We check that all our Service objects match Istio's port-naming convention (for example, a port named `http` or one whose name starts with `http-`). For this we developed a policy that rejects any port that doesn't match and allows opting out via namespace labels.
package k8svalidistioserviceportname
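# violation rejects every Service port whose name does not carry an Istio
# protocol prefix (<protocol> or <protocol>-<suffix>). Istio derives the
# port's protocol from that name; a name it cannot parse can leave the port
# handled as opaque TCP, so HTTP-level mesh policy would not apply to it.
#
# input:  a Gatekeeper admission review; input.review.object is the Service.
# output: one {"msg": ...} entry per distinct offending port description.
#         The rule is a set, so ports that render to the same message (for
#         example two unnamed, numberless ports) collapse into one entry.
#
# NOTE(review): this rule implements no namespace-label opt-out; if one is
# expected it has to come from the surrounding constraint's match config.
# NOTE(review): Istio can also take the protocol from a port's appProtocol
# field; this rule does not consult it, so a Service relying on appProtocol
# with an unprefixed name is rejected here — confirm that is intended.
violation[{"msg": msg}] {
	valid := "^(grpc|http|http2|https|mongo|mysql|redis|tcp|tls|udp)($|-)"
	service := input.review.object
	port := service.spec.ports[_]
	not valid_port(port, valid)
	# Name the offending port in the message so the submitter can find it.
	# Both fields are optional in the admission object, so use placeholders
	# rather than letting a missing field make the whole rule undefined.
	port_name := object.get(port, "name", "<unnamed>")
	port_number := object.get(port, "port", "<unset>")
	msg := sprintf(
		"%v %v %v: port %v (name %v) must match %v to be routable by Istio",
		[service.kind, service.metadata.namespace, service.metadata.name, port_number, port_name, valid]
	)
}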
# valid_port holds when the port has a string name and that name matches the
# protocol-prefix pattern `valid`. A port without a name never satisfies it:
# port.name is undefined, so the match can never be evaluated.
valid_port(port, valid) {
	is_string(port.name)
	regex.match(valid, port.name)
}
package k8svalidistioserviceportname
# A port named exactly as a supported protocol ("https") produces no violation.
test_ignores_exact_match {
	svc := {
		"kind": "Service",
		"metadata": {"name": "truth-service", "namespace": "mesh-enabled"},
		"spec": {"ports": [{"name": "https"}]}
	}
	count(violation) == 0 with input as {"review": {"object": svc}}
}
# A name of the form <protocol>-<suffix> ("https-foobar") produces no violation.
test_ignores_prefix_match {
	svc := {
		"kind": "Service",
		"metadata": {"name": "truth-service", "namespace": "mesh-enabled"},
		"spec": {"ports": [{"name": "https-foobar"}]}
	}
	count(violation) == 0 with input as {"review": {"object": svc}}
}
# A protocol string glued to a suffix without the "-" separator ("httpsfoobar")
# is not a valid prefix and yields exactly one violation.
test_blocks_bad_match {
	svc := {
		"kind": "Service",
		"metadata": {"name": "truth-service", "namespace": "mesh-enabled"},
		"spec": {"ports": [{"name": "httpsfoobar"}]}
	}
	count(violation) == 1 with input as {"review": {"object": svc}}
}
# A port with no name at all yields exactly one violation.
test_blocks_empty {
	svc := {
		"kind": "Service",
		"metadata": {"name": "truth-service", "namespace": "mesh-enabled"},
		"spec": {"ports": [{}]}
	}
	count(violation) == 1 with input as {"review": {"object": svc}}
}
# Two identical unnamed ports are still reported as a single violation:
# violation is a set rule and both ports render to the same message, so the
# entries collapse. The assertion is on the count being exactly one.
test_blocks_multiple_bad {
	svc := {
		"kind": "Service",
		"metadata": {"name": "truth-service", "namespace": "mesh-enabled"},
		"spec": {"ports": [{}, {}]}
	}
	count(violation) == 1 with input as {"review": {"object": svc}}
}