRU@ov(MUPin0A4i4t&kU8Datv>5qsN)m;ofpvz<_!_e} zy>O#c@k?XW8=!O4-#?)FLPy~Dy6w-sdH4#k;Ct{UF`SITAXJ`3YY=N2X%g19M>%~seDB8ULQ0&-<>Y8rjUS4xd zpt607GXssBVkwijv+%wU!n-cJlTviAWjlB0I9m_E*I1U@|BA24fXxTRfvxrb9_&^9 zzx%yy{MVBd$yZa$n`@n({VO_wlXR&EI7!X$ubThY5au5bsU^y-L&Xn^_3}_0e;NO8 zO2TpRIUcTW#S@OtMBY3grP@g%zVWGF$MVNkK>RJs#{B=jhkrIW|I_X7*W!PB{Vo50 zit+&dFPV+mQa$gpIBZT7XV5~i^ul)6b<~?3I{7n z!+D;f7$%fkIrFKAs!oQg6S*{~r|2*rr4rX6 zYG|OuN1_s-!>`l{zN!45#pLq79)NZ7zrTM_JO6dCJ^%G2f&k-@ma8niH4vhIGREE!|q|X-FU;t1C#?P{ny;^p^>=b{T?-e z^|`M2Sn1)85=$|t-uUrnPz`EJ=fQG*#f4kd6}HazaD5F;ORoZ>`EA<#oNj+@-(KVK z^kq}|AEip`zlRR6PX6!r`ql5h-Tv18f0A;4`EQ=0t{bY46#e~ZqI?@__pngAC)P4r zwtA#O_^PX8laRjl-DB=H(Nyj#V(;g>SQV`Y>MnJ0`MIqDOrtPcelGU9dYM;)fxa?U z4<0XGucCU?g6?YChJAr(^L@e1LAvl&gw0ju|GVRtuYNlA7vX0dW3~M6b@vad`CkSH z+xx$srtH*`FF8L&Nwh$5HQAFqyK3fqYRK|rWq0x&XJ-e->PW3PaT+_0SL8#05GPlK z0oGA@MJ^%)fh8dV$AjZP&{Smp;LJWHp_xcUrgdp01kN(fPD{I5fYf$8b;=bMlQ&~A zfCM|JpXd#$&>6KGZv5iaRfM;P)HRJ~h+-Q)k#a+4))DD8)SZeQamAs)Pi0wAR1hdJ zQl?>%M>j|YCnGrH44n$vPA&vRpF&;^NNMQY;(AFpx18b-*HqT9^I>V8HE^% z;B*dH5Cq)7a142@6sA=vd03WXEA>ne1dcPAM--+R=H`qsCY_QLhdK$$&?&F(7IUto 
zgc8YoMVyY+gz86?TQJ0Y)!G@$t~!Qwt#Z*qP_Ey$$*hSc#xV06Ns!dZTxc!Swv`#Y z+6FDl+)T5KBn&6v`t(LRJ5OV79xfYe8FRGaW7jis<-n>;InbCVXLXL8W!YkCT8r0s z50D)IA=b>!4oD*bLQJFc#Bl;eihye;2&hazBUE&;v)Meu*iPV7vIUt=Nx&H>DhALh zbey()p(i7NR>3EBH%PptnpY;m=wxNeq=rm6+@5P-b9QpBU~N*RKmo>Qpa~@i_-fF# z)Fd?5oE(jciuT3G4QT3(p;&Q&scNrQUH}~k#6mN>kW5}*q6@PqW;mlgBaw6`cBrzxl&VUp8?wCpP+ixT2hHO5hfXmy!d2p4??yPRlhrYSCX z4M|ldx$1849p_{QS0v9s-6{nk;bM<4n4=5KQ41Qb$qO{6;+uGv55)yy&=6~3-lZ3C zV8v(|MsabgRMFS+4kQl}t<}dOG6Ob8Om|TbfcIh9Yn8szlHV~>synLJ7A3_roQ|ZV zq`)#Xn?+MzKVogi`H6_Uq)I*2(;#=oB}9ufj;4`Ro(i|94==+Dl<*Bxuoo((iLxk; zi^ENY+M7d zjD5om1g;y%)=L!^-jV#1R`p9$^V;Rw+-|Wp)S}xJI@+#@mN=);Bn(S!mBS^JB?X$+ z6K;xquqz~i?Du4383i{Gy#HV~eE-4MDuS4B%|gv&kcyHJC>^WTM@=2L*(`;knC)|% za0!UR%`^j>7}u8a2e-@6Gp4=@+0r$@folRFK?^R{mQc|i-c$g}r%I?Auq@F9#GDDG z^+T}B|16Z$+CWM}xPg~Ta&mHPObO#jt5K~=F-}$2tqme%aMKX0g|8Spj50iBd`+4| znkqCOjw{0_(#8|U#2KPm?o0R`-(!t?BR`M&L*z46s;#x2*~AQ zUWN7U_=l76xG2L4~vPq;1H WvMqnV^8Wz<0RR7CQn?lYf&c(>g8#q( literal 0 HcmV?d00001 diff --git a/charts/base/values.yaml b/charts/base/values.yaml index d4c3dfd..6779768 100644 --- a/charts/base/values.yaml +++ b/charts/base/values.yaml @@ -1026,7 +1026,7 @@ gatewayApi: # - providers: # - name: envoy -# zero-trust-mesh subchart (zero-trust-mesh-0.1.4). Disabled by default; enable per release. +# zero-trust-mesh subchart (zero-trust-mesh-0.1.3). Disabled by default; enable per release. # Values under this key are passed to the subchart. zeroTrustMesh: enabled: false @@ -1036,11 +1036,10 @@ zeroTrustMesh: # enabled: true # namespaceResourcesEnabled: true - # allowPolicies: - # - type: egress - # service: backend - # port: 8080 - # - type: egress - # hosts: + # allowTo: + # - service: backend + # methods: ["GET", "POST"] + # paths: ["/*"] + # - hosts: # - google.com - # - www.google.com + # - www.google.com \ No newline at end of file From 98e6dd8a87784683428053db91bd75950d259e48 Mon Sep 17 00:00:00 2001 
From: Julia A
Date: Mon, 25 May 2026 11:30:41 +0400
Subject: [PATCH 6/8] feat(016-service-deny-all): Service Deny and allow traffic
---
 charts/base/values.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/charts/base/values.yaml b/charts/base/values.yaml
index 6779768..0bfc573 100644
--- a/charts/base/values.yaml
+++ b/charts/base/values.yaml
@@ -1038,8 +1038,9 @@ zeroTrustMesh:
 # namespaceResourcesEnabled: true
 # allowTo:
 # - service: backend
+ # port: 8080
 # methods: ["GET", "POST"]
 # paths: ["/*"]
 # - hosts:
 # - google.com
- # - www.google.com
\ No newline at end of file
+ # - www.google.com
From 6c976f7ee201dc7b77dd8cd02d55e351147d47a5 Mon Sep 17 00:00:00 2001
From: Julia A
Date: Mon, 25 May 2026 11:31:16 +0400
Subject: [PATCH 7/8] feat(016-service-deny-all): Service Deny and allow traffic
---
 charts/base/Chart.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/base/Chart.lock b/charts/base/Chart.lock
index 21c70a1..2eac893 100644
--- a/charts/base/Chart.lock
+++ b/charts/base/Chart.lock
@@ -6,4 +6,4 @@ dependencies:
 repository: https://dasmeta.github.io/helm
 version: 0.1.3
 digest: sha256:e7ff901ebce4f9fa8dbaea29f55b6504a4c102dfab5184ab65516eb11cbbfdbb
-generated: "2026-05-25T11:27:24.6417+04:00"
+generated: "2026-05-12T18:41:21.80521+04:00"
From cd6aa2c0bd84ad5c14c6088e241fe76ea390be90 Mon Sep 17 00:00:00 2001
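Review bot: The `zeroTrustMesh` example this hunk extends with `port: 8080` is written against `allowTo`, a key that patch 1/8 of this series removed from the zero-trust-mesh templates in this repository; it only matches the 0.1.3 subchart that patch 4/8 pinned in Chart.lock. When `charts/base` is re-pointed at the reworked subchart, a user copying this stanza will get the deny-all policies with no egress allow rule, because `allowTo` will no longer be read. Either switch the example to `allowPolicies` with `type: egress` when the pin is bumped, or mark the dependency on the pinned version now, e.g. `# NOTE: written for zero-trust-mesh 0.1.3; newer subchart versions read allowPolicies (type: egress) instead of allowTo`.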
From: Julia A
Date: Mon, 25 May 2026 14:11:12 +0400
Subject: [PATCH 8/8] feat(016-service-deny-all): Service Deny and allow traffic
---
 charts/zero-trust-mesh/README.md | 1 -
 charts/zero-trust-mesh/templates/_helpers.tpl | 4 ++--
 charts/zero-trust-mesh/templates/istio-allow-from.yaml | 4 ++--
 charts/zero-trust-mesh/templates/istio-service-deny-all.yaml | 4 ++--
 .../zero-trust-mesh/templates/networkpolicy-allow-from.yaml | 4 ++--
 .../zero-trust-mesh/templates/networkpolicy-host-egress.yaml | 4 ++--
 charts/zero-trust-mesh/templates/networkpolicy-ip-egress.yaml | 2 +-
 .../templates/networkpolicy-service-deny-all.yaml | 4 ++--
 .../zero-trust-mesh/templates/networkpolicy-service-dns.yaml | 4 ++--
 .../templates/networkpolicy-service-egress.yaml | 4 ++--
 .../templates/networkpolicy-service-istiod.yaml | 4 ++--
 charts/zero-trust-mesh/values.yaml | 3 ---
 12 files changed, 19 insertions(+), 23 deletions(-)
diff --git a/charts/zero-trust-mesh/README.md b/charts/zero-trust-mesh/README.md
index ca58ab9..bf88ff4 100644
--- a/charts/zero-trust-mesh/README.md
+++ b/charts/zero-trust-mesh/README.md
@@ -143,7 +143,6 @@ Most security defaults are now implicit in templates. Advanced overrides can sti
 | `namespaceResourcesEnabled` | Enables namespace-wide default deny, DNS, egress gateway, mTLS, and default-deny AuthorizationPolicy resources | `false` |
 | `denyAll.enabled` | Enables service-scoped deny-all for both inbound and outbound traffic | `false` |
 | `denyAll.podLabels` | Optional pod selector override for service-level deny-all resources | Not set; defaults to `app.kubernetes.io/name: ` |
-| `serviceDenyAll` | Deprecated alias for `denyAll` | `{}` |
 | `allowPolicies` | Preferred typed inbound/outbound allow rules owned by the current service | `[]` |
 | `allowPolicies[].type` | Policy direction, either `ingress` or `egress` | `ingress` |
 | `allowPolicies[].service` | Peer service name for ingress source or egress destination | `backend` |
diff --git a/charts/zero-trust-mesh/templates/_helpers.tpl b/charts/zero-trust-mesh/templates/_helpers.tpl
index b8fc472..272dc98 100644
--- a/charts/zero-trust-mesh/templates/_helpers.tpl
+++ b/charts/zero-trust-mesh/templates/_helpers.tpl
@@ -61,8 +61,8 @@ app.kubernetes.io/name: {{ default .workload .service }}
 {{- end -}}
 {{- end -}}
-{{- define "ztm.serviceDenyAllPodLabels" -}}
-{{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}}
+{{- define "ztm.denyAllPodLabels" -}}
+{{- $denyAll := .Values.denyAll | default (dict) -}}
 {{- if $denyAll.podLabels -}}
 {{- toYaml $denyAll.podLabels -}}
 {{- else -}}
diff --git a/charts/zero-trust-mesh/templates/istio-allow-from.yaml b/charts/zero-trust-mesh/templates/istio-allow-from.yaml
index 415714e..bcd8cd0 100644
--- a/charts/zero-trust-mesh/templates/istio-allow-from.yaml
+++ b/charts/zero-trust-mesh/templates/istio-allow-from.yaml
@@ -1,4 +1,4 @@
-{{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}}
+{{- $denyAll := .Values.denyAll | default (dict) -}}
 {{- $istio := .Values.istio | default (dict) -}}
 {{- $ingress := list -}}
 {{- range (.Values.allowPolicies | default (list)) -}}
@@ -23,7 +23,7 @@ metadata:
 spec:
 selector:
 matchLabels:
- {{- include "ztm.serviceDenyAllPodLabels" $ | nindent 6 }}
+ {{- include "ztm.denyAllPodLabels" $ | nindent 6 }}
 action: ALLOW
 rules:
 {{- if and .allowUnauthenticated (not (or .methods .paths)) }}
diff --git a/charts/zero-trust-mesh/templates/istio-service-deny-all.yaml b/charts/zero-trust-mesh/templates/istio-service-deny-all.yaml
index c1ae1d5..3958a06 100644
--- a/charts/zero-trust-mesh/templates/istio-service-deny-all.yaml
+++ b/charts/zero-trust-mesh/templates/istio-service-deny-all.yaml
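Review bot: Dropping the `.Values.serviceDenyAll` fallback from this helper turns the deprecated alias into a silent fail-open: a release whose values still set `serviceDenyAll.enabled: true` now renders no deny-all NetworkPolicy or AuthorizationPolicy, since every gate in this series is `default false $denyAll.enabled` and nothing reads the old key any more, and `helm upgrade` accepts unknown values without comment. The same fallback is removed in the istio-allow-from hunk on this line and in the istio-service-deny-all, networkpolicy-allow-from, networkpolicy-host-egress, networkpolicy-service-deny-all, networkpolicy-service-dns, networkpolicy-service-egress and networkpolicy-service-istiod hunks, and `serviceDenyAll: {}` is deleted from values.yaml. Because the outcome of a stale key is loss of default-deny rather than a render error, refuse the key instead of ignoring it; the guard must sit outside any deny-all gate (a stale release never reaches this helper), for example before the `if` in istio-service-deny-all.yaml: `{{- if .Values.serviceDenyAll }}{{ fail "serviceDenyAll was removed; set denyAll instead" }}{{- end }}`. The helper's `else` branch, which supplies the default selector, is outside the hunk.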
@@ -1,4 +1,4 @@
-{{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}}
+{{- $denyAll := .Values.denyAll | default (dict) -}}
 {{- $istio := .Values.istio | default (dict) -}}
 {{- if and (default false $denyAll.enabled) (default true $istio.enabled) }}
 apiVersion: security.istio.io/v1
@@ -11,5 +11,5 @@ metadata:
 spec:
 selector:
 matchLabels:
- {{- include "ztm.serviceDenyAllPodLabels" . | nindent 6 }}
+ {{- include "ztm.denyAllPodLabels" . | nindent 6 }}
 {{- end }}
diff --git a/charts/zero-trust-mesh/templates/networkpolicy-allow-from.yaml b/charts/zero-trust-mesh/templates/networkpolicy-allow-from.yaml
index 568d56c..41275a9 100644
--- a/charts/zero-trust-mesh/templates/networkpolicy-allow-from.yaml
+++ b/charts/zero-trust-mesh/templates/networkpolicy-allow-from.yaml
@@ -1,4 +1,4 @@
-{{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}}
+{{- $denyAll := .Values.denyAll | default (dict) -}}
 {{- $np := .Values.networkPolicy | default (dict) -}}
 {{- $labels := .Values.labels | default (dict) -}}
 {{- $ingress := list -}}
@@ -23,7 +23,7 @@ metadata:
 spec:
 podSelector:
 matchLabels:
- {{- include "ztm.serviceDenyAllPodLabels" $ | nindent 6 }}
+ {{- include "ztm.denyAllPodLabels" $ | nindent 6 }}
 policyTypes:
 - Ingress
 ingress:
diff --git a/charts/zero-trust-mesh/templates/networkpolicy-host-egress.yaml b/charts/zero-trust-mesh/templates/networkpolicy-host-egress.yaml
index ce7f51c..992dcc9 100644
--- a/charts/zero-trust-mesh/templates/networkpolicy-host-egress.yaml
+++ b/charts/zero-trust-mesh/templates/networkpolicy-host-egress.yaml
@@ -1,5 +1,5 @@
 {{- $np := .Values.networkPolicy | default (dict) -}}
-{{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}}
+{{- $denyAll := .Values.denyAll | default (dict) -}}
 {{- $egress := list -}}
 {{- range (.Values.allowPolicies | default (list)) -}}
 {{- if eq (default "" .type) "egress" -}}
@@ -31,7 +31,7 @@ metadata:
 spec:
 podSelector:
 matchLabels:
- {{- include "ztm.serviceDenyAllPodLabels" . | nindent 6 }}
+ {{- include "ztm.denyAllPodLabels" . | nindent 6 }}
 policyTypes:
 - Egress
 egress:
diff --git a/charts/zero-trust-mesh/templates/networkpolicy-ip-egress.yaml b/charts/zero-trust-mesh/templates/networkpolicy-ip-egress.yaml
index e515489..bede1e5 100644
--- a/charts/zero-trust-mesh/templates/networkpolicy-ip-egress.yaml
+++ b/charts/zero-trust-mesh/templates/networkpolicy-ip-egress.yaml
@@ -26,7 +26,7 @@ metadata:
 spec:
 podSelector:
 matchLabels:
- {{- include "ztm.serviceDenyAllPodLabels" $ | nindent 6 }}
+ {{- include "ztm.denyAllPodLabels" $ | nindent 6 }}
 policyTypes:
 - Egress
 egress:
diff --git a/charts/zero-trust-mesh/templates/networkpolicy-service-deny-all.yaml b/charts/zero-trust-mesh/templates/networkpolicy-service-deny-all.yaml
index 3f49fbc..b71aee7 100644
--- a/charts/zero-trust-mesh/templates/networkpolicy-service-deny-all.yaml
+++ b/charts/zero-trust-mesh/templates/networkpolicy-service-deny-all.yaml
@@ -1,4 +1,4 @@
-{{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}}
+{{- $denyAll := .Values.denyAll | default (dict) -}}
 {{- $np := .Values.networkPolicy | default (dict) -}}
 {{- if and (default false $denyAll.enabled) (default true $np.enabled) }}
 apiVersion: networking.k8s.io/v1
@@ -11,7 +11,7 @@ metadata:
 spec:
 podSelector:
 matchLabels:
- {{- include "ztm.serviceDenyAllPodLabels" . | nindent 6 }}
+ {{- include "ztm.denyAllPodLabels" . | nindent 6 }}
 policyTypes:
 - Ingress
 - Egress
diff --git a/charts/zero-trust-mesh/templates/networkpolicy-service-dns.yaml b/charts/zero-trust-mesh/templates/networkpolicy-service-dns.yaml
index 1710bc9..3452be0 100644
--- a/charts/zero-trust-mesh/templates/networkpolicy-service-dns.yaml
+++ b/charts/zero-trust-mesh/templates/networkpolicy-service-dns.yaml
@@ -1,4 +1,4 @@
-{{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}}
+{{- $denyAll := .Values.denyAll | default (dict) -}}
 {{- $np := .Values.networkPolicy | default (dict) -}}
 {{- $nsr := .Values.namespaceResources | default (dict) -}}
 {{- if and (default false $denyAll.enabled) (default true $np.enabled) (not (default false (default .Values.namespaceResourcesEnabled $nsr.enabled))) }}
@@ -12,7 +12,7 @@ metadata:
 spec:
 podSelector:
 matchLabels:
- {{- include "ztm.serviceDenyAllPodLabels" . | nindent 6 }}
+ {{- include "ztm.denyAllPodLabels" . | nindent 6 }}
 policyTypes:
 - Egress
 egress:
diff --git a/charts/zero-trust-mesh/templates/networkpolicy-service-egress.yaml b/charts/zero-trust-mesh/templates/networkpolicy-service-egress.yaml
index 87030dc..ffffffb 100644
--- a/charts/zero-trust-mesh/templates/networkpolicy-service-egress.yaml
+++ b/charts/zero-trust-mesh/templates/networkpolicy-service-egress.yaml
@@ -1,5 +1,5 @@
 {{- $np := .Values.networkPolicy | default (dict) -}}
-{{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}}
+{{- $denyAll := .Values.denyAll | default (dict) -}}
 {{- $labels := .Values.labels | default (dict) -}}
 {{- $egress := list -}}
 {{- range (.Values.allowPolicies | default (list)) -}}
@@ -24,7 +24,7 @@ metadata:
 spec:
 podSelector:
 matchLabels:
- {{- include "ztm.serviceDenyAllPodLabels" $ | nindent 6 }}
+ {{- include "ztm.denyAllPodLabels" $ | nindent 6 }}
 policyTypes:
 - Egress
 egress:
diff --git a/charts/zero-trust-mesh/templates/networkpolicy-service-istiod.yaml b/charts/zero-trust-mesh/templates/networkpolicy-service-istiod.yaml
index 19d583f..70e9a00 100644
--- a/charts/zero-trust-mesh/templates/networkpolicy-service-istiod.yaml
+++ b/charts/zero-trust-mesh/templates/networkpolicy-service-istiod.yaml
@@ -1,4 +1,4 @@
-{{- $denyAll := default (.Values.serviceDenyAll | default (dict)) .Values.denyAll -}}
+{{- $denyAll := .Values.denyAll | default (dict) -}}
 {{- $np := .Values.networkPolicy | default (dict) -}}
 {{- $istio := .Values.istio | default (dict) -}}
 {{- $nsr := .Values.namespaceResources | default (dict) -}}
@@ -13,7 +13,7 @@ metadata:
 spec:
 podSelector:
 matchLabels:
- {{- include "ztm.serviceDenyAllPodLabels" . | nindent 6 }}
+ {{- include "ztm.denyAllPodLabels" . | nindent 6 }}
 policyTypes:
 - Egress
 egress:
diff --git a/charts/zero-trust-mesh/values.yaml b/charts/zero-trust-mesh/values.yaml
index d878645..b2a5784 100644
--- a/charts/zero-trust-mesh/values.yaml
+++ b/charts/zero-trust-mesh/values.yaml
@@ -19,9 +19,6 @@ namespaceResourcesEnabled: false
 # # component: api
 denyAll: {}
-# Deprecated alias for denyAll. Prefer denyAll.
-serviceDenyAll: {}
-
 # Single typed allow list. Defaults to no service-level allow rules.
 # `type: ingress` entries open inbound traffic to the current service.
 # `type: egress` entries open outbound traffic from the current service.