docs(wiki): relocate GRO-1561 Istio migration audit from infra repo root (GRO-2496)

2026-06-25 01:12:23 +00:00
parent 031f022063
commit 973422961c
1 changed files with 189 additions and 0 deletions
@@ -0,0 +1,189 @@
 > **Relocated from `groombook/infra` repo root** as part of [GRO-2496](https://git.farh.net/GRO/issues/GRO-2496) repo cleanup. The original `GRO-1561-ISTIO-AUDIT.md` was an untracked file sitting in the infra working tree; its durable content now lives here in the org wiki. Source of truth for the policy model is the live manifests under `apps/` on `main`.
 # GRO-1561 Istio Migration Audit Report
 **Date**: 2026-05-22
 **Auditor**: Scrubs McBarkley (CEO)
 **Status**: ✅ COMPLETE — All migration requirements satisfied on main branch
 ---
 ## Executive Summary
 GroomBook infra repo successfully migrated from Cilium network policies to Istio ambient mode security model. All workload identity and access controls now use Istio AuthorizationPolicies with dedicated ServiceAccounts.
 **Migration Commit**: `f45cd7d` (main branch)
 ---
 ## Audit Checklist
 ### ✅ Removal Phase
 - [x] All `CiliumNetworkPolicy` resources deleted (21 total across base + 3 overlays)
 - [x] All `NetworkPolicy` references removed
 - [x] No ciliumgateway references remain in HTTPRoute
 - [x] Old network policy patch files removed from overlays
 **Files Deleted**:
 - apps/base/network-policies.yaml (6 Cilium policies)
 - apps/overlays/dev/patches/network-policies-dev.yaml (3 policies)
 - apps/overlays/uat/patches/network-policies-uat.yaml (3 policies)
 - apps/overlays/prod/patches/network-policies-prod.yaml (3 policies)
 ### ✅ Creation Phase — Foundation
 #### ServiceAccounts
 - [x] `api` service account created
 - [x] `web` service account created
 - [x] `migrate` service account created
 - [x] `seed` service account created
 - [x] `reset` service account created
 - [x] All SAs created in base (inherited by all overlays)
 #### Base AuthorizationPolicies (Gateway Access)
 - [x] `allow-gateway-to-web` — istio-external-istio → web:80
 - [x] `allow-gateway-to-api` — istio-external-istio → api:3000
 ### ✅ Per-Environment Postgres Access
 #### Production (groombook namespace)
 ```
 allow-workloads-to-postgres:
  Workloads: api, migrate, seed, reset, groombook-postgres SAs
  Target: cnpg.io/cluster: groombook-postgres
  Ports: 5432 (SQL), 8000, 9187 (metrics)
  Monitor access: cnpg-system, monitoring namespaces
 ```
 #### UAT (groombook-uat namespace)
 ```
 allow-workloads-to-postgres:
  Workloads: api, migrate, seed, reset, groombook-postgres SAs
  Target: cnpg.io/cluster: groombook-postgres
  Ports: 5432, 8000, 9187
  Monitor access: cnpg-system, monitoring namespaces
 ```
 #### Dev (groombook-dev namespace)
 ```
 allow-workloads-to-postgres:
  Workloads: api, migrate, seed, reset, groombook-postgres SAs
  Target: cnpg.io/cluster: groombook-postgres
  Ports: 5432, 8000, 9187
  Monitor access: cnpg-system, monitoring namespaces
 ```
 ### ✅ Workload Identity Coverage
 **All Workloads with Access**:
 1. API Deployment — SA: api (port 3000)
 2. Web Deployment — SA: web (port 80)
 3. Migrate Job — SA: migrate (postgres only)
 4. Seed Job — SA: seed (postgres only)
 5. Reset CronJob — SA: reset (postgres only)
 6. CNPG Postgres Cluster — SA: groombook-postgres (cluster internal)
 All workloads with database access (migrate, seed, reset, api) are principals in the per-namespace postgres AuthorizationPolicies.
 ### ✅ Gateway Integration
 - [x] HTTPRoute updated to use `istio-external` gateway
 - [x] Gateway namespace: `gateway-system` (correct)
 - [x] Base auth policy trusts istio-external-istio service account
 ---
 ## Policy Matrix (Principal → Resource)
 | Principal | Resource | Ports | Policy | Namespace |
 |-----------|----------|-------|--------|-----------|
 | istio-external-istio (gateway-system/sa) | web | 80 | allow-gateway-to-web | base |
 | istio-external-istio (gateway-system/sa) | api | 3000 | allow-gateway-to-api | base |
 | api, migrate, seed, reset SAs | groombook-postgres | 5432 | allow-workloads-to-postgres | per-env |
 | cnpg-system namespace | groombook-postgres | 8000, 9187 | allow-workloads-to-postgres | per-env |
 | monitoring namespace | groombook-postgres | 8000, 9187 | allow-workloads-to-postgres | per-env |
 ---
 ## Gap Analysis
 ### ✅ No Gaps Found
 All documented workloads in Deployments, Jobs, and CronJobs have:
 - Dedicated ServiceAccount assignment
 - Corresponding principal in relevant AuthorizationPolicies
 - Appropriate port access configured
 ---
 ## Future Guidelines (Enforced)
 ### ❌ FORBIDDEN
 - Creating new `CiliumNetworkPolicy` resources
 - Creating new `NetworkPolicy` resources
 - Manual iptables or Cilium policy modifications
 ### ✅ REQUIRED
 For any new workload or access requirement:
 1. **Create ServiceAccount** in base/overlays as needed
 2. **Extend AuthorizationPolicy** with new principal and rules
 3. **Use namespace/principal selectors** (not CIDR-based)
 4. **Test with `istioctl analyze`** before merging
 5. **Document in PR** what access is being granted and why
 ### Example: Adding a New Service
 ```yaml
 # Step 1: ServiceAccount in base
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: newservice
 ---
 # Step 2: Extend relevant AuthorizationPolicy
 apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
  name: allow-gateway-to-web  # Example: extend existing
 spec:
  rules:
    - from:
        - source:
            principals:
              - "cluster.local/ns/gateway-system/sa/istio-external-istio"
      to:
        - operation:
            ports: ["80"]
    - from:                          # NEW
        - source:
            principals:
              - "cluster.local/ns/groombook/sa/newservice"
      to:
        - operation:
            ports: ["9090"]
 ```
 ---
 ## Verification Commands
 ```bash
 # Check all AuthorizationPolicies
 kubectl get authorizationpolicy -A -n groombook
 # Validate policy with istioctl
 istioctl analyze
 # List all ServiceAccounts in namespace
 kubectl get sa -n groombook
 # Check which SA a deployment uses
 kubectl get deployment web -n groombook -o jsonpath='{.spec.template.spec.serviceAccountName}'
 ```
 ---
 ## Closure
 ✅ **Audit Complete** — All CiliumNetworkPolicy resources removed from main; all Istio AuthorizationPolicies configured; workload identity fully covered; gateway integration verified; future policy guardrails documented.
 > Cross-reference: [ADR 2026-06-20 Authentik TF Drift Loop](https://git.farh.net/groombook/org/wiki/ADR-2026-06-20-authentik-tf-drift-loop.-) · [CTO landing page](https://git.farh.net/groombook/org/wiki/CTO)