From 060ac7674886f61b41112110efb087e867137914 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Fri, 22 May 2026 11:31:28 -0400
Subject: [PATCH] feat(irc): migrate from Cilium to Istio AuthorizationPolicies

Replace CiliumNetworkPolicies with Istio AuthorizationPolicies, point the thelounge HTTPRoute at the istio-external gateway, and give each workload a dedicated ServiceAccount for precise mTLS identity.

Co-Authored-By: Claude Sonnet 4.6
---
 thelounge/authorizationpolicy.yaml | 15 +++++++++
 thelounge/ciliumnetworkpolicy.yaml | 52 ------------------------------
 thelounge/httproute.yaml | 2 +-
 thelounge/kustomization.yaml | 3 +-
 thelounge/serviceaccount.yaml | 6 ++++
 thelounge/statefulset.yaml | 1 +
 znc/authorizationpolicy.yaml | 15 +++++++++
 znc/ciliumnetworkpolicy.yaml | 42 ------------------------
 znc/kustomization.yaml | 3 +-
 znc/serviceaccount.yaml | 6 ++++
 znc/statefulset.yaml | 1 +
 11 files changed, 49 insertions(+), 97 deletions(-)
 create mode 100644 thelounge/authorizationpolicy.yaml
 delete mode 100644 thelounge/ciliumnetworkpolicy.yaml
 create mode 100644 thelounge/serviceaccount.yaml
 create mode 100644 znc/authorizationpolicy.yaml
 delete mode 100644 znc/ciliumnetworkpolicy.yaml
 create mode 100644 znc/serviceaccount.yaml

diff --git a/thelounge/authorizationpolicy.yaml b/thelounge/authorizationpolicy.yaml
new file mode 100644
index 0000000..0f98198
--- /dev/null
+++ b/thelounge/authorizationpolicy.yaml
@@ -0,0 +1,15 @@
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: thelounge
+ namespace: irc
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: thelounge
+ action: ALLOW
+ rules:
+ - from:
+ - source:
+ principals:
+ - cluster.local/ns/gateway-system/sa/istio-external-istio
diff --git a/thelounge/ciliumnetworkpolicy.yaml b/thelounge/ciliumnetworkpolicy.yaml
deleted file mode 100644
index 4afa782..0000000
--- a/thelounge/ciliumnetworkpolicy.yaml
+++ /dev/null
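Review bot: The ALLOW rule in thelounge/authorizationpolicy.yaml admits the gateway principal on every port of the workload, whereas the CiliumNetworkPolicy it replaces limited ingress to TCP 9000; keep the allow port-scoped by adding a `to` clause to the same rule, `to:` / `- operation:` / `ports: ["9000"]`. The removed Cilium policy also constrained egress (kube-dns on 53, the authentik LDAP outpost on 389, znc on 6501 and irc.passthepopcorn.me on 6697); an AuthorizationPolicy is enforced on traffic entering the selected workload's proxy, so after this commit thelounge's egress is unconstrained unless a policy outside this diff covers it. Both points apply equally to znc/authorizationpolicy.yaml, which likewise has no `to.operation.ports` and drops the znc egress rules. Enforcement of the principal match also presupposes that the pod is actually in the mesh (sidecar-injected or ambient) and that `istio-external-istio` is the ServiceAccount the istio-external gateway runs as — neither is visible in this patch, so confirm both before relying on the policy.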
@@ -1,52 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
- name: thelounge
- namespace: irc
-spec:
- endpointSelector:
- matchLabels:
- app.kubernetes.io/name: thelounge
- ingress:
- - fromEntities:
- - ingress
- - host
- toPorts:
- - ports:
- - port: "9000"
- protocol: TCP
- egress:
- - toEndpoints:
- - matchLabels:
- k8s:io.kubernetes.pod.namespace: kube-system
- k8s:k8s-app: kube-dns
- toPorts:
- - ports:
- - port: "53"
- protocol: ANY
- rules:
- dns:
- - matchPattern: "*"
- - toEndpoints:
- - matchLabels:
- k8s:io.kubernetes.pod.namespace: auth
- k8s:app.kubernetes.io/name: authentik-outpost-ldap
- k8s:goauthentik.io/outpost-type: ldap
- toPorts:
- - ports:
- - port: "389"
- protocol: TCP
- - toEndpoints:
- - matchLabels:
- k8s:io.kubernetes.pod.namespace: irc
- k8s:app.kubernetes.io/name: znc
- toPorts:
- - ports:
- - port: "6501"
- protocol: TCP
- - toFQDNs:
- - matchName: "irc.passthepopcorn.me"
- toPorts:
- - ports:
- - port: "6697"
- protocol: TCP
diff --git a/thelounge/httproute.yaml b/thelounge/httproute.yaml
index 71e044a..9e9973d 100644
--- a/thelounge/httproute.yaml
+++ b/thelounge/httproute.yaml
@@ -5,7 +5,7 @@ metadata:
 namespace: irc
 spec:
 parentRefs:
- - name: external
+ - name: istio-external
 namespace: gateway-system
 hostnames:
 - ${THELOUNGE_HOSTNAME}
diff --git a/thelounge/kustomization.yaml b/thelounge/kustomization.yaml
index ff87268..3f4284e 100644
--- a/thelounge/kustomization.yaml
+++ b/thelounge/kustomization.yaml
@@ -1,8 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - serviceaccount.yaml
 - statefulset.yaml
 - service.yaml
 - httproute.yaml
- - ciliumnetworkpolicy.yaml
+ - authorizationpolicy.yaml
 - config.yaml
diff --git a/thelounge/serviceaccount.yaml b/thelounge/serviceaccount.yaml
new file mode 100644
index 0000000..9adf384
--- /dev/null
+++ b/thelounge/serviceaccount.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: thelounge
+ namespace: irc
+automountServiceAccountToken: false
diff --git a/thelounge/statefulset.yaml b/thelounge/statefulset.yaml
index 59b0d2e..53522b7 100644
--- a/thelounge/statefulset.yaml
+++ b/thelounge/statefulset.yaml
@@ -21,6 +21,7 @@ spec:
 app.kubernetes.io/instance: thelounge
 spec:
 priorityClassName: low-priority
+ serviceAccountName: thelounge
 automountServiceAccountToken: false
 securityContext:
 runAsNonRoot: true
diff --git a/znc/authorizationpolicy.yaml b/znc/authorizationpolicy.yaml
new file mode 100644
index 0000000..4d43b69
--- /dev/null
+++ b/znc/authorizationpolicy.yaml
@@ -0,0 +1,15 @@
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: znc
+ namespace: irc
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: znc
+ action: ALLOW
+ rules:
+ - from:
+ - source:
+ principals:
+ - cluster.local/ns/irc/sa/thelounge
diff --git a/znc/ciliumnetworkpolicy.yaml b/znc/ciliumnetworkpolicy.yaml
deleted file mode 100644
index 5201b99..0000000
--- a/znc/ciliumnetworkpolicy.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
- name: znc
- namespace: irc
-spec:
- endpointSelector:
- matchLabels:
- app.kubernetes.io/name: znc
- ingress:
- - fromEndpoints:
- - matchLabels:
- k8s:io.kubernetes.pod.namespace: irc
- k8s:app.kubernetes.io/name: thelounge
- toPorts:
- - ports:
- - port: "6501"
- protocol: TCP
- - fromEntities:
- - host
- toPorts:
- - ports:
- - port: "6501"
- protocol: TCP
- egress:
- - toEndpoints:
- - matchLabels:
- k8s:io.kubernetes.pod.namespace: kube-system
- k8s:k8s-app: kube-dns
- toPorts:
- - ports:
- - port: "53"
- protocol: ANY
- rules:
- dns:
- - matchPattern: "*"
- - toFQDNs:
- - matchName: "irc.passthepopcorn.me"
- toPorts:
- - ports:
- - port: "6697"
- protocol: TCP
diff --git a/znc/kustomization.yaml b/znc/kustomization.yaml
index 858e6c9..b5d6d25 100644
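Review bot: In znc/authorizationpolicy.yaml the single ALLOW rule admits only the thelounge principal, but the removed znc CiliumNetworkPolicy had a second ingress rule admitting the `host` entity on 6501 alongside thelounge. If that entry existed for kubelet probes against 6501 (the znc StatefulSet hunk does not show its probes, so this is inferred), plaintext connections from the node carry no mesh principal and will be rejected once the policy is enforced; confirm that Istio's probe handling covers them, or add an explicit rule for whatever that `host` entry served. Either way, document the decision in the policy, e.g. `# host-entity ingress from the Cilium policy intentionally dropped: <reason>` above `rules:`, so the narrowing is visibly deliberate rather than an omission.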
--- a/znc/kustomization.yaml
+++ b/znc/kustomization.yaml
@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - serviceaccount.yaml
 - statefulset.yaml
 - service.yaml
- - ciliumnetworkpolicy.yaml
+ - authorizationpolicy.yaml
diff --git a/znc/serviceaccount.yaml b/znc/serviceaccount.yaml
new file mode 100644
index 0000000..b8f2acd
--- /dev/null
+++ b/znc/serviceaccount.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: znc
+ namespace: irc
+automountServiceAccountToken: false
diff --git a/znc/statefulset.yaml b/znc/statefulset.yaml
index fd60876..35a8a45 100644
--- a/znc/statefulset.yaml
+++ b/znc/statefulset.yaml
@@ -30,6 +30,7 @@ spec:
 app.kubernetes.io/instance: znc
 spec:
 priorityClassName: low-priority
+ serviceAccountName: znc
 automountServiceAccountToken: false
 containers:
 - name: znc