From 973422961c29224d5e07c8bbd31d8be0fa5e5bfb Mon Sep 17 00:00:00 2001 From: The Dogfather <20+gb_dogfather@noreply.git.farh.net> Date: Thu, 25 Jun 2026 01:12:23 +0000 Subject: [PATCH] docs(wiki): relocate GRO-1561 Istio migration audit from infra repo root (GRO-2496) --- GRO-1561 Istio Migration Audit.-.md | 189 ++++++++++++++++++++++++++++ 1 file changed, 189 insertions(+) create mode 100644 GRO-1561 Istio Migration Audit.-.md diff --git a/GRO-1561 Istio Migration Audit.-.md b/GRO-1561 Istio Migration Audit.-.md new file mode 100644 index 0000000..ada6734 --- /dev/null +++ b/GRO-1561 Istio Migration Audit.-.md 
@@ -0,0 +1,189 @@ +> **Relocated from `groombook/infra` repo root** as part of [GRO-2496](https://git.farh.net/GRO/issues/GRO-2496) repo cleanup. The original `GRO-1561-ISTIO-AUDIT.md` was an untracked file sitting in the infra working tree; its durable content now lives here in the org wiki. Source of truth for the policy model is the live manifests under `apps/` on `main`. + +# GRO-1561 Istio Migration Audit Report +**Date**: 2026-05-22 +**Auditor**: Scrubs McBarkley (CEO) +**Status**: ✅ COMPLETE — All migration requirements satisfied on main branch + +--- + +## Executive Summary + +GroomBook infra repo successfully migrated from Cilium network policies to Istio ambient mode security model. All workload identity and access controls now use Istio AuthorizationPolicies with dedicated ServiceAccounts. + +**Migration Commit**: `f45cd7d` (main branch) + +--- + +## Audit Checklist + +### ✅ Removal Phase +- [x] All `CiliumNetworkPolicy` resources deleted (21 total across base + 3 overlays) +- [x] All `NetworkPolicy` references removed +- [x] No ciliumgateway references remain in HTTPRoute +- [x] Old network policy patch files removed from overlays + +**Files Deleted**: +- apps/base/network-policies.yaml (6 Cilium policies) +- apps/overlays/dev/patches/network-policies-dev.yaml (3 policies) +- apps/overlays/uat/patches/network-policies-uat.yaml (3 policies) +- apps/overlays/prod/patches/network-policies-prod.yaml (3 policies) + +### ✅ Creation Phase — Foundation + +#### ServiceAccounts +- [x] `api` service account created +- [x] `web` service account created +- [x] `migrate` service account created +- [x] `seed` service account created +- [x] `reset` service account created +- [x] All SAs created in base (inherited by all overlays) + +#### Base AuthorizationPolicies (Gateway Access) +- [x] `allow-gateway-to-web` — istio-external-istio → web:80 +- [x] `allow-gateway-to-api` — istio-external-istio → api:3000 + +### ✅ Per-Environment Postgres Access + +#### Production 
(groombook namespace) +``` +allow-workloads-to-postgres: + Workloads: api, migrate, seed, reset, groombook-postgres SAs + Target: cnpg.io/cluster: groombook-postgres + Ports: 5432 (SQL), 8000, 9187 (metrics) + Monitor access: cnpg-system, monitoring namespaces +``` + +#### UAT (groombook-uat namespace) +``` +allow-workloads-to-postgres: + Workloads: api, migrate, seed, reset, groombook-postgres SAs + Target: cnpg.io/cluster: groombook-postgres + Ports: 5432, 8000, 9187 + Monitor access: cnpg-system, monitoring namespaces +``` + +#### Dev (groombook-dev namespace) +``` +allow-workloads-to-postgres: + Workloads: api, migrate, seed, reset, groombook-postgres SAs + Target: cnpg.io/cluster: groombook-postgres + Ports: 5432, 8000, 9187 + Monitor access: cnpg-system, monitoring namespaces +``` + +### ✅ Workload Identity Coverage + +**All Workloads with Access**: +1. API Deployment — SA: api (port 3000) +2. Web Deployment — SA: web (port 80) +3. Migrate Job — SA: migrate (postgres only) +4. Seed Job — SA: seed (postgres only) +5. Reset CronJob — SA: reset (postgres only) +6. CNPG Postgres Cluster — SA: groombook-postgres (cluster internal) + +All workloads with database access (migrate, seed, reset, api) are principals in the per-namespace postgres AuthorizationPolicies. 
+ +### ✅ Gateway Integration +- [x] HTTPRoute updated to use `istio-external` gateway +- [x] Gateway namespace: `gateway-system` (correct) +- [x] Base auth policy trusts istio-external-istio service account + +--- + +## Policy Matrix (Principal → Resource) + +| Principal | Resource | Ports | Policy | Namespace | +|-----------|----------|-------|--------|-----------| +| istio-external-istio (gateway-system/sa) | web | 80 | allow-gateway-to-web | base | +| istio-external-istio (gateway-system/sa) | api | 3000 | allow-gateway-to-api | base | +| api, migrate, seed, reset SAs | groombook-postgres | 5432 | allow-workloads-to-postgres | per-env | +| cnpg-system namespace | groombook-postgres | 8000, 9187 | allow-workloads-to-postgres | per-env | +| monitoring namespace | groombook-postgres | 8000, 9187 | allow-workloads-to-postgres | per-env | + +--- + +## Gap Analysis + +### ✅ No Gaps Found + +All documented workloads in Deployments, Jobs, and CronJobs have: +- Dedicated ServiceAccount assignment +- Corresponding principal in relevant AuthorizationPolicies +- Appropriate port access configured + +--- + +## Future Guidelines (Enforced) + +### ❌ FORBIDDEN +- Creating new `CiliumNetworkPolicy` resources +- Creating new `NetworkPolicy` resources +- Manual iptables or Cilium policy modifications + +### ✅ REQUIRED +For any new workload or access requirement: + +1. **Create ServiceAccount** in base/overlays as needed +2. **Extend AuthorizationPolicy** with new principal and rules +3. **Use namespace/principal selectors** (not CIDR-based) +4. **Test with `istioctl analyze`** before merging +5. 
**Document in PR** what access is being granted and why + +### Example: Adding a New Service + +```yaml +# Step 1: ServiceAccount in base +apiVersion: v1 +kind: ServiceAccount +metadata: + name: newservice +--- +# Step 2: Extend relevant AuthorizationPolicy +apiVersion: security.istio.io/v1 +kind: AuthorizationPolicy +metadata: + name: allow-gateway-to-web # Example: extend existing +spec: + rules: + - from: + - source: + principals: + - "cluster.local/ns/gateway-system/sa/istio-external-istio" + to: + - operation: + ports: ["80"] + - from: # NEW + - source: + principals: + - "cluster.local/ns/groombook/sa/newservice" + to: + - operation: + ports: ["9090"] +``` + +--- + +## Verification Commands + +```bash +# Check all AuthorizationPolicies +kubectl get authorizationpolicy -A -n groombook + +# Validate policy with istioctl +istioctl analyze + +# List all ServiceAccounts in namespace +kubectl get sa -n groombook + +# Check which SA a deployment uses +kubectl get deployment web -n groombook -o jsonpath='{.spec.template.spec.serviceAccountName}' +``` + +--- + +## Closure + +✅ **Audit Complete** — All CiliumNetworkPolicy resources removed from main; all Istio AuthorizationPolicies configured; workload identity fully covered; gateway integration verified; future policy guardrails documented. + +> Cross-reference: [ADR 2026-06-20 Authentik TF Drift Loop](https://git.farh.net/groombook/org/wiki/ADR-2026-06-20-authentik-tf-drift-loop.-) · [CTO landing page](https://git.farh.net/groombook/org/wiki/CTO)
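Review bot: the "Example: Adding a New Service" AuthorizationPolicy has no `spec.selector`, so as written it applies to every workload in the namespace rather than to `web`; extending `allow-gateway-to-web` this way would grant `newservice` port 9090 on all workloads, not just the intended one, so add a `selector.matchLabels` (or a dedicated policy) before this lands as the reference pattern. The same example hardcodes `cluster.local/ns/groombook/sa/newservice` while the doc states SAs live in base and are inherited by the dev/uat/prod overlays (namespaces `groombook-dev`, `groombook-uat`), so the principal would be wrong in two of three environments unless it is patched per overlay like the postgres policies are; worth a sentence noting that. Under "Verification Commands", `kubectl get authorizationpolicy -A -n groombook` combines `-A` with `-n`, which are contradictory; use one or the other (`-A` to list all namespaces, `-n groombook` to scope).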