Add policies to enforce or add Istio ambient mode (#1084)

* feat: add policy to enforce Istio ambient mode

Signed-off-by: Steven Smiley <smiley@scalesec.com>

* feat: add policy to add Istio ambient mode

Signed-off-by: Steven Smiley <smiley@scalesec.com>

---------

Signed-off-by: Steven Smiley <smiley@scalesec.com>
Co-authored-by: Chip Zoller <chipzoller@gmail.com>

istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-1.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    istio.io/dataplane-mode: ambient
+  name: istio-test-en-ns

istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-2.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    istio.io/dataplane-mode: other
+  name: istio-test-dis-ns

istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-3.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-test-none-ns

istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-4.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    foo: bar
+  name: istio-test-alt-ns

istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,34 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: add-ambient-mode-namespace
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../add-ambient-mode-namespace.yaml
+    - assert:
+        file: policy-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: chainsaw-step-02-apply-1.yaml
+    - apply:
+        file: chainsaw-step-02-apply-2.yaml
+    - apply:
+        file: chainsaw-step-02-apply-3.yaml
+    - apply:
+        file: chainsaw-step-02-apply-4.yaml
+  - name: step-03
+    try:
+    - assert:
+        file: patched-ns-alt.yaml
+    - assert:
+        file: patched-ns-disabled.yaml
+    - assert:
+        file: patched-ns-enabled.yaml
+    - assert:
+        file: patched-ns-none.yaml

istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-alt.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    foo: bar
+    istio.io/dataplane-mode: ambient
+  name: istio-test-alt-ns

istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-disabled.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    istio.io/dataplane-mode: ambient
+  name: istio-test-dis-ns

istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-enabled.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    istio.io/dataplane-mode: ambient
+  name: istio-test-en-ns

istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-none.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    istio.io/dataplane-mode: ambient
+  name: istio-test-none-ns

istio/add-ambient-mode-namespace/.chainsaw-test/policy-ready.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-ambient-mode-namespace
+status:
+  ready: true

istio/add-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,21 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: add-ambient-mode-namespace
+policies:
+- ../add-ambient-mode-namespace.yaml
+resources:
+- ../.chainsaw-test/patched-ns-disabled.yaml
+- ../.chainsaw-test/patched-ns-enabled.yaml
+- ../.chainsaw-test/patched-ns-alt.yaml
+- ../.chainsaw-test/patched-ns-none.yaml
+results:
+- policy: add-ambient-mode-namespace
+  rule: check-ambient-mode-enabled
+  kind: Namespace
+  resources:
+  - istio-test-none-ns
+  - istio-test-dis-ns
+  - istio-test-en-ns
+  - istio-test-alt-ns
+  result: pass

istio/add-ambient-mode-namespace/add-ambient-mode-namespace.yaml

@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-ambient-mode-namespace
+  annotations:
+    policies.kyverno.io/title: Add Istio Ambient Mode
+    policies.kyverno.io/category: Istio
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.8.0
+    policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kubernetes-version: "1.24"
+    policies.kyverno.io/subject: Namespace
+    policies.kyverno.io/description: >-
+      In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode` 
+      must be set to `ambient`. As an alternative to rejecting Namespace definitions which don't already 
+      contain this label, it can be added automatically. This policy adds the label `istio.io/dataplane-mode`
+      set to `ambient` for all new Namespaces.
+spec:
+  rules:
+  - name: add-ambient-mode-enabled
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          labels:
+            istio.io/dataplane-mode: ambient

