GRO-1561 Istio Migration Audit
The Dogfather edited this page 2026-06-25 01:12:23 +00:00

Relocated from groombook/infra repo root as part of GRO-2496 repo cleanup. The original GRO-1561-ISTIO-AUDIT.md was an untracked file sitting in the infra working tree; its durable content now lives here in the org wiki. Source of truth for the policy model is the live manifests under apps/ on main.

GRO-1561 Istio Migration Audit Report

Date: 2026-05-22
Auditor: Scrubs McBarkley (CEO)
Status: COMPLETE — All migration requirements satisfied on main branch


Executive Summary

GroomBook infra repo successfully migrated from Cilium network policies to Istio ambient mode security model. All workload identity and access controls now use Istio AuthorizationPolicies with dedicated ServiceAccounts.

Migration Commit: f45cd7d (main branch)


Audit Checklist

Removal Phase

  • All CiliumNetworkPolicy resources deleted (21 total across base + 3 overlays)
  • All NetworkPolicy references removed
  • No ciliumgateway references remain in HTTPRoute
  • Old network policy patch files removed from overlays

Files Deleted:

  • apps/base/network-policies.yaml (6 Cilium policies)
  • apps/overlays/dev/patches/network-policies-dev.yaml (3 policies)
  • apps/overlays/uat/patches/network-policies-uat.yaml (3 policies)
  • apps/overlays/prod/patches/network-policies-prod.yaml (3 policies)

Creation Phase — Foundation

ServiceAccounts

  • api service account created
  • web service account created
  • migrate service account created
  • seed service account created
  • reset service account created
  • All SAs created in base (inherited by all overlays)

Base AuthorizationPolicies (Gateway Access)

  • allow-gateway-to-web — istio-external-istio → web:80
  • allow-gateway-to-api — istio-external-istio → api:3000

Per-Environment Postgres Access

Production (groombook namespace)

allow-workloads-to-postgres:
  Workloads: api, migrate, seed, reset, groombook-postgres SAs
  Target: cnpg.io/cluster: groombook-postgres
  Ports: 5432 (SQL), 8000, 9187 (metrics)
  Monitor access: cnpg-system, monitoring namespaces

UAT (groombook-uat namespace)

allow-workloads-to-postgres:
  Workloads: api, migrate, seed, reset, groombook-postgres SAs
  Target: cnpg.io/cluster: groombook-postgres
  Ports: 5432, 8000, 9187
  Monitor access: cnpg-system, monitoring namespaces

Dev (groombook-dev namespace)

allow-workloads-to-postgres:
  Workloads: api, migrate, seed, reset, groombook-postgres SAs
  Target: cnpg.io/cluster: groombook-postgres
  Ports: 5432, 8000, 9187
  Monitor access: cnpg-system, monitoring namespaces

Workload Identity Coverage

All Workloads with Access:

  1. API Deployment — SA: api (port 3000)
  2. Web Deployment — SA: web (port 80)
  3. Migrate Job — SA: migrate (postgres only)
  4. Seed Job — SA: seed (postgres only)
  5. Reset CronJob — SA: reset (postgres only)
  6. CNPG Postgres Cluster — SA: groombook-postgres (cluster internal)

All workloads with database access (migrate, seed, reset, api) are principals in the per-namespace postgres AuthorizationPolicies.

Gateway Integration

  • HTTPRoute updated to use istio-external gateway
  • Gateway namespace: gateway-system (correct)
  • Base auth policy trusts istio-external-istio service account

Policy Matrix (Principal → Resource)

Principal                                  Resource            Ports       Policy                        Namespace
istio-external-istio (gateway-system/sa)   web                 80          allow-gateway-to-web          base
istio-external-istio (gateway-system/sa)   api                 3000        allow-gateway-to-api          base
api, migrate, seed, reset SAs              groombook-postgres  5432        allow-workloads-to-postgres   per-env
cnpg-system namespace                      groombook-postgres  8000, 9187  allow-workloads-to-postgres   per-env
monitoring namespace                       groombook-postgres  8000, 9187  allow-workloads-to-postgres   per-env

Gap Analysis

No Gaps Found

All documented workloads in Deployments, Jobs, and CronJobs have:

  • Dedicated ServiceAccount assignment
  • Corresponding principal in relevant AuthorizationPolicies
  • Appropriate port access configured
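The coverage test behind this gap analysis, and the shape of the per-environment allow-workloads-to-postgres policy described above, as an added example (not code from the audit or the infra repo): it runs over constructed sample data, and the policy dict mirrors the Istio AuthorizationPolicy schema rather than being read from apps/ on main. The `needs` field, the `backfill` and `archive` jobs, and the `DB` shorthand are assumptions made for the example.

```python
# Gap check mirroring the audit's Workload Identity Coverage step: every workload
# needs a dedicated ServiceAccount, and every workload that needs postgres must be
# a principal of allow-workloads-to-postgres. All data here is constructed.

def principal(ns, sa):
    """SPIFFE-style identity Istio derives from a ServiceAccount."""
    return f"cluster.local/ns/{ns}/sa/{sa}"

def principals_of(policy):
    """Every principal named in the policy's from/source blocks."""
    found = set()
    for rule in policy["spec"].get("rules", []):
        for src in rule.get("from", []):
            found.update(src.get("source", {}).get("principals", []))
    return found

def find_gaps(workloads, policies):
    """One finding per gap; an empty list is the audit's 'No Gaps Found'."""
    index = {(p["metadata"]["namespace"], p["metadata"]["name"]): principals_of(p)
             for p in policies}
    gaps = []
    for w in workloads:
        sa = w.get("serviceAccountName", "default")
        if sa == "default":
            gaps.append(f"{w['kind']}/{w['name']}: no dedicated ServiceAccount")
            continue
        for pol in w.get("needs", []):
            if principal(w["namespace"], sa) not in index.get((w["namespace"], pol), set()):
                gaps.append(f"{w['kind']}/{w['name']}: SA {sa} not a principal of {pol}")
    return gaps

NS = "groombook"
# Postgres policy as the audit describes it: SQL only for the app SAs, metrics
# ports only for the two monitoring namespaces (separate rules, so they never get 5432).
POSTGRES_POLICY = {
    "metadata": {"name": "allow-workloads-to-postgres", "namespace": NS},
    "spec": {"selector": {"matchLabels": {"cnpg.io/cluster": "groombook-postgres"}},
             "rules": [
                 {"from": [{"source": {"principals": [principal(NS, s) for s in
                            ("api", "migrate", "seed", "reset", "groombook-postgres")]}}],
                  "to": [{"operation": {"ports": ["5432"]}}]},
                 {"from": [{"source": {"namespaces": ["cnpg-system", "monitoring"]}}],
                  "to": [{"operation": {"ports": ["8000", "9187"]}}]}]}}
DB = ["allow-workloads-to-postgres"]
WORKLOADS = [
    {"kind": "Deployment", "name": "api", "namespace": NS, "serviceAccountName": "api", "needs": DB},
    {"kind": "Deployment", "name": "web", "namespace": NS, "serviceAccountName": "web"},
    {"kind": "Job", "name": "migrate", "namespace": NS, "serviceAccountName": "migrate", "needs": DB},
    {"kind": "Job", "name": "backfill", "namespace": NS},  # constructed regression: default SA
    {"kind": "Job", "name": "archive", "namespace": NS, "serviceAccountName": "archive",
     "needs": DB},  # constructed regression: SA exists but was never added to the policy
]
```

`find_gaps(WORKLOADS, [POSTGRES_POLICY])` reports the two constructed regressions and nothing for api, web or migrate; in practice the workload list would be built from `kubectl get deploy,job,cronjob -o json`.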

Future Guidelines (Enforced)

FORBIDDEN

  • Creating new CiliumNetworkPolicy resources
  • Creating new NetworkPolicy resources
  • Manual iptables or Cilium policy modifications

REQUIRED

For any new workload or access requirement:

  1. Create ServiceAccount in base/overlays as needed
  2. Extend AuthorizationPolicy with new principal and rules
  3. Use namespace/principal selectors (not CIDR-based)
  4. Test with istioctl analyze before merging
  5. Document in PR what access is being granted and why

Example: Adding a New Service

# Step 1: ServiceAccount in base (namespace comes from the overlay)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: newservice
---
# Step 2: Extend relevant AuthorizationPolicy
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-gateway-to-web  # Example: extend existing
spec:
  # Keep the selector: without one the policy applies to every workload
  # in the namespace, not just web.
  selector:
    matchLabels:
      app: web  # assumed label; use the web Deployment's actual pod labels
  action: ALLOW
  rules:
    - from:
        - source:
            principals:
              - "cluster.local/ns/gateway-system/sa/istio-external-istio"
      to:
        - operation:
            ports: ["80"]
    - from:                          # NEW
        - source:
            principals:
              - "cluster.local/ns/groombook/sa/newservice"
      to:
        - operation:
            ports: ["9090"]

Verification Commands

# Check all AuthorizationPolicies cluster-wide, then only those in groombook
# (-A and -n are mutually exclusive; pick one per call)
kubectl get authorizationpolicy -A
kubectl get authorizationpolicy -n groombook

# Validate policies with istioctl across all namespaces
istioctl analyze -A

# List all ServiceAccounts in namespace
kubectl get sa -n groombook

# Check which SA a deployment uses
kubectl get deployment web -n groombook -o jsonpath='{.spec.template.spec.serviceAccountName}'

# Check which SA a CronJob uses (note the extra jobTemplate level)
kubectl get cronjob reset -n groombook -o jsonpath='{.spec.jobTemplate.spec.template.spec.serviceAccountName}'

Closure

Audit Complete — All CiliumNetworkPolicy resources removed from main; all Istio AuthorizationPolicies configured; workload identity fully covered; gateway integration verified; future policy guardrails documented.

Cross-reference: ADR 2026-06-20 Authentik TF Drift Loop · CTO landing page