
feat: add kyverno-authz-server integration #15963

Open. Wants to merge 3 commits into base: master.

Conversation

eddycharly (Contributor)

Description

Add kyverno-authz-server integration docs.

Reviewers

  • Ambient
  • Docs
  • Installation
  • Networking
  • Performance and Scalability
  • Extensions and Telemetry
  • Security
  • Test and Release
  • User Experience
  • Developer Infrastructure
  • Localization/Translation

@istio-testing istio-testing added the do-not-merge/work-in-progress label (Block merging of a PR because it isn't ready yet) Nov 20, 2024
@istio-testing istio-testing added the size/L label (Denotes a PR that changes 100-499 lines, ignoring generated files) and the needs-ok-to-test label Nov 20, 2024
istio-testing (Contributor)

Hi @eddycharly. Thanks for your PR.

I'm waiting for an Istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@eddycharly eddycharly force-pushed the kyverno-authz-server-integration branch from 8b20b75 to 327091a, November 20, 2024 13:13
Signed-off-by: Charles-Edouard Brétéché <[email protected]>
@eddycharly eddycharly force-pushed the kyverno-authz-server-integration branch from 327091a to e6dadd4, November 20, 2024 13:14
@eddycharly eddycharly marked this pull request as ready for review November 20, 2024 13:14
@eddycharly eddycharly requested a review from a team as a code owner November 20, 2024 13:14
@istio-testing istio-testing removed the do-not-merge/work-in-progress label (Block merging of a PR because it isn't ready yet) Nov 20, 2024
eddycharly (Contributor, Author)

Related to #15867

eddycharly (Contributor, Author)

cc @craigbox

Arhell (Member) left a comment

/ok-to-test

@istio-testing istio-testing added the ok-to-test label (Set this label to allow normal testing to take place for a PR not submitted by an Istio org member) and removed the needs-ok-to-test label Nov 21, 2024
eddycharly (Contributor, Author)

Linter should pass once #15867 merges

eddycharly (Contributor, Author)

Shall I wait, or fix this PR without waiting for #15867?

Signed-off-by: Charles-Edouard Brétéché <[email protected]>
Signed-off-by: Charles-Edouard Brétéché <[email protected]>
eddycharly (Contributor, Author)

@Arhell @craigbox I updated this PR based on the feedback in #15867

@@ -0,0 +1,464 @@
---
title: Kyverno Authz Server
Contributor
Suggested change
title: Kyverno Authz Server
title: Kyverno

@@ -0,0 +1,464 @@
---
title: Kyverno Authz Server
description: How to integrate with Kyverno Authz Server.
Contributor
Suggested change
description: How to integrate with Kyverno Authz Server.
description: How to use Kyverno as an external authorization server.

weight: 33
keywords: [integration,kyverno,policy,authorization]
owner: istio/wg-environments-maintainers
test: no
Contributor
Have you considered making this testable? Should be pretty easy.
Check https://github.com/istio/istio.io/tree/master/tests and let me know if you have any issues

test: no
---

The [Kyverno Authz Server](https://kyverno.github.io/kyverno-envoy-plugin) is a GRPC authorization server implementing the [Envoy's External Authorization protocol](https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto).
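Review bot: the intro line says what the server speaks (Envoy's External Authorization protocol over gRPC) but not how Istio reaches it, so a reader without Kyverno or ext_authz background has no model of what the rest of the page will configure; add one sentence stating that Istio calls such a server through an AuthorizationPolicy with `action: CUSTOM`, backed by an `extensionProviders` entry in the mesh config, before the install steps begin.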
Contributor
Suggested change
The [Kyverno Authz Server](https://kyverno.github.io/kyverno-envoy-plugin) is a GRPC authorization server implementing the [Envoy's External Authorization protocol](https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto).
The [Kyverno Authz Server](https://kyverno.github.io/kyverno-envoy-plugin) is a gRPC authorization server implementing the [Envoy External Authorization protocol](https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto).


The [Kyverno Authz Server](https://kyverno.github.io/kyverno-envoy-plugin) is a GRPC authorization server implementing the [Envoy's External Authorization protocol](https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto).

Istio and the Kyverno Authz Server is a solid option to deliver policy quickly and transparently to application team everywhere in the business, while also providing the data the security teams need for audit and compliance.
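Review bot: `Istio and the Kyverno Authz Server is a solid option to deliver policy quickly and transparently to application team everywhere in the business` needs `are` and `application teams`, and the second half (`providing the data the security teams need for audit and compliance`) is a claim with no referent; say concretely what data the server produces for auditors, or drop the clause, so the sentence reads as documentation rather than marketing copy.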
Contributor
Can you give a bit more context for someone who isn't familiar with Kyverno? Realistically, is this guide for "I use Kyverno and want to bring Istio into my central policy system" or is it for "There is something in Istio I can't do, and so I want to add a third-party thing, and this is going to be my first experience with Kyverno"?


Istio and the Kyverno Authz Server is a solid option to deliver policy quickly and transparently to application team everywhere in the business, while also providing the data the security teams need for audit and compliance.

## Try it out
Contributor
Probably best to follow the pattern set out by docs like https://istio.io/latest/docs/tasks/security/authorization/authz-custom/
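For readers of this thread, this is the shape of the Istio-side wiring that the authz-custom task linked above uses: a mesh-config `extensionProviders` entry pointing at the authorization server's gRPC endpoint, and an `AuthorizationPolicy` with `action: CUSTOM` that delegates matching requests to it. It is an added example for this review, not text from the PR or from the Kyverno project. The provider name, the Service address `kyverno-authz-server.kyverno.svc.cluster.local`, the port `9081`, and the `app: httpbin` selector are assumptions; substitute the values the chart actually creates.

```yaml
# Added example (not from the PR). Assumed: the Kyverno Authz Server is
# reachable in-cluster at kyverno-authz-server.kyverno.svc.cluster.local:9081.
#
# 1. Register the server as an external authorization provider in the mesh
#    config (the `istio` ConfigMap in istio-system, key `mesh`).
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |-
    extensionProviders:
    - name: kyverno-authz-server          # referenced by AuthorizationPolicy below
      envoyExtAuthzGrpc:
        service: kyverno-authz-server.kyverno.svc.cluster.local   # assumption
        port: "9081"                                             # assumption
        failOpen: false   # default: if the provider is unreachable, deny
---
# 2. Delegate authorization for the selected workload to that provider.
#    Only requests matching `rules` are sent to Kyverno; everything else is
#    left to Istio's own ALLOW/DENY policies.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: kyverno-ext-authz
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin          # assumption: the sample workload being protected
  action: CUSTOM
  provider:
    name: kyverno-authz-server
  rules:
  - to:
    - operation:
        paths: ["/*"]       # the enforcement scope: narrow this deliberately
```

Two points worth keeping in mind when reviewing the guide against this pattern: `action: CUSTOM` only delegates requests that match `rules`, so the `paths` list is the effective enforcement scope and a path omitted there is never seen by Kyverno; and `failOpen` defaults to false, which is the safe setting but means a provider outage becomes a denial for the whole selected workload.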

Comment on lines +461 to +464
## Wrap Up

In this guide, we have shown how to integrate Istio and the Kyverno Authz Server to enforce policies for a simple microservices application.
We also showed how to use policies to modify the request and response attributes.
Contributor
Suggested change
## Wrap Up
In this guide, we have shown how to integrate Istio and the Kyverno Authz Server to enforce policies for a simple microservices application.
We also showed how to use policies to modify the request and response attributes.

Comment on lines +60 to +70
{{< text bash >}}
$ kubectl create ns kyverno
{{< /text >}}

{{< text bash >}}
$ kubectl label namespace kyverno istio-injection=enabled
{{< /text >}}

{{< text bash >}}
$ helm install kyverno-authz-server --namespace kyverno --wait --repo https://kyverno.github.io/kyverno-envoy-plugin kyverno-authz-server
{{< /text >}}
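Review bot: `helm install kyverno-authz-server --namespace kyverno --wait --repo https://kyverno.github.io/kyverno-envoy-plugin kyverno-authz-server` in the last block pulls the chart from the remote repo with no `--version`, so readers get whatever the newest published chart is on the day they run it and the guide cannot be reproduced against a known release; add `--version <chart version>` matching the version the guide was written against, and since the first two blocks only create and label the namespace, they can be folded into a single block with this one (`kubectl create ns kyverno` also fails if the namespace already exists, which a `--create-namespace` on the helm command would avoid).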
Contributor
condense as per the blog?

Labels: area/extensions and telemetry, kind/docs, ok-to-test (Set this label to allow normal testing to take place for a PR not submitted by an Istio org member), size/L (Denotes a PR that changes 100-499 lines, ignoring generated files)
5 participants