├── .github ├── dependabot.yml └── workflows │ ├── ci-apps-gator.yaml │ ├── ci-apps-kpt.yaml │ └── ci-policies.yml ├── .krmignore ├── README.md ├── best-app-ever └── .gitkeep ├── docs ├── demos │ ├── demo-config-sync.md │ ├── demo-kubectl-apply.md │ └── demo-shift-enforcement-left.md ├── images │ ├── asm-security.png │ ├── config-sync-status.png │ └── personas-workflow.png └── setups │ ├── setup-asm-poco-gke.md │ └── setup-istio-gatekeeper-gke.md ├── istio-ingress ├── app-manifest.yaml ├── authorizationpolicy.yaml └── gateway.yaml ├── istio-system ├── default-deny-authorizationpolicy.yaml └── default-strict-peerauthentication.yaml ├── onlineboutique ├── apps-manifests.yaml ├── authorizationpolicies.yaml └── frontend-virtualservice.yaml ├── policies ├── constraints │ ├── allowed-service-port-name.yaml │ ├── authorization-policies │ │ └── default-deny-authorization-policies.yaml │ ├── sidecar-injection │ │ ├── namespace-sidecar-injection-label.yaml │ │ └── sidecar-injection-annotation.yaml │ └── strict-mtls │ │ ├── destinationrule-tls-enabled.yaml │ │ ├── mesh-level-strict-mtls.yaml │ │ └── peer-authentication-strict-mtls.yaml ├── constrainttemplates │ ├── allowed-service-port-name.yaml │ ├── authorization-policies │ │ └── authzpolicy-default-deny.yaml │ ├── sidecar-injection │ │ ├── k8s-required-labels.yaml │ │ └── sidecar-injection-annotation.yaml │ └── strict-mtls │ │ ├── destinationrule-tls-enabled.yaml │ │ ├── peerauthn-mesh-strict-mtls.yaml │ │ └── peerauthn-strict-mtls.yaml └── gatekeeper-system │ └── referential-constraints-config.yaml ├── root-sync ├── best-app-ever │ ├── namespace.yaml │ ├── reposync.yaml │ └── rolebinding.yaml ├── istio-ingress │ ├── namespace.yaml │ ├── reposync.yaml │ └── rolebinding.yaml ├── onlineboutique │ ├── namespace.yaml │ ├── reposync.yaml │ └── rolebinding.yaml └── reposyncs-edit-clusterrole.yaml └── test ├── allowed-service-port-name ├── example-allowed.yaml └── example-disallowed.yaml ├── sidecar-injection-annotation ├── example-allowed.yaml └── example-disallowed.yaml └── suite.yaml /.github/dependabot.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/.github/dependabot.yml -------------------------------------------------------------------------------- /.github/workflows/ci-apps-gator.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/.github/workflows/ci-apps-gator.yaml -------------------------------------------------------------------------------- /.github/workflows/ci-apps-kpt.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/.github/workflows/ci-apps-kpt.yaml -------------------------------------------------------------------------------- /.github/workflows/ci-policies.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/.github/workflows/ci-policies.yml -------------------------------------------------------------------------------- /.krmignore: -------------------------------------------------------------------------------- 1 | .github 2 | test -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/README.md -------------------------------------------------------------------------------- /best-app-ever/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /docs/demos/demo-config-sync.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/docs/demos/demo-config-sync.md -------------------------------------------------------------------------------- /docs/demos/demo-kubectl-apply.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/docs/demos/demo-kubectl-apply.md -------------------------------------------------------------------------------- /docs/demos/demo-shift-enforcement-left.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/docs/demos/demo-shift-enforcement-left.md -------------------------------------------------------------------------------- /docs/images/asm-security.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/docs/images/asm-security.png -------------------------------------------------------------------------------- /docs/images/config-sync-status.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/docs/images/config-sync-status.png -------------------------------------------------------------------------------- /docs/images/personas-workflow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/docs/images/personas-workflow.png -------------------------------------------------------------------------------- /docs/setups/setup-asm-poco-gke.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/docs/setups/setup-asm-poco-gke.md -------------------------------------------------------------------------------- /docs/setups/setup-istio-gatekeeper-gke.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/docs/setups/setup-istio-gatekeeper-gke.md -------------------------------------------------------------------------------- /istio-ingress/app-manifest.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/istio-ingress/app-manifest.yaml -------------------------------------------------------------------------------- /istio-ingress/authorizationpolicy.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/istio-ingress/authorizationpolicy.yaml -------------------------------------------------------------------------------- /istio-ingress/gateway.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/istio-ingress/gateway.yaml -------------------------------------------------------------------------------- /istio-system/default-deny-authorizationpolicy.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/istio-system/default-deny-authorizationpolicy.yaml -------------------------------------------------------------------------------- /istio-system/default-strict-peerauthentication.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/istio-system/default-strict-peerauthentication.yaml -------------------------------------------------------------------------------- /onlineboutique/apps-manifests.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/onlineboutique/apps-manifests.yaml -------------------------------------------------------------------------------- /onlineboutique/authorizationpolicies.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/onlineboutique/authorizationpolicies.yaml -------------------------------------------------------------------------------- /onlineboutique/frontend-virtualservice.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/onlineboutique/frontend-virtualservice.yaml -------------------------------------------------------------------------------- /policies/constraints/allowed-service-port-name.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/policies/constraints/allowed-service-port-name.yaml -------------------------------------------------------------------------------- /policies/constraints/authorization-policies/default-deny-authorization-policies.