apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ml-pipeline-ui
  namespace: kubeflow
spec:
  # Scope: pods of the pipelines UI only.
  selector:
    matchLabels:
      app: ml-pipeline-ui
  # No `action` is given, so this is an ALLOW policy: a request is admitted
  # when any rule matches and rejected by the sidecar otherwise.
  rules:
    # Admit only traffic whose peer identity comes from the istio-system
    # namespace (presumably the ingress gateway — confirm). Callers from any
    # other namespace, including user namespaces, are denied at the sidecar.
    # Namespace matching is derived from the mTLS peer certificate, so it
    # only works when the connection is mTLS; plaintext calls never match.
    - from:
        - source:
            namespaces:
              - istio-system
---
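apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ml-pipeline
  namespace: kubeflow
spec:
  # Scope: pods of the pipelines API server only.
  selector:
    matchLabels:
      app: ml-pipeline
  # No `action` is given, so this is an ALLOW policy: a request passes when
  # ANY rule below matches; a request matching none is rejected by the sidecar.
  rules:
    # Rule 1: the pipelines system components, identified by their mTLS peer
    # identity (service-account principal), are admitted unconditionally.
    # These are therefore the only callers that can pass a kubeflow-userid
    # header through to the API server (see rule 2).
    - from:
        - source:
            principals:
              - cluster.local/ns/kubeflow/sa/ml-pipeline
              - cluster.local/ns/kubeflow/sa/ml-pipeline-ui
              - cluster.local/ns/kubeflow/sa/ml-pipeline-persistenceagent
              - cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
              - cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
              - cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
    # Rule 2: for user workloads, which cannot use HTTP headers for
    # authentication. It has no `from`, so it matches a request from ANY
    # source as long as the request carries no kubeflow-userid header.
    # Net effect: a user identity asserted via that header is honoured only
    # from the principals in rule 1, while header-less requests reach the
    # API server from anywhere in the mesh.
    # NOTE(review): any client can simply omit the header, so the API server
    # must treat header-less requests as unauthenticated — confirm it does.
    - when:
        - key: request.headers[kubeflow-userid]
          notValues: ['*']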
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ml-pipeline-visualizationserver
  namespace: kubeflow
spec:
  # Scope: pods of the visualization server only.
  selector:
    matchLabels:
      app: ml-pipeline-visualizationserver
  # ALLOW policy (default action) with a single rule: only the listed
  # pipelines service accounts, proven via their mTLS peer identity, may
  # call this server. Unlike the ml-pipeline policy there is no header-based
  # rule here, so requests from any other identity are rejected outright.
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/kubeflow/sa/ml-pipeline
              - cluster.local/ns/kubeflow/sa/ml-pipeline-ui
              - cluster.local/ns/kubeflow/sa/ml-pipeline-persistenceagent
              - cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
              - cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
              - cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-cache-server
  namespace: kubeflow
spec:
  # Scope: pods of the cache server (note the policy name differs from the
  # selector label; the label is what matters).
  selector:
    matchLabels:
      app: cache-server
  # A single empty rule matches every request, so this is an unconditional
  # allow-all for the cache server from anywhere in the mesh.
  # NOTE(review): this is deliberately looser than the other policies in this
  # file; confirm the cache server needs to be reachable by arbitrary callers
  # rather than only the pipelines service accounts listed above.
  rules:
    - {}
---
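apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ml-pipeline-ui
  # Pinned to kubeflow for consistency with the AuthorizationPolicies in
  # this file; previously unset, so it depended on the namespace used at
  # apply time.
  namespace: kubeflow
spec:
  host: ml-pipeline-ui.kubeflow.svc.cluster.local
  trafficPolicy:
    tls:
      # Client sidecars must originate mTLS to this host with their Istio
      # certificate, which is what gives the AuthorizationPolicies above a
      # verifiable peer identity (namespace/principal) to match on.
      mode: ISTIO_MUTUAL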
---
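apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ml-pipeline
  # Pinned to kubeflow for consistency with the AuthorizationPolicies in
  # this file; previously unset, so it depended on the namespace used at
  # apply time.
  namespace: kubeflow
spec:
  host: ml-pipeline.kubeflow.svc.cluster.local
  trafficPolicy:
    tls:
      # Client sidecars must originate mTLS to the API server with their
      # Istio certificate; the principals rule in the ml-pipeline
      # AuthorizationPolicy relies on that peer identity.
      mode: ISTIO_MUTUAL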
---
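apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ml-pipeline-visualizationserver
  # Pinned to kubeflow for consistency with the AuthorizationPolicies in
  # this file; previously unset, so it depended on the namespace used at
  # apply time.
  namespace: kubeflow
spec:
  host: ml-pipeline-visualizationserver.kubeflow.svc.cluster.local
  trafficPolicy:
    tls:
      # Client sidecars must originate mTLS to the visualization server with
      # their Istio certificate; its AuthorizationPolicy matches on that
      # peer identity only, so a plaintext call would be rejected.
      mode: ISTIO_MUTUAL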