docs(wiki): relocate GRO-1561 Istio migration audit from infra repo root (GRO-2496)
@@ -0,0 +1,189 @@
> **Relocated from `groombook/infra` repo root** as part of [GRO-2496](https://git.farh.net/GRO/issues/GRO-2496) repo cleanup. The original `GRO-1561-ISTIO-AUDIT.md` was an untracked file sitting in the infra working tree; its durable content now lives here in the org wiki. Source of truth for the policy model is the live manifests under `apps/` on `main`.

# GRO-1561 Istio Migration Audit Report
**Date**: 2026-05-22
**Auditor**: Scrubs McBarkley (CEO)
**Status**: ✅ COMPLETE — All migration requirements satisfied on main branch

---

## Executive Summary

GroomBook infra repo successfully migrated from Cilium network policies to Istio ambient mode security model. All workload identity and access controls now use Istio AuthorizationPolicies with dedicated ServiceAccounts.

**Migration Commit**: `f45cd7d` (main branch)

---

## Audit Checklist

### ✅ Removal Phase
- [x] All `CiliumNetworkPolicy` resources deleted (21 total across base + 3 overlays)
- [x] All `NetworkPolicy` references removed
- [x] No ciliumgateway references remain in HTTPRoute
- [x] Old network policy patch files removed from overlays

**Files Deleted**:
- apps/base/network-policies.yaml (6 Cilium policies)
- apps/overlays/dev/patches/network-policies-dev.yaml (3 policies)
- apps/overlays/uat/patches/network-policies-uat.yaml (3 policies)
- apps/overlays/prod/patches/network-policies-prod.yaml (3 policies)

### ✅ Creation Phase — Foundation

#### ServiceAccounts
- [x] `api` service account created
- [x] `web` service account created
- [x] `migrate` service account created
- [x] `seed` service account created
- [x] `reset` service account created
- [x] All SAs created in base (inherited by all overlays)

#### Base AuthorizationPolicies (Gateway Access)
- [x] `allow-gateway-to-web` — istio-external-istio → web:80
- [x] `allow-gateway-to-api` — istio-external-istio → api:3000

### ✅ Per-Environment Postgres Access

#### Production (groombook namespace)
```
allow-workloads-to-postgres:
Workloads: api, migrate, seed, reset, groombook-postgres SAs
Target: cnpg.io/cluster: groombook-postgres
Ports: 5432 (SQL), 8000, 9187 (metrics)
Monitor access: cnpg-system, monitoring namespaces
```

#### UAT (groombook-uat namespace)
```
allow-workloads-to-postgres:
Workloads: api, migrate, seed, reset, groombook-postgres SAs
Target: cnpg.io/cluster: groombook-postgres
Ports: 5432, 8000, 9187
Monitor access: cnpg-system, monitoring namespaces
```

#### Dev (groombook-dev namespace)
```
allow-workloads-to-postgres:
Workloads: api, migrate, seed, reset, groombook-postgres SAs
Target: cnpg.io/cluster: groombook-postgres
Ports: 5432, 8000, 9187
Monitor access: cnpg-system, monitoring namespaces
```

### ✅ Workload Identity Coverage

**All Workloads with Access**:
1. API Deployment — SA: api (port 3000)
2. Web Deployment — SA: web (port 80)
3. Migrate Job — SA: migrate (postgres only)
4. Seed Job — SA: seed (postgres only)
5. Reset CronJob — SA: reset (postgres only)
6. CNPG Postgres Cluster — SA: groombook-postgres (cluster internal)

All workloads with database access (migrate, seed, reset, api) are principals in the per-namespace postgres AuthorizationPolicies.

### ✅ Gateway Integration
- [x] HTTPRoute updated to use `istio-external` gateway
- [x] Gateway namespace: `gateway-system` (correct)
- [x] Base auth policy trusts istio-external-istio service account

---

## Policy Matrix (Principal → Resource)

| Principal | Resource | Ports | Policy | Namespace |
|-----------|----------|-------|--------|-----------|
| istio-external-istio (gateway-system/sa) | web | 80 | allow-gateway-to-web | base |
| istio-external-istio (gateway-system/sa) | api | 3000 | allow-gateway-to-api | base |
| api, migrate, seed, reset SAs | groombook-postgres | 5432 | allow-workloads-to-postgres | per-env |
| cnpg-system namespace | groombook-postgres | 8000, 9187 | allow-workloads-to-postgres | per-env |
| monitoring namespace | groombook-postgres | 8000, 9187 | allow-workloads-to-postgres | per-env |

---

## Gap Analysis

### ✅ No Gaps Found

All documented workloads in Deployments, Jobs, and CronJobs have:
- Dedicated ServiceAccount assignment
- Corresponding principal in relevant AuthorizationPolicies
- Appropriate port access configured

---

## Future Guidelines (Enforced)

### ❌ FORBIDDEN
- Creating new `CiliumNetworkPolicy` resources
- Creating new `NetworkPolicy` resources
- Manual iptables or Cilium policy modifications

### ✅ REQUIRED
For any new workload or access requirement:

1. **Create ServiceAccount** in base/overlays as needed
2. **Extend AuthorizationPolicy** with new principal and rules
3. **Use namespace/principal selectors** (not CIDR-based)
4. **Test with `istioctl analyze`** before merging
5. **Document in PR** what access is being granted and why

### Example: Adding a New Service

```yaml
# Step 1: ServiceAccount in base
apiVersion: v1
kind: ServiceAccount
metadata:
name: newservice
---
# Step 2: Extend relevant AuthorizationPolicy
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: allow-gateway-to-web # Example: extend existing
spec:
rules:
- from:
- source:
principals:
- "cluster.local/ns/gateway-system/sa/istio-external-istio"
to:
- operation:
ports: ["80"]
- from: # NEW
- source:
principals:
- "cluster.local/ns/groombook/sa/newservice"
to:
- operation:
ports: ["9090"]
```

---

## Verification Commands

```bash
# Check all AuthorizationPolicies
kubectl get authorizationpolicy -A -n groombook

# Validate policy with istioctl
istioctl analyze

# List all ServiceAccounts in namespace
kubectl get sa -n groombook

# Check which SA a deployment uses
kubectl get deployment web -n groombook -o jsonpath='{.spec.template.spec.serviceAccountName}'
```

---

## Closure

✅ **Audit Complete** — All CiliumNetworkPolicy resources removed from main; all Istio AuthorizationPolicies configured; workload identity fully covered; gateway integration verified; future policy guardrails documented.

> Cross-reference: [ADR 2026-06-20 Authentik TF Drift Loop](https://git.farh.net/groombook/org/wiki/ADR-2026-06-20-authentik-tf-drift-loop.-) · [CTO landing page](https://git.farh.net/groombook/org/wiki/CTO)
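Review bot: the AuthorizationPolicy in "Example: Adding a New Service" has no `spec.selector`, so as written it applies to every workload in its namespace rather than to `web`, and the `# NEW` rule would let `newservice` reach port 9090 on any pod there instead of one target; add `selector.matchLabels` for the intended workload (or give the new access its own policy that selects its target) so the example matches the scoping the Policy Matrix describes. Three smaller points in the same hunk. The new principal is hardcoded as `cluster.local/ns/groombook/sa/newservice`, which only matches in the prod namespace, while the ServiceAccount is created in base and the other environments live in `groombook-dev` and `groombook-uat`; either put the rule in the per-environment overlays, as `allow-workloads-to-postgres` is, or say explicitly that it is prod-only. In Verification Commands, `kubectl get authorizationpolicy -A -n groombook` combines `--all-namespaces` with a namespace filter; `-A` already lists every namespace, so drop `-n groombook` (or drop `-A` if the comment should read "in namespace"). And the Gap Analysis records allow rules only: in Istio a workload that no ALLOW policy selects accepts all traffic, so now that the Cilium policies are gone the audit should state whether a namespace-wide default-deny AuthorizationPolicy exists, or note it as an open item.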