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/policies/constraints/authorization-policies/default-deny-authorization-policies.yaml -------------------------------------------------------------------------------- /policies/constraints/sidecar-injection/namespace-sidecar-injection-label.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/policies/constraints/sidecar-injection/namespace-sidecar-injection-label.yaml -------------------------------------------------------------------------------- /policies/constraints/sidecar-injection/sidecar-injection-annotation.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/policies/constraints/sidecar-injection/sidecar-injection-annotation.yaml -------------------------------------------------------------------------------- /policies/constraints/strict-mtls/destinationrule-tls-enabled.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/policies/constraints/strict-mtls/destinationrule-tls-enabled.yaml -------------------------------------------------------------------------------- /policies/constraints/strict-mtls/mesh-level-strict-mtls.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/policies/constraints/strict-mtls/mesh-level-strict-mtls.yaml -------------------------------------------------------------------------------- /policies/constraints/strict-mtls/peer-authentication-strict-mtls.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/policies/constraints/strict-mtls/peer-authentication-strict-mtls.yaml -------------------------------------------------------------------------------- /policies/constrainttemplates/allowed-service-port-name.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/policies/constrainttemplates/allowed-service-port-name.yaml -------------------------------------------------------------------------------- /policies/constrainttemplates/authorization-policies/authzpolicy-default-deny.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/policies/constrainttemplates/authorization-policies/authzpolicy-default-deny.yaml -------------------------------------------------------------------------------- /policies/constrainttemplates/sidecar-injection/k8s-required-labels.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/policies/constrainttemplates/sidecar-injection/k8s-required-labels.yaml -------------------------------------------------------------------------------- /policies/constrainttemplates/sidecar-injection/sidecar-injection-annotation.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/policies/constrainttemplates/sidecar-injection/sidecar-injection-annotation.yaml -------------------------------------------------------------------------------- /policies/constrainttemplates/strict-mtls/destinationrule-tls-enabled.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/policies/constrainttemplates/strict-mtls/destinationrule-tls-enabled.yaml -------------------------------------------------------------------------------- /policies/constrainttemplates/strict-mtls/peerauthn-mesh-strict-mtls.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/policies/constrainttemplates/strict-mtls/peerauthn-mesh-strict-mtls.yaml -------------------------------------------------------------------------------- /policies/constrainttemplates/strict-mtls/peerauthn-strict-mtls.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/policies/constrainttemplates/strict-mtls/peerauthn-strict-mtls.yaml -------------------------------------------------------------------------------- /policies/gatekeeper-system/referential-constraints-config.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/policies/gatekeeper-system/referential-constraints-config.yaml -------------------------------------------------------------------------------- /root-sync/best-app-ever/namespace.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/root-sync/best-app-ever/namespace.yaml -------------------------------------------------------------------------------- /root-sync/best-app-ever/reposync.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/root-sync/best-app-ever/reposync.yaml -------------------------------------------------------------------------------- /root-sync/best-app-ever/rolebinding.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/root-sync/best-app-ever/rolebinding.yaml -------------------------------------------------------------------------------- /root-sync/istio-ingress/namespace.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/root-sync/istio-ingress/namespace.yaml -------------------------------------------------------------------------------- /root-sync/istio-ingress/reposync.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/root-sync/istio-ingress/reposync.yaml -------------------------------------------------------------------------------- /root-sync/istio-ingress/rolebinding.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/root-sync/istio-ingress/rolebinding.yaml -------------------------------------------------------------------------------- /root-sync/onlineboutique/namespace.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/root-sync/onlineboutique/namespace.yaml -------------------------------------------------------------------------------- /root-sync/onlineboutique/reposync.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/root-sync/onlineboutique/reposync.yaml -------------------------------------------------------------------------------- /root-sync/onlineboutique/rolebinding.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/root-sync/onlineboutique/rolebinding.yaml -------------------------------------------------------------------------------- /root-sync/reposyncs-edit-clusterrole.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/root-sync/reposyncs-edit-clusterrole.yaml -------------------------------------------------------------------------------- /test/allowed-service-port-name/example-allowed.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/test/allowed-service-port-name/example-allowed.yaml -------------------------------------------------------------------------------- /test/allowed-service-port-name/example-disallowed.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/test/allowed-service-port-name/example-disallowed.yaml -------------------------------------------------------------------------------- /test/sidecar-injection-annotation/example-allowed.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/test/sidecar-injection-annotation/example-allowed.yaml -------------------------------------------------------------------------------- /test/sidecar-injection-annotation/example-disallowed.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/test/sidecar-injection-annotation/example-disallowed.yaml -------------------------------------------------------------------------------- /test/suite.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mathieu-benoit/istio-gatekeeper-demos/HEAD/test/suite.yaml --------------------------------------------------------------------------------