Add default deny AuthzPol in istio-system

Mathieu Benoit · Mathieu Benoit · commit f6b483c9da46 · 2022-03-25T21:57:18.000-04:00
diff --git a/content/service-mesh/set-up-asm-configs.md b/content/service-mesh/set-up-asm-configs.md
@@ -79,15 +79,29 @@ spec:
 EOF
 ```
 {{% notice tip %}}
-A [`Sidecar`](https://istio.io/latest/docs/reference/config/networking/sidecar/) configuration in the `MeshConfig` root namespace will be applied by default to all namespaces without a `Sidecar` configuration.
+A [`Sidecar`](https://istio.io/latest/docs/reference/config/networking/sidecar/) configuration in the `MeshConfig` root namespace will be applied by default to all namespaces.
 {{% /notice %}}
 
+## Define default deny AuthorizationPolicy Mesh-wide
+
+Define `deny` `AuthorizationPolicy` resource:
+```Bash
+cat <<EOF > ~/$GKE_CONFIGS_DIR_NAME/config-sync/istio-config/authorizationpolicy_denyall.yaml
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: deny-all
+  namespace: istio-system
+spec: {}
+EOF
+```
+
 ## Deploy Kubernetes manifests
 
 ```Bash
 cd ~/$GKE_CONFIGS_DIR_NAME/
 git add .
-git commit -m "ASM configs (mTLS, Sidecar, etc.) in GKE cluster"
+git commit -m "ASM Mesh configs in GKE cluster"
 git push origin main
 ```
 
@@ -98,7 +112,7 @@ Here is what you should have at this stage:
 List the GitHub runs for the **GKE cluster configs** repository `cd ~/$GKE_CONFIGS_DIR_NAME && gh run list`:
 ```Plaintext
 STATUS  NAME                                                  WORKFLOW  BRANCH  EVENT  ID          ELAPSED  AGE
-✓       ASM configs (mTLS, Sidecar, etc.) in GKE cluster      ci        main    push   1972234050  56s      2m
+✓       ASM Mesh configs in GKE cluster                       ci        main    push   1972234050  56s      2m
 ✓       ASM MCP for GKE cluster                               ci        main    push   1972222841  56s      7m
 ✓       Enforce Container Registries Policies in GKE cluster  ci        main    push   1972138349  55s      49m
 ✓       Policies for NetworkPolicy resources                  ci        main    push   1971716019  1m14s    3h
@@ -129,6 +143,7 @@ getting 1 RepoSync and RootSync from gke-hub-membership
 │ templates.gatekeeper.sh   │ ConstraintTemplate   │ k8sallowedrepos              │                              │
 │ templates.gatekeeper.sh   │ ConstraintTemplate   │ k8srequiredlabels            │                              │
 │                           │ ServiceAccount       │ default                      │ config-management-monitoring │
+│ security.istio.io         │ AuthorizationPolicy  │ deny-all                     │ istio-system                 │
 │                           │ ConfigMap            │ istio-asm-managed-rapid      │ istio-system                 │
 │ mesh.cloud.google.com     │ ControlPlaneRevision │ asm-managed-rapid            │ istio-system                 │
 │ security.istio.io         │ PeerAuthentication   │ default                      │ istio-system                 │
diff --git a/content/whereami/set-up-authorization-policies.md b/content/whereami/set-up-authorization-policies.md
@@ -10,17 +10,10 @@ Initialize variables:
 source ~/acm-workshop-variables.sh
 ```
 
-## Define AuthorizationPolicy resources
+## Define AuthorizationPolicy resource
 
-Define fine granular `AuthorizationPolicy` resources:
+Define fine granular `AuthorizationPolicy` resource:
 ```Bash
-cat <<EOF > ~/$WHERE_AMI_DIR_NAME/base/authorizationpolicy_denyall.yaml
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: deny-all
-spec: {}
-EOF
 cat <<EOF > ~/$WHERE_AMI_DIR_NAME/base/authorizationpolicy_whereami.yaml
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
@@ -47,7 +40,6 @@ EOF
 Update the Kustomize base overlay:
 ```Bash
 cd ~/$WHERE_AMI_DIR_NAME/base
-kustomize edit add resource authorizationpolicy_denyall.yaml
 kustomize edit add resource authorizationpolicy_whereami.yaml
 ```
 
@@ -56,7 +48,7 @@ kustomize edit add resource authorizationpolicy_whereami.yaml
 ```Bash
 cd ~/$WHERE_AMI_DIR_NAME/
 git add .
-git commit -m "Whereami Authorization Policies"
+git commit -m "Whereami Authorization Policy"
 git push origin main
 ```
 
@@ -65,7 +57,7 @@ git push origin main
 List the GitHub runs for the **Whereami app** repository `cd ~/$WHERE_AMI_DIR_NAME && gh run list`:
 ```Plaintext
 STATUS  NAME                             WORKFLOW  BRANCH  EVENT  ID          ELAPSED  AGE
-✓       Whereami Authorization Policies  ci        main    push   1976612253  1m9s     2m
+✓       Whereami Authorization Policy  ci        main    push   1976612253  1m9s     2m
 ✓       Whereami Sidecar                 ci        main    push   1976601129  1m3s     5m
 ✓       Whereami Network Policies        ci        main    push   1976593659  1m1s     1m
 ✓       Whereami app                     ci        main    push   1976257627  1m1s     2h
@@ -94,6 +86,5 @@ getting 1 RepoSync and RootSync from gke-hub-membership
 │ networking.k8s.io   │ NetworkPolicy       │ denyall            │ whereami  │
 │ networking.k8s.io   │ NetworkPolicy       │ whereami           │ whereami  │
 │ security.istio.io   │ AuthorizationPolicy │ whereami           │ whereami  │
-│ security.istio.io   │ AuthorizationPolicy │ deny-all           │ whereami  │
 └─────────────────────┴─────────────────────┴────────────────────┴───────────┘
 ```