istio/add-ambient-mode-namespace/artifacthub-pkg.yml

@@ -0,0 +1,22 @@
+name: add-ambient-mode-namespace
+version: 1.0.0
+displayName: Add Istio Ambient Mode
+createdAt: "2024-07-25T20:07:52.000Z"
+description: >-
+  In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode` must be set to `ambient`. As an alternative to rejecting Namespace definitions which don't already contain this label, it can be added automatically. This policy adds the label `istio.io/dataplane-mode` set to `ambient` for all new Namespaces.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/add-ambient-mode-namespace/add-ambient-mode-namespace.yaml
+  ```
+keywords:
+  - kyverno
+  - Istio
+readme: |
+  In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode` must be set to `ambient`. As an alternative to rejecting Namespace definitions which don't already contain this label, it can be added automatically. This policy adds the label `istio.io/dataplane-mode` set to `ambient` for all new Namespaces.
+  
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Istio"
+  kyverno/kubernetesVersion: "1.24"
+  kyverno/subject: "Namespace"
+digest: f81b9ba15c410e62589f0bf79b22a694b41a2294557c91d3c87683772922a8c0

istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: enforce-ambient-mode-namespace
+status:
+  ready: true

istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,41 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: enforce-ambient-mode-namespace
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../enforce-ambient-mode-namespace.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: enforce-ambient-mode-namespace
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ns-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ns-bad-disabled.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ns-bad-nolabel.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ns-bad-somelabel.yaml

istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-disabled.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    istio.io/dataplane-mode: other
+  name: bad-istio-amb01

istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-nolabel.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: bad-istio-amb03

istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-somelabel.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    foo: enabled
+  name: bad-istio-amb02

istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-good.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    istio.io/dataplane-mode: ambient
+  name: good-istio-amb01
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    foo: disabled
+    istio.io/dataplane-mode: ambient
+    bar: enabled
+  name: good-istio-amb02

istio/enforce-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,28 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: enforce-ambient-mode-namespace
+policies:
+- ../enforce-ambient-mode-namespace.yaml
+resources:
+- ../.chainsaw-test/ns-bad-disabled.yaml
+- ../.chainsaw-test/ns-bad-nolabel.yaml
+- ../.chainsaw-test/ns-bad-somelabel.yaml
+- ../.chainsaw-test/ns-good.yaml
+results:
+- policy: enforce-ambient-mode-namespace
+  rule: check-ambient-mode-enabled
+  kind: Namespace
+  resources:
+  - bad-istio-amb01
+  - bad-istio-amb02
+  - bad-istio-amb03
+  result: fail
+- policy: enforce-ambient-mode-namespace
+  rule: check-ambient-mode-enabled
+  kind: Namespace
+  resources:
+  - good-istio-amb01
+  - good-istio-amb02
+  result: pass
+

istio/enforce-ambient-mode-namespace/artifacthub-pkg.yml

@@ -0,0 +1,22 @@
+name: enforce-ambient-mode-namespace
+version: 1.0.0
+displayName: Enforce Istio Ambient Mode
+createdAt: "2024-07-25T20:07:52.000Z"
+description: >-
+  In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode` must be set to `ambient`. This policy ensures that all new Namespaces set `istio.io/dataplane-mode` to `ambient`.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml
+  ```
+keywords:
+  - kyverno
+  - Istio
+readme: |
+  In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode` must be set to `ambient`. This policy ensures that all new Namespaces set `istio.io/dataplane-mode` to `ambient`.
+  
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Istio"
+  kyverno/kubernetesVersion: "1.24"
+  kyverno/subject: "Namespace"
+digest: 1d0f6644ba09afd6fe0dcb431b434c509b995580a5fef2f795df2fc979c6a931

istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: enforce-ambient-mode-namespace
+  annotations:
+    policies.kyverno.io/title: Enforce Istio Ambient Mode
+    policies.kyverno.io/category: Istio
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.8.0
+    policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kubernetes-version: "1.24"
+    policies.kyverno.io/subject: Namespace
+    policies.kyverno.io/description: >-
+      In order for Istio to include namespaces in ambient mode, the label
+      `istio.io/dataplane-mode` must be set to `ambient`. This policy ensures that all new Namespaces
+      set `istio.io/dataplane-mode` to `ambient`.
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+  - name: check-amblient-mode-enabled
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    validate:
+      message: "All new Namespaces must have Istio ambient mode enabled."
+      pattern:
+        metadata:
+          labels:
+            istio.io/dataplane-mode: ambient